Quibi, JetBlue, Others Leaked Millions of Emails

Hundreds of millions of people might have had their email addresses given to advertising and analytics companies. According to a new report, brands such as the Washington Post and Mailchimp have been quietly leaking the personal data—often for years.

It’s yet another reminder of how the secretive adtech industry uses any signal at their disposal to build up identifiable profile information on us all. The list of (ahem) “accidental” leakers also includes Quibi, Wish, JetBlue, Mandrill, Growing Child, NGPVan/EveryAction and KongHQ/Mashape.

The more you scratch the surface of this sort of thing, the less it looks like an accident. In today’s SB Blogwatch, we’re as mad as hell, and we’re not going to take this anymore.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Jim’s best scambait so far.


Adtech URL FAIL

What’s the craic? Tiffany Hsu reports—“Personal data from millions of customers ended up with Google, Facebook and other trackers, making it easier for them to be tracked online and targeted with ads”:

 Millions of … email addresses … ended up in the hands of advertising and analytics companies like Google, Facebook and Twitter. … The customers unwittingly exposed their email addresses when signing up for apps or clicking on links in marketing emails … according to a report.

The researcher, Zach Edwards [said], “This hack used to be something that only very niche and sophisticated developers understood … but now the entire ad-tech industry understands it.” [And that] one of the “most egregious” leaks involved Quibi, a short-form video platform based in Los Angeles that is run by the veteran executives Jeffrey Katzenberg and Meg Whitman; [it] went live on April 6.

“In 2020, no new technology organizations should be launching that leaks all new user-confirmed emails to advertising and analytics companies,” Mr. Edwards wrote. “Yet that’s what Quibi apparently decided to do.”

Quibi said … data security “is of the highest priority” and that “the moment the issue on our webpage was revealed to our security and engineering team, we fixed it immediately.” … Wish strengthened its data protection measures after hearing from Mr. Edwards this year, the company said. [JetBlue] said in a statement that it was taking Mr. Edwards’s concerns seriously and would review his findings. … Google did not immediately respond to a request for comment.

How did it work? Jon Porter carries the story on—“Quibi’s email verification process reportedly sent data to multiple ad firms”:

 Since its launch on April 7th, Quibi says over 2.7 million people have downloaded its app. The service is built around short-form video … designed to be watched on mobile devices.

When a new user signed up to the streaming service, they received an email with a verification link. Clicking that link appended their address to the URL and sent it in plain text to multiple other companies.

Edwards says that it’s unlikely Quibi was unaware of the issue: “It’s an extremely disrespectful decision to purposefully leak all new user emails to your advertising partners, and there’s almost no way that numerous people at Quibi were not only aware of this plan, but helped to architect this user data breach.” [He] said he confirmed that email addresses were still being leaked as late as April 26th.

Yikes. If true, it’s appalling. Zach Edwards rants—“URL Querystring Data Leaks — Millions of User Emails Leaking from Popular Websites”:

 Depending on how a website sets up their marketing systems, typically email systems and new user signup flows, the user emails can accidentally and/or purposefully leak to companies across the global data supply chain. … One important trend to notice is how often Google, … DoubleClick, Facebook, and Twitter are ingesting the user emails.

The organizations included in this research have hundreds of millions of emails and real users between them. … Only Wish.com, Mailchimp and The Washington Post took this report on their user email breaches seriously … whereas many other organizations either didn’t respond or have failed to take any action.

When any 3rd party Javascript code loads on a website, metadata from the user and the website can be transmitted. … This data can include what page a user is visiting, what type of device and browser they are using, their location, and other forms of fingerprinting / cookies / URL. … Several of the breaches involve … user emails — this is when you can literally read the email in the URL.

The Wish.com breach was the largest out of all the examples in this research, and it lasted over a year and likely involved hundreds of millions of user emails … being shared with analytics and advertising companies. But their work … to rebuild their systems was a dramatically better response than how other organizations handled these reports. [But] it does not appear Wish has informed their users of this user email breach … to 3rd party advertising and analytics companies including Google, Facebook, Pinterest, Criteo, PayPal … Stripe, and potentially other companies.

JetBlue has known about their ongoing data breach since March 2020 … but still haven’t made any changes. … JetBlue stated they would never do what they are doing because it would be against the law. [But] the companies receiving data from JetBlue include basically all the major … and all the niche but major advertising players … (April’s test showed 45 … pixels).

Out of all the data breaches in this research, the Quibi research is the hardest to swallow. … Quibi sends the data to advertising and analytics companies: … DoubleClick … Google … Google Tag Manager … (thus leaking this to more companies) … Twitter … Snapchat … cloudfunctions.net … civiccomputing.com … Facebook … liveramp.com, SkimAds, and Tapad — it seems likely that … the list included here could be incomplete.

It’s 2020, and this type of growth-hack needs to stop. … Quibi needs to explain to their users why this was done and why it hasn’t been changed even after being notified.
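The leak Edwards describes is mechanical: an address sits in plain text (often percent-encoded, sometimes twice) in the query string of a verification link, and every third-party script or pixel on that page receives it, either in its own request URL or in the Referer header. The audit below is an added example, not code from the original post or from Edwards’ research; it scans constructed request-log lines (hypothetical hosts and addresses, and an assumed "method url referer=…" line format) for e-mail addresses carried in URLs and reports which third-party hosts would have received them.

```python
"""Audit request URLs and Referer headers for e-mail addresses in plain text.

Added example (not from the original post or from Zach Edwards' research).
It detects the pattern the post describes: an address embedded in a
first-party URL that then rides along to third-party trackers, either
inside their request URL (e.g. a 'page URL' parameter) or in the Referer.
"""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample log lines with hypothetical hosts and addresses.
# Format "<method> <request-url> referer=<referer-url|->" is an assumption.
SAMPLE_LOG = """\
GET https://example-streaming.test/verify?email=alice%40example.test&code=4821 referer=-
GET https://analytics.example-tracker.test/collect?dl=https%3A%2F%2Fexample-streaming.test%2Fverify%3Femail%3Dalice%2540example.test referer=https://example-streaming.test/verify?email=alice%40example.test&code=4821
GET https://pixel.example-ads.test/p.gif?v=1 referer=https://example-streaming.test/verify?email=alice%40example.test&code=4821
GET https://example-streaming.test/verify?token=f3a9c1d0 referer=-
GET https://pixel.example-ads.test/p.gif?v=1 referer=https://example-streaming.test/verify?token=f3a9c1d0
"""

FIRST_PARTY_HOST = "example-streaming.test"  # constructed first-party host

# Deliberately loose: an audit wants false positives over misses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def emails_in_url(url: str) -> set[str]:
    """Return e-mail addresses found anywhere in a URL.

    Decodes repeatedly: trackers often pass the whole page URL as a
    parameter, so the address may be percent-encoded two levels deep.
    """
    found: set[str] = set()
    text = url
    for _ in range(3):  # three rounds cover the nesting seen in practice
        found.update(EMAIL_RE.findall(text))
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return found


def audit_log(log: str) -> list[tuple[str, str, str]]:
    """Return (third_party_host, email, channel) for every leak in the log.

    channel is 'url' when the address is in the request sent to the third
    party itself and 'referer' when it arrives via the Referer header.
    Requests to the first-party host are not leaks and are skipped.
    """
    leaks = []
    for line in log.splitlines():
        _method, url, ref_field = line.split(" ")
        ref = ref_field[len("referer="):]
        host = urlsplit(url).hostname
        if host == FIRST_PARTY_HOST:
            continue
        for addr in emails_in_url(url):
            leaks.append((host, addr, "url"))
        if ref != "-":
            for addr in emails_in_url(ref):
                leaks.append((host, addr, "referer"))
    return leaks


def receiving_hosts(log: str) -> set[str]:
    """Third-party hosts that received at least one address."""
    return {host for host, _, _ in audit_log(log)}


if __name__ == "__main__":
    for host, addr, channel in audit_log(SAMPLE_LOG):
        print(f"{host} received {addr} via {channel}")
```

Run against real traffic, the log would come from a proxy or browser HAR export; the point of the last two sample lines is that a token-only verification URL produces no findings even though the same pixel still fires with a Referer.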

Whoa. Sam Petherbridge—@MrSamPeth—sounds the alarm:

 This research should simply not be required in 2020. GDPR should have been a wakeup call to all organisations that they need to be aware of what data is in URLs and who has access to that data.

Put simply: Identifiers do not belong in URL strings. … There is a need for this information to occasionally be in URLs and in such instances there should be unique one time ids.

All providers of adtech should be proactive in checking the data that they are receiving has no such data. … It is not hard and does not take long!

But but but, “Data protection is essential to Quibi.” James5mith scoffs thuswise:

 Then you would have done a security audit before launching the service [and] the app would never launch without serious security overviews.

So you can’t trust ’em? PhantomHarlock says we should take matters into our own hands:

 That’s why I use tracker addresses. … I use a separate address for each online vendor I deal with. … Then I know exactly where it came from. … Every once in a while one gets out.

I use a now orphaned service called Spamarrest to create unlimited tracker addresses, but the site hasn’t been updated in years and is basically kept on life support. … But I believe Gmail and some other services have the ability to create tracker / burner addresses these days.

Wait. Pause. rnd_dude428673 offers a big “meh”:

 Considering how “not secure” email is in general and how easy it is for this information to be passed around behind the scenes this is almost a non-story. [It] really stunk of an attempt to over-sensationalize some sloppy coding that is probably happening on 50% of the websites in the world.

But, tip pc wants to talk about it more, not less:

 URL referral should be talked about more. … More people should know about how browsers pass on details of the previous page visited. … So many things going on behind the scenes we have little knowledge of.

I always close a tab before going to a new site. I shouldn’t have to though.

Meanwhile, how much do you bet that this Anonymous Coward used to be an HPE employee?

 If Quibi missed that in their development and testing, you can bet that their business model is based on tracking and selling info on what people watch. Anyone who trusts Meg Whitman is making a mistake.

And Finally:

Hilarious: Making life hell for scammers

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image sauce: Brigitte Werner (Pixabay)

Security Boulevard

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
