Unroll.me scans your complete mail data and has a tremendous security hole (startup-stuttgart.de)

7 points by ellenberg ↗ HN
Yesterday, I had a short discussion with Kathleen, my co-founder, about the tool and I pointed out the scale of data mining unroll.me is running and the implications for privacy and data security. As I wanted to know how these unroll mails look like, Kathleen forwarded one to me. And then – boom! I could access _her_ whole unroll.me account by just clicking on the rollup mail she forwarded! No need to log in anywhere, I just could access her subscriptions, doing whatever I wanted to with her data. THIS. IS. A. TREMENDOUS. SECURITY. HOLE!

4 comments

[ 1.8 ms ] story [ 20.4 ms ] thread
I'm not sure if this is actually a problem? You wouldn't share your password-recovery e-mail with anyone either?

I guess it's not the best thing to do (and not telling you to not share that mail), but a tremendous security hole? Are the login-tokens they use in the URL guessable? It not, I think that might be a little bit exaggerated...

Session-tokens might be guessable, the one-click login urls include the user reference ID plus the date of the rollup mail.
"Summary of some mostly uninteresting e-mails" doesn't quite feel as important or sensitive as "Password recovery e-mail". Very unintuitive, very surprising.
In my (not actually humble at all) opinion, Unroll.me is a security hole by itself. "Oh yeah, I'll willingly give all of my e-mail data to a third party, what could possibly go wrong?" Although this article is fascinating news, it sounds like "in addition to the hole created by iceberg impact, Titanic also has open portholes above the waterline".

(Before you start pointing out that my e-mail provider has my data - I'm sort of aware of that, and find it as a necessary evil to keep my e-mails flowing; it doesn't follow that I should therefore give access to anyone and everyone)