Unroll.me scans your complete mail data and has a tremendous security hole (startup-stuttgart.de)
Yesterday, I had a short discussion with Kathleen, my co-founder, about the tool and I pointed out the scale of data mining unroll.me is running and the implications for privacy and data security. As I wanted to know how these unroll mails look like, Kathleen forwarded one to me. And then – boom! I could access _her_ whole unroll.me account by just clicking on the rollup mail she forwarded! No need to log in anywhere, I just could access her subscriptions, doing whatever I wanted to with her data. THIS. IS. A. TREMENDOUS. SECURITY. HOLE!
4 comments
[ 1.8 ms ] story [ 20.4 ms ] threadI guess it's not the best thing to do (and not telling you to not share that mail), but a tremendous security hole? Are the login-tokens they use in the URL guessable? It not, I think that might be a little bit exaggerated...
(Before you start pointing out that my e-mail provider has my data - I'm sort of aware of that, and find it as a necessary evil to keep my e-mails flowing; it doesn't follow that I should therefore give access to anyone and everyone)