Like everyone else, I got caught up in the recent hype around unroll.me, the tool which promises to unclutter your e-mail subscriptions and newsletters by doing a daily rollup of mails marked as such after scanning your inbox. Alternatively, you can go to the Unroll.me folder in your mail account, e.g. Gmail, and look into all mails which are rolled up. The design is neat, the setup and application very fast and easy.
Unroll.me has been running since 2012 but got broader coverage during the last few weeks, as the rebranding and redesign of the website and tool, including a mobile integration, apparently bore fruit. Behind unroll.me is a team of developers from New York City. Their website lacks sound information about their backgrounds, though. Several startup blogs and tech platforms have already reviewed unroll.me, including Techcrunch, Lifehacker, PCWorld and ZDNet.
Yesterday, I had a short discussion with Johannes, my co-founder, about the tool, and he pointed out to me the scale of data mining unroll.me is running and the implications for privacy and data security. As he wanted to know what these unroll mails look like, I forwarded one to him. And then – boom! He could access my whole unroll.me account just by clicking on the rollup mail I forwarded to him!!! No need to log in anywhere; he could just access my subscriptions, doing whatever he wanted with my data (see the screenshots below for a detailed process breakdown)! THIS. IS. A. TREMENDOUS. SECURITY. HOLE!
Step 1: Rollup mail received.
Step 2: Rollup mail forwarded to a completely different account (I just used a web.de account for testing) and browser (I was logged out of my GoogleMail and unroll.me accounts for this test).
Step 3: Click on one of the previewed and rolled-up mails. A new tab with the rolled-up mail opens, including access to the whole account!
Step 4: Access the foreign account with all … rights as normally only the account owner has.
Step 5: Access the ‘Edit your subscriptions’ section and do whatever you want with data which is not your own!!!
I know, of course you shouldn’t (or wouldn’t) normally forward such mails to anybody. But this coincidence revealed a serious security hole which left me baffled!
On a technical level, I only have shallow knowledge of all the possible data mining and data intelligence processes running in the backend of unroll.me, but this complete lack of privacy and security frightens me terribly! I don’t even want to think about what they do with the data collected from the hundreds of thousands of users they have. All the hackers are probably rolling their eyes (and understandably!) because of my naiveté in installing this tool without thinking about the consequences. I just followed the masses, as probably a lot of other people did who weren’t aware of (or knowingly didn’t care about?) the consequences.
Apparently, the pain of receiving so many unwanted e-mails (which you initially subscribed to, though) is much bigger than people’s concern for their privacy. My burning question now is: Why has nobody written about the tremendous security failures of unroll.me, especially after the recent NSA revelations??? In none of the reviews on Techcrunch, Lifehacker, PCWorld or ZDNet was any concern about security mentioned. Not a single one! Nobody seems to care.
We (including me!) all need to be so much more aware of what all these tools do to our private data (well, not so private anyway if you already use Gmail…)! If you haven’t used unroll.me yet, keep your fingers away! If you have, delete it as I just did. Swallow the feeling of stupidity and be a lot more conscious about your future choices on the web! The WWW created so many great opportunities for humanity, but with it came a lot of downsides as well.
Update: Session tokens might be guessable; the one-click login URLs include the user reference ID plus the date of the rollup mail.
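To make the failure in Steps 3 to 5 and in the update concrete from the defender's side, here is an added example (not unroll.me's code, which is not public) of how a one-click login link in a mail can be built so that a forwarded or guessed copy is useless: the token is random and signed with a server key, expires after a short time, and works exactly once. SERVER_KEY, the in-memory nonce set, the example.invalid host and the user IDs are all constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret for this example; a real deployment keeps it out of source.
SERVER_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 15 * 60          # a login link should die quickly, not live on in an inbox
_consumed_nonces = set()            # single-use bookkeeping (in-memory stand-in for a database)


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload; without SERVER_KEY nobody can mint or alter a token."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_login_token(user_id: str, now: Optional[float] = None) -> str:
    """Mint a token bound to one user with an expiry and a random nonce.
    Unlike 'user reference ID + rollup date', no part of it can be derived from the mail."""
    now = time.time() if now is None else now
    expiry = int(now + LINK_TTL_SECONDS)
    nonce = secrets.token_urlsafe(16)
    payload = f"{user_id}|{expiry}|{nonce}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def login_url(user_id: str) -> str:
    return "https://example.invalid/login?token=" + issue_login_token(user_id)


def verify_login_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id the token logs in, or None if it is malformed, forged, expired or reused."""
    now = time.time() if now is None else now
    try:
        encoded, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):   # constant-time compare, checked first
        return None
    user_id, expiry, nonce = payload.decode().split("|", 2)
    if now > int(expiry):                               # a forwarded mail opened later is dead
        return None
    if nonce in _consumed_nonces:                       # the second click (forwarded copy) fails
        return None
    _consumed_nonces.add(nonce)
    return user_id
```

Even with such tokens, a link that grants a full session should lead to a login that still asks for confirmation before account-changing actions like "Edit your subscriptions".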