Like everyone else, I got caught up in the recent hype around unroll.me, the tool which promises to unclutter your e-mail subscriptions and newsletters by scanning your inbox and sending a daily rollup of the mails you mark as such. Alternatively, you can go to the Unroll.me folder in your mail account, e.g. Gmail, and look into all mails which are rolled up. The design is neat, the setup and application very fast and easy.
Unroll.me has been running since 2012 but got broader coverage during the last few weeks as the rebranding and redesign of the website and tool, including a mobile integration, apparently bore fruit. Behind unroll.me is a team of developers from New York City. Their website lacks sound information about their backgrounds though. Several startup blogs and tech platforms already reviewed unroll.me, including Techcrunch, Lifehacker, PCWorld and ZDNet.
Yesterday, I had a short discussion with Johannes, my co-founder, about the tool and he pointed out to me the scale of data mining unroll.me is running and the implications for privacy and data security. As he wanted to know what these unroll mails look like, I forwarded one to him. And then – boom! He could access my whole unroll.me account just by clicking on the rollup mail I forwarded to him!!! No need to log in anywhere; he could just access my subscriptions, doing whatever he wanted to with my data (see the screenshots below for a detailed process breakdown)! THIS. IS. A. TREMENDOUS. SECURITY. HOLE!
Step 1: Rollup mail received.
Step 2: Rollup mail forwarded to a completely different account (I just used a web.de account for testing) and browser (I was logged out from my GoogleMail and unroll.me account for this test).
Step 3: Click on one of the previewed and rolled up mails. A new tab with the rolled up mail is opened, including access to the whole account!
Step 4: Access the foreign account with all … rights as normally only the account owner has.
Step 5: Access the ‘Edit your subscriptions’ section and do whatever you want with data which is not your own!!!
I know, of course you shouldn’t (or wouldn’t) forward such mails normally to anybody. But this coincidence showed this serious security hole which left me baffled!
On a technical level, I only have shallow knowledge about all the possible data mining and data intelligence processes running in the backend of unroll.me, but this complete lack of privacy and security frightens me terribly! I don’t even want to think about what they do with the data collected from the hundreds of thousands of users they have. All the hackers are probably rolling their eyes (and understandably!) at my naiveté in installing this tool without thinking about the consequences. I just followed the crowd, as probably a lot of other people did who weren’t aware of (or knowingly didn’t care about?) the consequences.
Apparently, the pain of receiving so many unwanted e-mails (which you initially subscribed to, though) is much bigger than people’s concern for their privacy. My burning question now is: why has nobody written about the tremendous security failures of unroll.me, especially after the recent NSA revelations??? In none of the reviews on Techcrunch, Lifehacker, PCWorld or ZDNet was any concern about security mentioned. Not a single one! Nobody seems to care.
We (including me!) all need to be so much more aware of what all these tools do with our private data (well, not so private anyway if you already use Gmail…)! If you haven’t used unroll.me yet, keep your fingers away! If you have, delete it as I just did. Swallow the feeling of stupidity and be a lot more conscious about your future choices on the web! The WWW created so many great opportunities for humanity, but with it came a lot of downsides as well.
__
Update: session tokens might be guessable; the one-click login URLs include the user reference ID plus the date of the rollup mail.
Interesting. So what makes your rollup.me link, in your email that you forwarded, unique? Is it a long identifier on the URL? What happens if you just randomly change that identifier? Do you get into someone else’s account? Or is it a combination of 2 identifier parameters that have to match?
Sorry, got the service name wrong, not used it, and just read your update, so it’s 3 things that have to match? Your email, the date and an ID? That’s not ideal, especially if they derive the ID from the but probably pretty secure if they randomly generate and log it somewhere, but either way they should really enforce a login.
Hey Rob, I can’t tell much about the tech details and you probably need to take a few steps to get to the specific url (and you need the original mail obviously) but the missing login really shocked me! From my perspective, this is a major security fail!
Kathleen, thanks for the article. Would love to chat with you. This feature exists for users’ convenience; otherwise, they would need to log in before reading any email in their rollup each and every day, sometimes multiple times per day.
As you mentioned, if you don’t want people to see your commercial messages, they don’t have to forward the rollup email, so it isn’t a very big risk.
The links in the email are securely signed using HMAC SHA512, so you cannot craft a link to log in as any user unless you have a rollup email.
For additional security, each link expires after 30 days.
If you have any other questions please feel free to reach me at Josh@unroll.me.
Thanks.
@Josh. The way email links usually work is that even with a valid link you have to be logged into the website in question or it will ask you to login for the first link (if you weren’t already logged in). Check out a major site like LinkedIn, having a link from an email isn’t sufficient to access someone’s account, you still have to login if you aren’t already logged in. If you use session cookies for your site and that’s why you’d have to login for every clicked link then you are already annoying your users unnecessarily :-)
I interacted with Unroll.me on a few issues and while I admire their offering’s intent here – I was a bit taken aback by the lack of depth in the responses I got. If they want to avoid the appearance of “don’t look behind the curtain” – they’re not helping themselves.
First my thoughts are they probably can figure out what to suggest for rollup by headers alone. So, after that, then do they scan the full email content of only items that match the rollup requirement? I asked that and got an ambiguous response – a request for clarification has been submitted.
And the security question remains – why can’t the site only present the roll-up on an active cookie from unrollme to a user who has previously oauthed in? There are other ways to cut this without just saying this is a UX requirement – if it were, tens of sites that interact w/ Google Apps wouldn’t work. And if it is – a better more precise explanation is a good idea to avoid the FUD you (you as in unrollme) is saying exists here. It’s just good policy to clear this up well.
And while I have had other issues with SaneBox – SaneBox has been clear and far more complete in their answers. Below is email chain. Cheers, -Ali
—-
From: Ali-Reza Anghaie
To: Josh Rosenwald
Please clarify that first answer – SaneBox scans headers to make all
determinations. It appears, by necessity of features, you parse bodies when
doing the rollup. Is that the ~only~ time you do it though? Or do you scan
all bodies to determine what to suggest for rollup too or do you do that
via headers only?
I disagree – other companies use oauth without forcing us to login over
and over. Isn’t it enough to make sure the user opening the email has a
cookie associated with the last system authenticated on? Creately,
Nitrous.IO, etc. While you may be certain of this answer it’s worth
actually explaining so there is no confusion. FWDing isn’t the only risk
model to consider – every connection back to unrollme now has valuable
information for an attacker anywhere along the path.
And if you roll up, accidentally or through user choice, things that
include password resets, last four of SS #, etc. it’s not going to go away
so easily.
Thank you for your time, -Ali
On Mon, Apr 7, 2014 at 11:53 AM, Josh Rosenwald wrote:
> Hey Ali,
>
> Our system is built to deal with commercial messages, not personal
> messages.
>
> As for the “security hole” you discovered, there’s not much to fix. Every
> company with Oauth as a log in has this problem. The reality is, if we
> used your suggested fix, a ton of people would have to log back in to oauth
> very many times per day. That’s just not realistic for a smooth UX. The
> best advice I can give people is to not forward emails if you don’t want
> people reading them.
>
> Best,
>
> J
>
>
> On Mon, Apr 7, 2014 at 11:18 AM, Ali-Reza Anghaie wrote:
>
>> Per support – emailed you. I understand you’re busy so I didn’t opt for
>> this first.
>>
>> Beside the more broad questions already below – the question of full
>> content scanning for ~all~ email is still open? I understand the
>> permissions allow it (as it does to SaneBox) but the privacy policy doesn’t
>> address do you continue to scan all email contents or just rolled up email
>> content? What audit trail exists to check this? Other security review?
>>
>> And the general question below, which to my mind still stands. Thank you
>> – we’re trying to figure out if either SaneBox or Unroll.me make sense for
>> a particular set of Google Apps users.
>>
>> Cheers, -Ali
>>
>>
>> ———- Forwarded message ———-
>> From: Unroll.me Support
>> Date: Mon, Apr 7, 2014 at 11:12 AM
>> Subject: [Unroll.me Support] Re: Security question from January response
>> from Unroll.me
>> To: Ali
>>
>>
>> *Jack* (Unroll.me Support)
>>
>> Apr 07 11:12 AM
>>
>> Hi Ali-Reza,
>>
>> Please contact to our CEO, Josh, at XXX to discuss this.
>> Thanks!
>>
>> Best,
>>
>> Jack | Unroll.me Support
>>
>> *Ali*
>>
>> Apr 06 05:28 AM
>>
>>
>>
>> http://startup-stuttgart.de//unroll-me-complete-mail-data-tremendous-security-hole/
>>
>> Has this been fixed? Has other related audit to the security model been
>> done?
>>
>> The answer Founder Josh gave in the comments doesn’t make sense to me
>> either. A ton of sites email out links back that require you’re authed to
>> their site w/o a login each time. Many use Google Apps – like my Nitrous.IO
>> dashboard and others. And those has less permissions in the Google App
>> permissions tab than Unroll.me.
>>
>> Thank you, -Ali
>> This email is a service from Unrollme Support. For more help, see our Help
>> Center or FAQ Page.
>>
>>
>>
>
>
> —
> Josh Rosenwald
> CEO
> Unroll.me
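As an added example (not code from unroll.me, Josh, Rob or Ali), the following Python sketch contrasts the two designs argued about in the comments above: the HMAC-SHA512-signed link with a 30-day expiry that Josh describes, and the session-bound handling that Rob and Ali ask for, in which the signed link only selects which rollup to display while a valid session cookie is still required before anything is shown. The secret key, the host `rollup.example`, the parameter names `u`, `d`, `exp` and `sig`, and the in-memory session store are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real service loads this from a secret store and
# rotates it. Whoever holds the key can mint links, so it never leaves the server.
SERVER_KEY = b"constructed-demo-key-not-for-production"
LINK_TTL = 30 * 24 * 3600   # the 30-day link expiry described in the comments
SESSIONS = {}               # constructed in-memory session store: cookie -> user id


def _sign(payload: str) -> str:
    """HMAC-SHA512 over the canonical (sorted) query string."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha512).hexdigest()


def make_rollup_link(user_id: str, rollup_date: str, now: Optional[float] = None) -> str:
    """Build a signed, expiring link like the ones embedded in a rollup mail.
    Host and parameter names are assumptions for this example."""
    issued = int(time.time() if now is None else now)
    params = {"u": user_id, "d": rollup_date, "exp": str(issued + LINK_TTL)}
    payload = urlencode(sorted(params.items()))
    return f"https://rollup.example/view?{payload}&sig={_sign(payload)}"


def verify_rollup_link(url: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the link's parameters if the signature is valid and the link has
    not expired, else None. A valid signature proves the server issued the
    link; it says nothing about who is holding it now (e.g. a forward recipient)."""
    query = parse_qs(urlparse(url).query)
    sig = query.pop("sig", [""])[0]
    params = {k: v[0] for k, v in query.items()}
    payload = urlencode(sorted(params.items()))
    if not hmac.compare_digest(_sign(payload), sig):
        return None                                   # tampered or forged
    current = time.time() if now is None else now
    if int(params.get("exp", "0")) < current:
        return None                                   # past the 30-day window
    return params


def login(user_id: str) -> str:
    """Issue a random session cookie once the user has authenticated (OAuth or otherwise)."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = user_id
    return cookie


def handle_view(url: str, session_cookie: Optional[str], now: Optional[float] = None) -> tuple:
    """Hardened handler: the signed link selects a rollup, the session proves identity.
    A forwarded link arriving without a session yields a login redirect, not the account."""
    params = verify_rollup_link(url, now)
    if params is None:
        return ("deny", "invalid or expired link")
    user = SESSIONS.get(session_cookie) if session_cookie else None
    if user is None:
        return ("login", url)                         # bounce to login, then return here
    if user != params.get("u"):
        return ("deny", "link belongs to another account")
    return ("ok", params["d"])


if __name__ == "__main__":
    link = make_rollup_link("12345", "2014-04-07")
    print("no session :", handle_view(link, None))
    print("owner      :", handle_view(link, login("12345")))
    print("other user :", handle_view(link, login("99999")))
    print("tampered   :", handle_view(link.replace("u=12345", "u=12346"), login("12346")))
```

The point of the split is that the signature and the expiry only answer "did our server issue this link and is it still fresh?", which is exactly what Josh's reply covers; the session check answers "is the person clicking it the account owner?", which is the question the forwarded-mail experiment in the post raises. Keeping the two separate means a signed link can stay convenient (it deep-links straight to the right rollup once the user is logged in) without acting as a bearer credential for anyone who ends up holding the mail.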