Quibi, JetBlue, Wish, others accused of disclosing millions of email addresses to advertising organizations via HTTP referrer headers • The VPNOnlineFree



Short-form video biz Quibi, the airline JetBlue, the shopping site Wish and several other companies have disclosed millions of email addresses to advertising, tracking and analytics companies via HTTP request headers, it is claimed.

According to findings published on Wednesday by Zach Edwards, of the digital strategy firm Victory Medium, these companies have passed these contact details to advertising networks and others in recent years. Among the websites identified by Edwards – a group that also includes Mailchimp, The Washington Post, NGPVan.com, KongHQ and GrowingChild.com – some quickly changed their websites when they learned of the problem, but others did not.

And while this disclosure of email addresses to third parties may be covered in high-level terms buried in corporate privacy policies, it is a reminder of how easily websites can pass your personal information on, in the blink of an eye, without you realizing it.

People using web browsers that prioritize defenses against ad tracking, such as Brave, Firefox, and Safari, or who have installed suitable privacy extensions in other browsers, may have avoided having their email address siphoned off.

How it works

When someone tries to visit a page on a website – for example, by clicking a link or button – their browser creates an HTTP request for that page and sends it to the website. This request contains the URL of the page, and that URL may contain information relevant to the request. The HTTP request can also contain a header called Referer, which specifies the URL of the web page you just came from.

Now imagine that you click on a link to a web page whose URL contains your email address. Your browser requests and receives this web page, which then instructs your browser to automatically fetch files, such as images and JavaScript, from other websites. When your browser requests these tracking files, the Referer header in those HTTP requests will be the URL you just opened – which, remember, contains your email address. The web page has now disclosed your contact information to these other sites.
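As an added illustration (not code from the article or from any company it names), the following Python audits constructed request-log lines of the form `<method> <request_url> referer="<referer_url>"` for email addresses leaking through the Referer header, either in plain text or base64-encoded as the article says Wish.com's were, and works out what the browser would have sent instead under a Referrer-Policy of strict-origin-when-cross-origin. The log format, hostnames and addresses are all made up for the example.

```python
import base64
import re
from urllib.parse import parse_qsl, urlparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
LINE_RE = re.compile(r'^\S+ (\S+) referer="([^"]*)"$')  # constructed log format

def _decode_b64(value):
    """Decode standard or URL-safe base64 to text, or None if it is not base64."""
    value = value.replace(" ", "+").replace("-", "+").replace("_", "/")  # undo URL quoting
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def find_email_params(url):
    """Return (param, email, encoding) for every query value that is an email address."""
    hits = []
    for key, val in parse_qsl(urlparse(url).query, keep_blank_values=True):
        if EMAIL_RE.match(val):
            hits.append((key, val, "plain"))
        elif (decoded := _decode_b64(val)) and EMAIL_RE.match(decoded):
            hits.append((key, decoded, "base64"))
    return hits

def referer_under_policy(page_url, request_url):
    """Referer a browser sends for request_url under strict-origin-when-cross-origin."""
    page, req = urlparse(page_url), urlparse(request_url)
    if (page.scheme, page.netloc) == (req.scheme, req.netloc):
        return page_url.split("#", 1)[0]      # same origin: full URL minus fragment
    if page.scheme == "https" and req.scheme != "https":
        return ""                             # HTTPS-to-HTTP downgrade: send nothing
    return f"{page.scheme}://{page.netloc}/"  # cross origin: origin only, no path or query

LOG = [  # constructed: third-party fetches triggered by pages of a site
    'GET https://ads.example/pixel.gif referer="https://video.example/verify?email=jane%40example.org&token=abc"',
    'GET https://analytics.example/collect referer="https://shop.example/cart?u=dXNlckBleGFtcGxlLmNvbQ%3D%3D"',
    'GET https://static.example/app.js referer="https://shop.example/home?ref=menu"',
]

def audit(log_lines):
    """One finding per leaked address: (third-party host, email, encoding, safer Referer)."""
    findings = []
    for line in log_lines:
        match = LINE_RE.match(line)
        if match:
            dest, ref = match.groups()
            for _key, email, enc in find_email_params(ref):
                findings.append((urlparse(dest).netloc, email, enc, referer_under_policy(ref, dest)))
    return findings
```

Running `audit(LOG)` flags the first two lines and reports that, with the policy in place, each third party would have received only the page's origin.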

Quibi, the recently launched short-video app, was doing just that, said Edwards. When a new user signed up with an email address, that person received an email with an account confirmation link. By clicking on this link, the user landed on a web page with the following URL, which contained the email address for their account:


This verification page, once retrieved, automatically reached out to other servers to request JavaScript code and other files – with the URL of this verification page, containing the registration address, in the Referer header of each HTTP request. Quibi thus shared the user's email address in plain text with advertising partners, such as Google's DoubleClick, Google Tag Manager, Google Analytics, Facebook Analytics, Twitter, Snapchat and others. These parties could link your interest in Quibi to your email address in order to target you with personalized ads, for example.

Quibi did not immediately respond to a request for comment. According to Edwards, the company no longer distributes email addresses as described above. Quibi's privacy policy states that it shares people's information with ad networks, although there is no specific mention of email addresses shared in this way.

JetBlue is also said to have disclosed email addresses from a registration web page, and was alerted to the problem in March. “After being informed of the leak, JetBlue said they would never do what they do because it would be against the law,” said Edwards in his report.

The airline did not immediately respond to a request for comment. As with Quibi, the privacy policy indicates that e-mail addresses may be disclosed for commercial purposes, but does not explicitly state how.

In the past two years, Wish.com has transmitted millions of email addresses, in base64 encoding, which is not encryption, we are told.

“From July 2018 to January 2020, when this research was originally shared with Wish.com, Wish forwarded user emails to at least Google, Facebook, Pinterest, Criteo, PayPal and Stripe, and potentially to other companies,” said Edwards. Several thousand of these email addresses have apparently been cached by scanning services such as URLscan.io.



Glenn Lehrman, veep and communications manager at Wish.com, told The Register that the company considers data protection and user trust to be a top priority. He said that after receiving Edwards' report earlier this year, the biz made a few changes, including adding encryption to protect users' email addresses in transit.

Lehrman said he did not agree with Edwards' findings, noting that the websites receiving the email addresses acted as service providers, performing advertising and business support functions.

“Zach disputes the specific way in which the data from the web referrer was encoded (in a string that is not human-readable) and supposes that the large service providers could theoretically have first ingested and then taken measures to decode this data,” said Lehrman. “We have no reason to believe that this happened. Certainly, these companies had no reason to do so, and in any event, it is certainly not a ‘violation’ to provide a service provider with such encoded information.”

Email addresses are considered personally identifiable information under Europe's General Data Protection Regulation, Edwards told The Register. Exposing this data could pose problems for companies operating in Europe.

The California Consumer Privacy Act is less clear. “This is why Wish said that all of its ad tech partners are ‘service providers’ – that's the opening in the CCPA that lets them share data this way,” he added.

Despite this, Edwards believes that none of the organizations he identified has made this data sharing clear enough in their privacy policies.

Edwards said he doubts the leaks were accidental. “It is certainly not an accident when most organizations do,” he said, noting that the practice is a widely known and widely used “growth hack”.

“It improves retargeting opportunities and improves attribution in analytics systems,” he said. “Ad technology companies like Adroll had a ‘shotgun’ that would retrieve emails from URLs for years and that's a known strategy. Liveramp has a user graph with huge amounts of email and tons of ad networks have email matching like Facebook Custom Audience. Being pushed to ad networks is almost always deliberate and it's profitable for the people who do it.”
