Quibi, JetBlue, Wish, others accused of leaking millions of email addresses to ad orgs via HTTP referer headers
2020-04-30 22:48

Short-video biz Quibi, airline JetBlue, shopping site Wish, and several other companies leaked millions of people's email addresses to ad-tracking and analytics firms through HTTP request headers, it is claimed.

Netizens using web browsers that prioritize defenses against ad tracking, such as Brave, Firefox, and Safari, or who have installed suitable privacy extensions in other browsers, may have avoided having their email addresses spirited away.

When your browser requests those follow-up files, the referer header in the HTTP requests will be the URL you just opened - which, don't forget, contains your email address.

In effect, Quibi shared the user's email address in plaintext to ad partners, such as Google's DoubleClick, Google Tag Manager, Google Analytics, Facebook Analytics, Twitter, Snapchat, and others.
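The leak path described above can be modelled to check which Referrer-Policy values stop it. This is an added example, not code from the article or the companies named: it computes the Referer a browser would send for a third-party subresource under each standard policy value and flags an email address in it. The function names, the page URL and the tracker host are constructed for illustration.

```javascript
// Added example: models the Referer value sent with a subresource request
// under a given Referrer-Policy and flags email addresses in it.
// SAMPLE_PAGE and SAMPLE_TRACKER are constructed values, not real endpoints.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;

// Returns the Referer header value, or null when no Referer is sent.
function refererFor(pageUrl, requestUrl, policy) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  page.hash = '';                        // fragments are never sent in Referer
  page.username = ''; page.password = ''; // neither are URL credentials
  const full = page.href;
  const originOnly = page.origin + '/';
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === 'https:' && req.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error('unknown policy: ' + policy);
  }
}

// True when the Referer that would be sent contains an email address.
function leaksEmail(pageUrl, requestUrl, policy) {
  const ref = refererFor(pageUrl, requestUrl, policy);
  if (ref === null) return false;
  let decoded = ref;                     // "@" is often percent-encoded as %40
  try { decoded = decodeURIComponent(ref); } catch (e) { /* keep raw form */ }
  return EMAIL_RE.test(ref) || EMAIL_RE.test(decoded);
}

const SAMPLE_PAGE = 'https://shop.example/confirm?email=alice%40example.org';
const SAMPLE_TRACKER = 'https://ads.example/pixel.gif';
for (const p of ['unsafe-url', 'no-referrer-when-downgrade',
                 'strict-origin-when-cross-origin', 'no-referrer']) {
  console.log(p, '->', refererFor(SAMPLE_PAGE, SAMPLE_TRACKER, p),
              'leak:', leaksEmail(SAMPLE_PAGE, SAMPLE_TRACKER, p));
}
```

A site sets the policy with a `Referrer-Policy` response header or a `<meta name="referrer">` tag; keeping email addresses out of URLs removes the exposure regardless of policy.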

"Ad tech Companies like Adroll had a 'data shotgun' that grabbed emails in URLs for years and this is a known strategy. Liveramp has a user graph with huge amounts of emails and tons of ad networks have email matching like Facebook Custom Audience. Email being pushed to ad networks is almost always on purpose and it's profitable for folks who do it."


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/30/email_http_leakage/