Quibi, JetBlue, Wish, others accused of leaking millions of email addresses to ad orgs via HTTP referer headers

Short-video biz Quibi, airline JetBlue, shopping site Wish, and several other companies leaked millions of people's email addresses to ad-tracking and analytics firms through HTTP request headers, it is claimed. According to findings published Wednesday by Zach Edwards, of digital strategy firm Victory Medium, these businesses …

  1. Jamie Jones Silver badge
    Headmaster

    For the past two years, Wish.com has been transmitting millions of email addresses, in base64 encoding, which is not encryption, we're told.

    You've been told correctly - base64 encoding isn't encryption!

  2. tip pc Silver badge
    Unhappy

    URL referral should be talked about more

    More people should know about how browsers pass on details of the previous page visited.

    I always close a tab before going to a new site. I shouldn’t have to though.

    So many things going on behind the scenes we have little knowledge of.

    1. Jamie Jones Silver badge

      Re: URL referral should be talked about more

      I suppose the problem lies with those "apps" which are basically just customised front-ends to a web browser, and don't show the URL.

    2. David Nash

      Re: URL referral should be talked about more

      Passing on the referrer as the *page* you came from is one thing, but passing on the full url including personal stuff like this is more than some might expect.

  3. Trollslayer Silver badge
    Holmes

    Call me suspicious

    But when I see base64 on a URL, just out of curiosity I remove it, then lo and behold, the URL still works.

  4. MatthewSt Silver badge

    Easy Fix

    All they need to do is send a Referrer-Policy in their response headers and that problem will magically go away!

    https://scotthelme.co.uk/a-new-security-header-referrer-policy/

  5. Joe Drunk
    Trollface

    I feel so guilty for blocking all ads

    /s

  6. doublelayer Silver badge

    Edwards said he doubts these leaks are accidental.

    And they definitely aren't. Just look at the responses. Companies are encrypting their addresses now. Yay. Except the response for someone who doesn't want to leak them would be to change the page source so referer [sic] headers either aren't sent or exclude that information. I can think of three different ways to do that that each can be implemented in about an hour. Nope, they'll encrypt them. They won't bother stating that they've already sent the keys to the provider; they figure we already know that.
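
The Referrer-Policy fix raised in the comments above, as an added example that is not part of the thread: it computes the Referer a browser would send to a third party under each policy and checks whether a base64-encoded address survives. The hostnames and sample URL are constructed, and "trustworthy" is approximated as "scheme is https".

```javascript
// Referer value a browser sends for a request from `from` to `to` under a
// given Referrer-Policy (simplified from the W3C Referrer Policy algorithm:
// "trustworthy" is approximated as "scheme is https").
function computeReferrer(policy, from, to) {
  const src = new URL(from);
  const dst = new URL(to);
  const originOnly = src.origin + "/";
  // Full referrer: credentials and fragment are always stripped.
  src.username = ""; src.password = ""; src.hash = "";
  const full = src.href;
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === "https:" && dst.protocol !== "https:";

  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("unknown policy: " + policy);
  }
}

// What a third party can recover from a received Referer: any query
// value that base64-decodes to something shaped like an email address.
function emailsInReferrer(referrer) {
  if (!referrer) return [];
  const found = [];
  for (const value of new URL(referrer).searchParams.values()) {
    try {
      const text = atob(value);
      if (/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(text)) found.push(text);
    } catch (_) { /* value is not valid base64 */ }
  }
  return found;
}

// Constructed sample: a page URL carrying a base64-encoded address.
const page = "https://shop.example/welcome?e=" + btoa("alice@example.com");
const tracker = "https://ads.example/pixel.gif";
for (const p of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]) {
  console.log(p, "->", emailsInReferrer(computeReferrer(p, page, tracker)));
}
```

Only the policies that pass the full URL cross-origin expose the address; the origin-only and no-referrer policies leave the third party with nothing to decode.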
