
Consider configuring mail providers (e.g. Mailgun, Mailchimp) not to store, track and/or shorten sensitive URLs (e.g. reset password links, any URL with a token)

Open issue, opened by eliotsykes · 3 comments

Mail providers (such as Mailgun & Mailchimp) are often set up to track all links in the emails that are sent through their servers.

This means your provider may be logging and building reports for sensitive URLs that could be exploited (e.g. reset password links sent by email, URLs for digital goods and gift cards).

Considerations:

  • is the tracked URL https or http?
  • if the tracking URL is a short URL, it may be more vulnerable to brute force attacks
  • does the URL need to be tracked?
  • how to disable URL tracking per URL/per email?
  • any mail providers auto-detecting sensitive URLs and actively not tracking them without developer intervention?

eliotsykes, Dec 20 '17 11:12

So according to some reports, Mailgun has been attacked and it involved a client's password reset emails Mailgun were storing (for compliance?) being intercepted. See comments at https://news.ycombinator.com/item?id=16079544

eliotsykes, Jan 10 '18 08:01

Consider adding a guideline that if you use Mandrill (not Mailgun), you set view_content_link to false by default:

view_content_link set to false to remove content logging for sensitive emails

https://mandrillapp.com/api/docs/messages.JSON.html#method-send

eliotsykes, Jan 10 '18 08:01
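As an added example (not code from the checklist, from Mandrill, or from the commenter), a small Ruby helper that detects sensitive links in an outgoing message, refuses plain-http ones, and builds the Mandrill messages/send payload with track_clicks, track_opens and view_content_link switched off for such messages. The sensitive-link heuristics and all function names are my own assumptions; the three message fields are the ones documented in the linked Mandrill API page.

```ruby
require "uri"

# Constructed heuristics (assumption, not from Mandrill docs): path fragments and
# query parameters that mark a link as sensitive, e.g. reset-password links.
SENSITIVE_PATH_RE  = %r{/(password|reset|confirm|unlock|download|gift)}i
SENSITIVE_PARAM_RE = /\A(token|reset_password_token|confirmation_token|code)\z/i

# Pull http(s) links out of an HTML or plain-text body, dropping trailing punctuation.
def extract_links(body)
  body.scan(%r{https?://[^\s"'<>]+}).map { |u| u.sub(/[.,)]+\z/, "") }
end

# A link is sensitive if its path or query carries a credential-like value.
def sensitive_link?(url)
  uri = URI.parse(url)
  return true if uri.path.to_s.match?(SENSITIVE_PATH_RE)
  params = URI.decode_www_form(uri.query.to_s).map(&:first)
  params.any? { |p| p.match?(SENSITIVE_PARAM_RE) }
rescue URI::InvalidURIError
  true # an undecodable link is treated as sensitive rather than guessed at
end

# Sensitive links must never go out over plain http (first consideration above).
def assert_https!(links)
  insecure = links.reject { |u| u.start_with?("https://") }
  return if insecure.empty?
  raise ArgumentError, "plain-http sensitive link(s): #{insecure.join(', ')}"
end

# Build the message hash for Mandrill's messages/send call. When the body carries
# sensitive links, click/open tracking (which rewrites links to provider-hosted
# URLs) and content logging (view_content_link) are both turned off.
def mandrill_message(from:, to:, subject:, html:)
  sensitive_links = extract_links(html).select { |u| sensitive_link?(u) }
  assert_https!(sensitive_links)
  sensitive = !sensitive_links.empty?
  {
    from_email: from,
    to: [{ email: to, type: "to" }],
    subject: subject,
    html: html,
    track_clicks: !sensitive,
    track_opens: !sensitive,
    view_content_link: !sensitive # "set to false to remove content logging for sensitive emails"
  }
end
```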

Removed Sendgrid from issue as according to docs on their site they do not log email content: https://sendgrid.com/docs/Classroom/Track/Collecting_Data/is_there_a_way_to_see_the_content_of_transactional_emails_i_send.html

eliotsykes, Jan 10 '18 09:01