Unroll.me scans your complete mail data and has a tremendous security hole - ellenberg
http://startup-stuttgart.de/unroll-me-complete-mail-data-tremendous-security-hole/
Yesterday, I had a short discussion with Kathleen, my co-founder, about the tool and I pointed out the scale of data mining unroll.me is running and the implications for privacy and data security. As I wanted to know what these unroll mails look like, Kathleen forwarded one to me. And then – boom! I could access _her_ whole unroll.me account by just clicking on the rollup mail she forwarded! No need to log in anywhere, I just could access her subscriptions, doing whatever I wanted to with her data. THIS. IS. A. TREMENDOUS. SECURITY. HOLE!
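The flaw the article describes is a bearer credential inside a mail: whoever holds the rollup mail holds the account. The Python sketch below is an added illustration, not unroll.me's code (the hostname, parameter names and storage are made up); it contrasts a permanent account token in every mail with a signed, short-lived, single-use link scoped to viewing one rollup, so a forwarded link cannot be used to manage the account.

```python
import hmac, hashlib, secrets, time

SECRET = secrets.token_bytes(32)  # constructed server-side signing key for this demo

# Vulnerable pattern: one long-lived token per account goes into every rollup
# mail, and presenting it anywhere grants full access. Forwarding the mail
# forwards the login, and it never expires.
ACCOUNT_TOKENS = {}  # user -> permanent token (constructed in-memory store)

def vulnerable_issue(user):
    tok = ACCOUNT_TOKENS.setdefault(user, secrets.token_urlsafe(32))
    return f"https://rollup.example.invalid/account?u={user}&t={tok}"

def vulnerable_check(user, tok):
    return ACCOUNT_TOKENS.get(user) == tok  # full account access, forever, replayable

# Hardened pattern: the link carries an HMAC-signed capability bound to one
# action ("view:<rollup_id>"), an expiry and a nonce; it is accepted once.
# Anything beyond viewing that rollup still requires a real login.
USED = set()  # payloads already redeemed (single use)

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def hardened_issue(user, rollup_id, ttl=3600, now=None):
    exp = int((now if now is not None else time.time()) + ttl)
    nonce = secrets.token_urlsafe(8)
    payload = f"{user}|view:{rollup_id}|{exp}|{nonce}"
    return payload, _sign(payload)

def hardened_check(payload, sig, action, now=None):
    # Verify the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(sig, _sign(payload)):
        return False
    user, scope, exp, nonce = payload.split("|")
    if scope != action:                      # scoped: view only, not manage
        return False
    if int(exp) < (now if now is not None else time.time()):  # expired
        return False
    if payload in USED:                      # replay of a forwarded link
        return False
    USED.add(payload)
    return True
```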
======
Piskvorrr
In my (not actually humble at all) opinion, Unroll.me is a security hole by
itself. "Oh yeah, I'll willingly give all of my e-mail data to a third party,
what could possibly go wrong?" Although this article is fascinating news, it
sounds like "in addition to the hole created by iceberg impact, Titanic also
has open portholes above the waterline".

(Before you start pointing out that my e-mail provider has my data - I'm sort
of aware of that, and find it as a necessary evil to keep my e-mails flowing;
it doesn't follow that I should therefore give access to anyone and everyone)

------
provito
I'm not sure if this is actually a problem? You wouldn't share your password-
recovery e-mail with anyone either?

I guess it's not the best thing to do (and not telling you to not share that
mail), but a tremendous security hole? Are the login-tokens they use in the
URL guessable? If not, I think that might be a little bit exaggerated...

~~~
Piskvorrr
"Summary of some mostly uninteresting e-mails" doesn't _quite_ feel as
important or sensitive as "Password recovery e-mail". Very unintuitive, very
surprising.