Unroll.me scans your complete mail data and has a tremendous security hole (startup-stuttgart.de)
7 points by ellenberg on Jan 10, 2014

In my (not actually humble at all) opinion, Unroll.me is a security hole by itself. "Oh yeah, I'll willingly give all of my e-mail data to a third party, what could possibly go wrong?" Although this article is fascinating news, it sounds like "in addition to the hole created by iceberg impact, Titanic also has open portholes above the waterline".

(Before you start pointing out that my e-mail provider has my data - I'm sort of aware of that, and find it a necessary evil to keep my e-mails flowing; it doesn't follow that I should therefore give access to anyone and everyone)

I'm not sure if this is actually a problem? You wouldn't share your password-recovery e-mail with anyone either?

I guess it's not the best thing to do (and I'm not telling you to not share that mail), but a tremendous security hole? Are the login tokens they use in the URL guessable? If not, I think that might be a little bit exaggerated...

"Summary of some mostly uninteresting e-mails" doesn't quite feel as important or sensitive as "Password recovery e-mail". Very unintuitive, very surprising.

Session tokens might be guessable; the one-click login URLs include the user reference ID plus the date of the rollup mail.

