Mailchimp is a great and versatile web application used by lots of websites; it’s easy to use and secure. But correct implementation by the developer is needed to keep your subscriber data safe. With so many users on Mailchimp, it’s important to implement Mailchimp security correctly.
When I was randomly testing a mobile application for security, I found an issue which allowed me to get all the mailing lists and mail subscribers from the company’s Mailchimp account. My guess is that they’re not the only ones who mis-implemented Mailchimp, so I thought I’d write an article with 3 tips on how to prevent access to your Mailchimp subscribers’ data (names, e-mail addresses etc.).
1 Don’t add your API key to your mobile app (or frontend html for website)
2 Don’t add your API key to your mobile app (or frontend html for website)
3 Don’t add your API key to your mobile app (or frontend html for website)
Ok, so it’s only one tip, but it’s a very crucial one: your API key is for your eyes only. If someone with bad intent gets hold of your Mailchimp API key, they will be able to retrieve all your mailing lists and subscriber data!
When I was testing this iOS app (which even got featured by Apple), I noticed the “subscribe to newsletter” functionality posted the e-mail address directly to the Mailchimp API:
Let’s try and get all the mailchimp lists through the mailchimp API:
Well, that was easy: we now have all the mailing lists from the Mailchimp account, including their list IDs.
Now if someone wanted to get the subscribers from the lists, all they need to do is go to:
api.mailchimp.com/2.0/lists/members?apikey=(apikey)&id=(listid) and they will get all the subscribers’ data (first name, last name, email etc.)
Time to find out who this api key belongs to and send them an email 🙂
I notified the company so they can take steps to implement it right. As an example, it would be better to send the subscribe POST to your own web server (e.g. domain.com/subscribe) with only the e-mail address, and then from your own server code send the subscription to Mailchimp with the API key, so the end user never gets to see the API key.
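As an added example (not the app’s or Mailchimp’s own code), here is a minimal server-side handler for that domain.com/subscribe endpoint in Python: the client posts only the e-mail address, while the API key and list ID come from the server’s environment and never appear in anything sent back. The request body follows Mailchimp’s API 2.0 lists/subscribe method; the data-centre suffix convention in the key (the part after the dash) and all function names are assumptions.

```python
import json
import os
import re
import urllib.error
import urllib.request

# The key and list ID live only on the server, never in the app or page.
MAILCHIMP_API_KEY = os.environ.get("MAILCHIMP_API_KEY", "")
MAILCHIMP_LIST_ID = os.environ.get("MAILCHIMP_LIST_ID", "")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_mailchimp_request(email, list_id, api_key):
    """Build the server-to-Mailchimp call (API 2.0 lists/subscribe).
    Data centre taken from the key suffix, e.g. 'xxx-us1' -> us1 (assumed convention)."""
    dc = api_key.rsplit("-", 1)[-1]
    url = "https://%s.api.mailchimp.com/2.0/lists/subscribe.json" % dc
    body = {"apikey": api_key, "id": list_id, "email": {"email": email}}
    return url, json.dumps(body).encode()


def _post_json(url, payload):
    req = urllib.request.Request(url, data=payload, headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, OSError):
        return False


def handle_subscribe(client_body, api_key=None, list_id=None, send=None):
    """Handler behind POST /subscribe. Returns (http_status, response_dict).
    `send` is injectable so the handler can be exercised without network access."""
    api_key = api_key or MAILCHIMP_API_KEY
    list_id = list_id or MAILCHIMP_LIST_ID
    if not api_key or not list_id:
        return 500, {"error": "server not configured"}
    try:
        data = json.loads(client_body)
    except ValueError:
        return 400, {"error": "invalid json"}
    email = data.get("email", "") if isinstance(data, dict) else ""
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.match(email):
        return 400, {"error": "invalid email"}
    # Only the address is taken from the client; any apikey/id it sends is ignored.
    url, payload = build_mailchimp_request(email, list_id, api_key)
    ok = (send or _post_json)(url, payload)
    # The reply carries no key, list ID or raw upstream output.
    return (200, {"status": "subscribed"}) if ok else (502, {"error": "upstream failure"})
```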