SecurityWeek

Email Security

Let’s Encrypt Exposes User Email Addresses

Server Bug Exposes Email Addresses of 7,618 Let’s Encrypt Users

Thousands of Let’s Encrypt users had their email addresses exposed this Saturday, when the open certificate authority (CA) started sending a notification to active subscribers.

Backed by the Electronic Frontier Foundation (EFF) and numerous large Internet and tech companies, Let’s Encrypt is a project aimed at bringing encryption to all areas of the Internet. It provides website owners with free certificates, in an attempt to encourage them to transition to HTTPS to ensure a secure communication between their sites and users’ browsers.

Because of a server glitch, when Let’s Encrypt started sending out emails to its users on June 11 to inform them of an update to its subscriber agreement, the automated system used to send them mistakenly prepended email addresses to the body of the message. As a result, recipients could see the email addresses of other subscribers.

Let’s Encrypt ISRG Executive Director Josh Aas explains that the bug was discovered after 7,618 emails had been sent, and that the automated system was stopped at that point. He also explains that, because the bug was caught early, only 1.9% of Let’s Encrypt’s subscribers who provided an email address were affected.

Aas also explained that each new message contained the addresses of all previous recipients. “Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones,” Aas reveals.
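The failure mode Aas describes, a batch sender whose message body accumulates the addresses of every earlier recipient, is reproduced below as an added illustration. This is not Let’s Encrypt’s or Mandrill’s code (the article notes the root cause was still under investigation); the subscriber list, notice text and function names are constructed for the example. The buggy builder keeps a body buffer across loop iterations, the fixed builder renders each body from scratch and keeps the recipient only in the envelope, and `cross_recipient_leaks` is a pre-send guard that refuses the whole batch if any body references a different recipient.

```python
"""Added example: an accumulating batch-notifier bug beside its fixed form,
with a pre-send check for cross-recipient address leakage.
Hypothetical reconstruction, not the CA's or the email provider's code."""

# Constructed sample data (not real subscribers).
SUBSCRIBERS = ["alice@example.org", "bob@example.net", "carol@example.com"]
NOTICE = "Our subscriber agreement has been updated."


def build_batch_buggy(recipients, notice):
    """Bug pattern: the body buffer is never reset between recipients, so
    message N carries the addresses of recipients 1..N prepended to the text."""
    messages = []
    body = ""
    for addr in recipients:
        body = addr + "\n" + body          # prepends to a buffer shared across iterations
        messages.append({"to": addr, "body": body + notice})
    return messages


def build_batch_fixed(recipients, notice):
    """Fixed form: each body is built independently; the recipient address
    lives only in the envelope ('to'), never in the body."""
    return [{"to": addr, "body": notice} for addr in recipients]


def cross_recipient_leaks(messages):
    """Pre-send guard. Returns (recipient, leaked_address) pairs for every
    message whose body contains some other recipient's address.
    An empty list means the batch is safe to hand to the mail provider."""
    addrs = {m["to"] for m in messages}
    leaks = []
    for m in messages:
        for other in addrs:
            if other != m["to"] and other in m["body"]:
                leaks.append((m["to"], other))
    return leaks


def send_batch(recipients, notice, builder):
    """Render the whole batch first, then abort before the first message
    leaves if any body references a different recipient. Returns the
    messages that would be sent."""
    messages = builder(recipients, notice)
    leaks = cross_recipient_leaks(messages)
    if leaks:
        raise RuntimeError(
            f"refusing to send: {len(leaks)} cross-recipient leak(s), e.g. {leaks[0]}"
        )
    return messages


if __name__ == "__main__":
    for builder in (build_batch_buggy, build_batch_fixed):
        try:
            sent = send_batch(SUBSCRIBERS, NOTICE, builder)
            print(f"{builder.__name__}: sent {len(sent)} messages")
        except RuntimeError as exc:
            print(f"{builder.__name__}: {exc}")
```

The guard is deliberately run over the fully rendered batch rather than per message, so a bug that only manifests from the second recipient onward (exactly the pattern described above, where the first email looked fine) still blocks the send before anything leaves.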

Given that around 383,000 users subscribed to the open CA’s newsletter, the impact of the glitch could have been much bigger. Aas also appealed to those who accidentally received the email addresses of other users not to post them publicly.

As some of the Let’s Encrypt subscribers who started discussing the issue on the CA’s community forums suggest, the culprit might be the Mandrill transactional email platform from MailChimp. The CA was using this service to send the email notifications and the glitch might have either emerged from the communication between Let’s Encrypt and Mandrill, or from the service itself.

According to Aas, the CA is currently investigating the incident and will post more details on the matter soon. “We take our relationship with our users very seriously and apologize for the error. We will be doing a thorough postmortem to determine exactly how this happened and how we can prevent something like this from happening again. We will update this incident report with our conclusions,” he said.

Let’s Encrypt issued its first digital certificate in September last year and entered public beta in December. The CA shed the beta tag in early April 2016, one month after it issued its millionth certificate. In May, EFF announced that the Let’s Encrypt client Certbot was launched in beta.
