Book and Sword

~ Pontifex minimus

Substack Transmits User Email Addresses in Plain Text

04 Sunday Apr 2021

Posted by Sean Manning in Modern

Tags

modern, security and privacy, software engineering, state of the web, substack

[Image: the landing page for Brad Delong’s Substack newsletter]
Apparently Substack encourages open discussion threads once a week or month. This has been a common way of encouraging engagement with ‘chatty’ blogs for at least a decade, whether they are hosted by Substack or Blogger.

At first I thought Substack were just good self-promoters. They managed to convince people to lend them more than $80 million to launch a blog platform with 2010s aesthetics. Most blog platforms will deliver posts by RSS or email if you sign up, and paid and unpaid newsletters go back to the 19th century. Getting people with too much money to give you some is harmless, and convincing people to read and write blogs is good. But then @22@octodon.social suggested I should look at their source code, and I saw something as beautiful as the tale of Emperor Norton of the United States.

If you right-click a Substack page and click ‘view source,’ you will see some sections for tracking pixels. These are tiny transparent images which uniquely identify the copy of an email or a webpage sent to a specific person. They are one of the ways sites track you around the web and after you sign out, which is why it’s a good idea to block HTML and images in your email client. But these images have some metadata attached, and that metadata appears in the text of the page.

<script>window._analyticsConfig = {"user":null,"properties":{"subdomain":"braddelong","publication_id":47874,"has_plans":true,"pub_community_enabled":true,"parent_publication_id":null,"parent_publication_subdomain":null,"is_parent_publication":false,"is_subscribed":false,"is_free_subscribed":false,"is_author":false,"is_contributor":false,"is_admin":false},"optimizelySdkKey":"5kEkU44ABjPW9geWS8dGD"}</script>
https://cdn.substack.com/min/main.bundle.js?v=12ce06-17894e63490

<!-- Fallback tracking pixels -->

If you signed up in this browser, or arrived in this window from one of their emails, the user field is filled in with something like:

{"id":12345678, "name":null,"email":"notmyrealaddress+somesubstack@protonmail.com"}, "anonymousId":"abcdefgh-ijkl-mnop-qrst-uvwxyz123456"}

If you were not using HTTPS, anyone between you and the server can see which page and which newsletter someone with your email address and username was visiting. And if you submit the page to the Wayback Machine, your address and other personal information will be archived for posterity. If you use Substack and comment on one of those discussion threads, will the email addresses and usernames of everyone who comments be archived? They have fields for Facebook and Google tracking IDs, so anyone who has access to those (and the aspects of your identity they reveal) can search for them. For example, if a cracker wanted to spear phish you, he could use this to send an email that looks like an update from one of your newsletters, with a link you really should not click on or an attachment you really should not open. The same ID is attached to Substack pages which you did not subscribe to, as long as you have not cleared your history since the last time you subscribed, logged in, or clicked a link in one of their newsletters.

The hilarious thing is that Substack is aware of the undergraduate computer science concept of running user information through a hash function to get an anonymous unique ID and using that in public. Just look at that anonymousId field! A company which just got given $65 million to promote a blog platform is making an elementary security and privacy error. And they are far from the only Southern California software company which does not seem to be very good at developing software (just look at Patreon, if you can bear to load one of their pages!). As I said a year ago, the adults in the room are not adults at all; they are just the latest generation of smooth talkers using fancy words and the right dress and deportment to convince rich people to give them money to build a beautiful dream.
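The two preceding paragraphs describe a check anyone can do by hand (search the page source for an address) and the fix Substack evidently knows about (publish a hashed identifier instead of the address). The script below is an added example, not code from the post or from Substack: it parses an inline `window._analyticsConfig` assignment out of page source, walks the parsed object for anything that looks like an email address, and shows what a redacted config would look like. The two HTML samples are constructed to match the shape of the snippet quoted above (the id, address and anonymousId are placeholders); the `emailHash` field name and the server-side secret are assumptions for illustration. It goes slightly beyond the post in one respect: a plain hash of an address can be confirmed by anyone who guesses the address and hashes it, so the example uses a keyed hash (HMAC) with a secret that never leaves the server.

```python
import hashlib
import hmac
import json
import re

# Constructed sample page sources modelled on the snippet quoted in the post.
# The numeric id, the address and the anonymousId are placeholders, not real data.
LOGGED_IN_HTML = """<html><head>
<script>window._analyticsConfig = {"user":{"id":12345678,"name":null,"email":"notmyrealaddress+somesubstack@protonmail.com"},"properties":{"subdomain":"braddelong","publication_id":47874,"is_subscribed":false},"anonymousId":"abcdefgh-ijkl-mnop-qrst-uvwxyz123456"}</script>
<script src="https://cdn.substack.com/min/main.bundle.js"></script>
</head><body></body></html>"""

# The logged-out variant: the post notes that "user" is null until you sign in
# or arrive from a newsletter link.
LOGGED_OUT_HTML = LOGGED_IN_HTML.replace(
    '"user":{"id":12345678,"name":null,"email":"notmyrealaddress+somesubstack@protonmail.com"}',
    '"user":null',
)

ASSIGNMENT_RE = re.compile(r"window\._analyticsConfig\s*=\s*")
EMAIL_RE = re.compile(r"[^@\s\"'<>]+@[^@\s\"'<>]+\.[^@\s\"'<>]+")


def extract_config(html):
    """Locate the inline assignment and parse exactly one JSON object after it.

    raw_decode stops at the end of the object, so the trailing </script> and the
    rest of the document are ignored; a regex over nested braces would not cope.
    """
    m = ASSIGNMENT_RE.search(html)
    if m is None:
        return None
    obj, _end = json.JSONDecoder().raw_decode(html, m.end())
    return obj


def find_exposed_emails(config):
    """Return (dotted.path, value) for every string in the config that looks like an email."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, path + [str(i)])
        elif isinstance(node, str) and EMAIL_RE.fullmatch(node):
            hits.append((".".join(path), node))

    walk(config, [])
    return hits


def pseudonymous_id(email, secret):
    """Keyed hash of the normalised address, to be computed server-side only.

    A plain SHA-256 of an email can be confirmed by anyone who guesses the address
    and hashes it; keying the hash with a server secret (HMAC) removes that shortcut.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(secret, normalised, hashlib.sha256).hexdigest()


def redact_config(config, secret):
    """Return a copy of the config in which the address is replaced by a keyed hash.

    The "emailHash" field name is an assumption for this example.
    """
    safe = json.loads(json.dumps(config))  # deep copy so the caller's object is untouched
    user = safe.get("user")
    if isinstance(user, dict) and user.get("email"):
        safe["user"] = {"emailHash": pseudonymous_id(user["email"], secret)}
    return safe


if __name__ == "__main__":
    for label, html in (("logged in", LOGGED_IN_HTML), ("logged out", LOGGED_OUT_HTML)):
        print(label, "exposed:", find_exposed_emails(extract_config(html)))
    print("redacted user:", redact_config(extract_config(LOGGED_IN_HTML), b"server-side-secret")["user"])
```

Run against the logged-in sample it reports `user.email` as exposed; against the logged-out sample it reports nothing, which matches the post's observation that the address appears only once the browser is associated with an account. Note that the redacted form still carries the stable `anonymousId`, so it stops the address leaking but does not by itself stop cross-page tracking.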

A quick DuckDuckGo search did not reveal any posts on the subject. Some rhapsodize about tracking pixels, but not about your email address being visible in the source code. So why does it take a mad orientalist[1] to notice this? Anyone can right-click the page, view source, and search for keywords. The terms “confidence game” and “con man” grew out of 19th-century New York City, and on the other side of the continent, people are playing the same old game.

[1] I have a diploma that says “orientalist” and I don’t have a mens sana in corpore sano right now.
