Tag Archives: substack

Substack Transmits User Email Addresses in Plain Text

04 Sunday Apr 2021

Posted by in Modern

Leave a comment

Tags

, , , ,

the landing page for Brad Delong's Substack newsletter
Apparently Substack encourages open discussion threads once a week or month. This has been a common way of encouraging engagement with ‘chatty’ blogs for at least a decade, whether they are hosted by Substack or Blogger

At first I thought substack were just good self-promoters. They managed to convince people to lend them more than $80 million to launch a blog platform with 2010s aesthetics. Most blog platforms will deliver posts by RSS or email if you sign up, and paid and unpaid newsletters go back to the 19th century. Getting people with too much money to give you some is harmless, and convincing people to read and write blogs is good. But then @22@octodon.social suggested I should look at their source code and I saw something as beautiful as the tale of Emperor Norton of the United States.

If you right-click a Substack page and click ‘view source,’ you will see some sections for tracking pixels. These are tiny transparent images which uniquely identify the copy of an email or a webpage sent to a specific person. They are one of the ways sites track you around the web and after you sign out, which is why its a good idea to block HTML and images in your email client. But these images have some metadata attached, and that metadata appears in the text of the page.

<script>window._analyticsConfig = {"user":null,"properties":{"subdomain":"braddelong","publication_id":47874,"has_plans":true,"pub_community_enabled":true,"parent_publication_id":null,"parent_publication_subdomain":null,"is_parent_publication":false,"is_subscribed":false,"is_free_subscribed":false,"is_author":false,"is_contributor":false,"is_admin":false},"optimizelySdkKey":"5kEkU44ABjPW9geWS8dGD"}</script>
        https://cdn.substack.com/min/main.bundle.js?v=12ce06-17894e63490

        <!-- Fallback tracking pixels -->

If you signed up in this browser, or arrived in this window from one of their emails, the user field is filled in with something like:

{"id":12345678, "name":null,"email":"notmyrealaddress+somesubstack@protonmail.com"}, "anonymousId":"abcdefgh-ijkl-mnop-qrst-uvwxyz123456"}

if you were not using HTTPS, anyone between you and your server can see which page and which newsletter someone with your email address and username was visiting. And if you submit the page to the Wayback Machine, your address and other personal information will be archived for posterity. If you use substack and comment on one of those discussion threads, will the email addresses and usernames of everyone who comments be archived? They have fields for Facebook and Google tracking IDs, so anyone who has access to those (and the aspects of your identity they reveal) can search for them. For example, if a cracker wanted to spear phish you, he could use this to send an email that looks like an update from one of your newsletters with a link you really should not click on or attachment you really should not open. The same ID is attached to Substack pages which you did not subscribe to, as long as you have not cleared your history since the last time you subscribed, logged in, or clicked a link in one of their newsletters.

The hilarious thing is that Substack is aware of the undergraduate computer science concept of running user information through a hash function to get an anonymous unique ID and using that in public. Just look at that anonymousId field! A company which just got given $65 million to promote a blog platform is making an elementary security and privacy error. And they are far from the only Southern California software company which does not seem to be very good at developing software (just look at Patreon, if you can bear to load one of their pages!) As I said a year ago, the adults in the room are not, they are just the latest generation of smooth talkers using fancy words and the right dress and deportment to convince rich people to give them money to build a beautiful dream.

A quick duck-duck-go did not reveal any posts on the subject. Some rhapsodize about tracking pixels, but not that your email address is visible in the source code. So why does it take a mad orientalist[1] to notice this? Anyone can right click the page and view source and search for keywords. The terms “confidence game” and “con man” grew out of 19th century New York City, and on the other side of the continent, people are playing the same old game.

[1] I have a diploma that says “orientalist” and I don’t have a mens sana in corpore sano right now.