Privacy alert: Twitter disclosed email addresses when people sent DMs (UPDATED)

UPDATE, 3 p.m. Pacific time: Twitter appears to have fixed the bug, and DMs from before June 11 do not appear to be affected.  But anybody you sent a DM to between June 11 and June 18 now has the email address you’re using on your Twitter account.

FYI – when you send a DM, the receiver CAN SEE YOUR EMAIL ADDRESS from the DM sent via email. BE AWARE!!! @twitter #security #fail

– ChicagoBungalow about 18 hours ago on Twitter

For those who aren’t on Twitter, a DM is a “direct message”, twitterspeak for a private message between two people.  When you receive a DM, Twitter notifies you via email.  And sure enough, just as ChicagoBungalow said, if I send you a DM, if you look at the email header information, you’ll see that the “Sender” field has an address like

twitter-dm-jon_pincus=yahoo.com@postmaster.twitter.com

This field is hidden by default — in gmail, you need to select “Show original” to see it — but once you find it, it doesn’t take a rocket scientist to figure out what yahoo.com account name I used to sign up on Twitter.

If I want somebody to have my email address, I’ll send it to them.  I don’t want Twitter giving it out for me. And most especially, I don’t want Twitter doing it behind my back.

jon

PS: I updated this post several times to clarify the description; thanks to all for the feedback, and @NiteStar for the gmail instructions.

Tags: , , ,

15 Responses to “Privacy alert: Twitter disclosed email addresses when people sent DMs (UPDATED)”

  1. OK, I don’t really see this as being much of a problem (other than the fact that you put your own e-mail info in here…).

    Here’s the thing. Twitter is sending YOU this DM because you’ve received a DM. It’s NOT sending the e-mail address or including the e-mail address of the person who’s sending you the DM.

    So the only way for someone to garner your e-mail address from this e-mail would be if you were to forward the e-mail, unedited, with headers and all, to someone else. THEN, they would have your e-mail. Of course, if you’re forwarding the e-mail to someone in the first place, they’ll get your e-mail anyway.

    So I don’t really see this as being much of a problem.

    And for the record, I checked a bunch of these DM-notification e-mails that Twitter has sent to me (I’ve gotten quite a few) and the ONLY e-mail that I’ve ever seen in them is MY OWN, which is fine with me, because I gave it to Twitter in the first place.

    @NiteStar

    • JonPincus says:

      Thanks for the feedback, Peter. My description of the problem in the main post was kind of confusing, and so I’ve rewritten it to clarify. There are two different fields in the mail header: “From” and “Sender”. When somebody sends me a DM, their email address is in the Sender field. Maybe you’re not seeing this in the DM’s you’ve gotten, but I certainly am.

  2. omjane says:

    Could you provide a screen capture… Im not seeing it. In both the From and Sender, Im seeing my own email… and I dont DM myself.

  3. No, I see it now. However, as I’ve tweeted, the “SENDER” field is only displayed when I ask GMail to show the original e-mail (which is does as plain-text and shows ALL header information). Even clicking on “show details” in Gmail doesn’t display the “SENDER” field.

    I would presume that most other webmail applications also behave in a similar fashion. I just created some test accounts using some of my lesser-used e-mail addresses.

    In Yahoo Mail, one has to select “Full Header” from a drop-down list. Like Gmail, this option is not available by default and one must manually select it for each message.

    The same is true of my ISP’s webmail service.

    I haven’t used a stand-alone e-mail application (Thunderbird would be my choice) in ages, so I’m not certain if one can choose having all/full header information displayed as a default.

    While this is a potential security risk, there are two additional thoughts that I have:

    1) Don’t DM anyone you don’t trust.

    2) Before you brought this to light, I wonder how many people knew that this information was available in the e-mails that Twitter sends when notifying you of a DM from someone (not that it’s an excuse and not that it doesn’t need to be fixed).

    Also, given the history of the “SENDER” field in e-mails and its intended purpose (I remember the days when I would manually combat SPAM, when it was actually possible to do so, by forwarding e-mails to the postmaster of a domain, and having to research the “SENDER” field as opposed to the “FROM” field…ugh).

    In other words, the “SENDER” field isn’t well-known, and it’s mostly something that people who are highly technical would know about, and only those such individuals would think to even look there.

    So while it IS a privacy issue, I don’t see it as a huge one. But, it should be resolved/fixed by Twitter. :)

  4. Kara Harkins says:

    Actually, showing the full header is quite common among security folks and techies. Akin to the fact that my default setting for email clients is to show me the message as raw text.

  5. Kevin says:

    I am looking at a DM sent to me from the First Lady of Gadg Suzi Perry no less.

    Now while i dont particularly want to extract her email address from the email Twitter sent, i thought id see what you guys are talking about (for when i send DM’s).

    I have selected “Show Original” from gmails menu, and looking through every single one of the Email addresses in there are my own. and there’s about 10 of them.

    Either this has been fix, or was never broken

  6. Kevin says:

    While what i said above is correct for the DM’s recieved up until 28 May, one i received today did contain the senders address. So this is something that they added!

    • JonPincus says:

      Good detective work, Kevin! Looking at thel DMs in my email, it seems like the functionality got changed sometime on June 11. Is that what others are seeing?

      .

  7. Don Gilmore says:

    I just checked several received direct messages dated 6/12, 6/13, 6/16. No problem. No leakage of the sender’s email.

    • Don Gilmore says:

      OK, verified leak. In gmail, must choose “show original” from hidden drop-down menu right of “reply” button.

  8. Don Gilmore says:

    No problem here. I have now gone through about 20 received direct messages starting early May and ending today. No leakage here. Dates include 5/6, 5/16, 5/22, 5/26, 5/27, 5/28, 5/29, 6/8, 6/12, 6/13, 6/16.

    • JonPincus says:

      Thanks for the feedback, Dan … interesting. Are you seeing your own address in the “Sender” header field? Or is the field absent?

      jon

    • Don Gilmore says:

      Repeat: OK, verified leak. In gmail, must choose “show original” from hidden drop-down menu right of “reply” button.

  9. Greg P. says:

    In hotmail, I didn’t have to select anything – it was showing the sender’s header when I opened the mail. As noted, that is no longer the case this afternoon.

    I checked back to June 13th and was still seeing the sender’s email. Then I ran out of trashed DMs.

    I don’t know what the connection would be, but the so called Twitpocolypse was on June 12th. While that was mostly an issue with 3rd party apps… maybe there was some fiddling with code in the runup?

  10. [...] View post:  Privacy alert: Twitter disclosed email addresses when people sent … [...]

Leave a Reply