Less than a month after launch, the mobile-only streaming platform Quibi has discovered that its email verification process for new accounts leaked data to multiple third-party advertising and analytics companies, including Facebook and Google.
The Verge reports that Quibi verified new users’ email addresses through a process that sent those addresses to multiple third-party advertising and analytics companies, including Google, Facebook, and Twitter, citing a recent investigation.
According to the investigation, when new users signed up to Quibi they received an email containing a verification link. Clicking it opened a page whose URL contained their email address, and the third-party tags loaded on that page passed the address on in plain text to multiple other companies. Quibi was one of several companies called out by Zach Edwards of the digital strategy firm Victory Medium in his report.
JetBlue, Wish, and the Washington Post were also found to be leaking users’ email addresses, but Edwards focused on Quibi because the service launched less than a month ago, well after privacy rules such as Europe’s GDPR and the California Consumer Privacy Act took effect.
In a statement to Variety, Quibi claims to have fixed the issue raised in the report and stated: “The moment the issue on our web page was revealed to our security and engineering team, we fixed it immediately. Data protection is essential to Quibi and the security of user information is of the highest priority.”
Edwards, however, believes that it is unlikely that Quibi was not aware of the issue, stating: “It’s an extremely disrespectful decision to purposefully leak all new user emails to your advertising partners, and there’s almost no way that numerous people at Quibi were not only aware of this plan, but helped to architect this user data breach. In 2020, no new technology organizations should be launching that leaks all new user-confirmed emails to advertising and analytics companies.”
Below is the full list of places that Edwards says Quibi was sending email addresses in plain text:
1) Google’s DoubleClick.net endpoint
2) Google’s updated ads endpoint @ google.com
3) Google Tag Manager (and therefore potentially custom tags could fire for specific visitors/geos/URL params, thus leaking this to more companies)
4) Twitter ads endpoint
5) Snapchat ads endpoint & the tr.Snapchat.com subdomain
6) Google Cloud infrastructure via cloudfunctions.net
7) CivicComputing.com, which redirects to https://www.civicuk.com/ and appears to be a company based in the United Kingdom. This raises big GDPR red flags.
8) Facebook events / custom audiences for ads
9) Google ads conversion pixel
10) Twitter ads conversion pixel
11) Google Analytics
12) Facebook analytics, Google Analytics, Twitter analytics (they fire at the end of the page load again)
Read Edwards’ full report on Medium.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or contact via secure email at the address email@example.com