Quibi has been found sending users’ emails to third party ad firms like Google, Facebook, and Twitter. When new user signup on their platform, a verification link will be sent to the user’s email address, following this, the email address is found to be shared with other companies.
Zach Edwards wrote his finding in a Medium post and he claims other popular websites like The Washington Post, Mandrill, JetBlue, etc is also doing the same.
Quibi officials said that it has fixed the issue. The company also further added that they were not aware of the same and has revealed the same to their security and engineering team.
Quibi says, “Data protection is essential to Quibi and the security of user information is of the highest priority.”
Edwards also quotes that it is unlikely that Quibi is not aware of this. In the Medium post, he also added that the emails were still being leaked as on April 26th.
Quibi is an American short-form mobile video platform available for both Android as well as iOS. It was launched just a month before and after Europe’s GDPR and California Consumer Privacy Act went into effect.
Here are the third party companies to which Quibi is found sharing users’ email addresses.
- Google’s DoubleClick.net endpoint
- Google’s updated ads endpoint @ google.com
- Google Tag Manager (and therefore potentially custom tags could fire for specific visitors/geos/URL params, thus leaking this to more companies)
- Twitter ads endpoint
- Snapchat ads endpoint & the tr.Snapchat.com subdomain
- Google Cloud infrastructure via cloudfunctions.net
- Facebook events / custom audiences for ads
- Google ads conversion pixel
- Twitter ads conversion pixel
- Google Analytics
- Facebook analytics, Google Analytics, Twitter analytics
Source: The Verge