Ask HN: Am I paranoid or is Mailchimp lax about API security?

10 points

16 years ago

I'm using Mailchimp's API and found that the api key is transmitted over HTTP for many accounts. For example, the accounts that use the WordPress plugin Mailchimp distributes.

The api key gives you access to all mailing lists in that account.

I mentioned this to Mailchimp as a security concern, but their representative didn't seem worried.

I'll be using SSL, however am I being paranoid, is this just not something to lose sleep over?

For more background, here's the discussion I had with Mailchimp support: http://groups.google.com/group/mailchimp-api-discuss/browse_thread/thread/a868a0f48e309930/7886904dd01ad640

6 comments