Tell HN: Nextdns.io, a “privacy” company, leaks users' email and violates GDPR

14 points

6 years ago

Dearest HN community, I am reporting today a leakage of users' email addresses on the nextdns.io website.

When you sign up for an account, a POST request is made to a website called "intercom.io", it also sets cookies in your browser, a GDPR violation as no consent was provided. This can still be done as of the creation of this post, so you can see the violation of the GDPR for yourself.

If you study the request using dev tools, you will see the following is sent (among others):

URL: https://api-iam.intercom.io/messenger/web/ping

Data sent to their server:

user_data: {"email":"[email protected]"} - this is your email

page_title: Setup - My First Configuration - NextDNS

referer: https://my.nextdns.io/[url]/setup

When disclosing this issue, one of the founders sent me this URL:

https://www.reddit.com/r/nextdns/comments/jayc69/googleanalytics_scripts_running_on_the_homepage/

In the sticky reply, it suggests they've known about this leakage for at least a few weeks, if not longer.

Here's NextDNS privacy policy:

https://nextdns.io/privacy

"We do not (and will never) sell, license, sub-license or share any of the data submitted directly or indirectly by our users with any person or entity."

Lol. That was clearly a pack of lies then, wasn't it?

Here's intercom's privacy policy (note point 4 and who they share NextDNS users' emails with):

https://www.intercom.com/legal/privacy

That is all.

(P.S I did disclose this to them first, I did ask for a bounty, considered standard procedure for reporting such issues, and the co-founder didn't seem to understand how/why this is an issue, so I am letting the HN community decide instead).

2 comments