Support » Plugin: SendinBlue Subscribe Form And WP SMTP » Beware. They track password emails.

  • While using the SendinBlue SMTP feature, they change all email links to pass through their servers… including emails related to passwords, like the common email after registering, which gives a link to set a new password.

    If an admin user asks to reset their password, for example, this plugin will have access to the URL which will allow them to change the admin password.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author SendinBlue

    (@neeraj_slit)

    Hey Bruno — I can certainly appreciate your concern for security involving SMTP emails. Responding to your comment above, while Sendinblue uses redirect links in our SMTP emails that enable our users to track email engagement, we do not store the final URL on our servers. This is standard practice for all email marketing providers.

    To give you a bit more detail: the redirect URL is set up to ping our servers when a recipient clicks on this link so that we can inform our user that someone clicked their email link. After, the clicker is redirected to the proper final URL, which is encrypted in the original redirect link and decrypted during the redirect process to send the clicker to the proper final destination.

    First, thanks for the answer.

    I understand how tracking in email marketing services works, but I can’t agree with that. As you said, it’s not stored on your servers, but once a user clicks on the URL it will go first to your server, and only then to the proper website.

    There is simply no reason to do any kind of tracking in URLs that should be completely private. A simple rule to avoid any URL related to passwords would fix that.

    At minimum, your plugin should let users know that when using the SMTP feature, administrative links with private information will pass through SendinBlue servers.
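The rule proposed in the reply above (keep password-related URLs out of click tracking), sketched as an added example that is not SendinBlue's code and not part of the original thread. The tracker host `tracker.example`, the `?u=` redirect format and the parameter names are assumptions, and plain percent-encoding stands in for the encryption the plugin author describes.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Assumed markers of a credential-bearing link. WordPress password-reset links
# look like wp-login.php?action=rp&key=...&login=...; the other names are
# illustrative and should be tuned per site.
SENSITIVE_ACTIONS = {"rp", "resetpass"}
SENSITIVE_PARAMS = {"key", "token", "reset_key", "activation_key"}

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def is_sensitive(url):
    """Return True when the URL carries a secret that can set or reset a password."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    query = {name.lower(): values for name, values in raw.items()}
    actions = {value.lower() for value in query.get("action", [])}
    return bool(query.keys() & SENSITIVE_PARAMS) or bool(actions & SENSITIVE_ACTIONS)


def rewrite_links(html_body, tracker_base):
    """Wrap links in a tracking redirect, leaving sensitive links untouched.

    Returns (new_body, skipped) so the sender can log which links were exempted.
    """
    skipped = []

    def replace(match):
        url = html.unescape(match.group(1))  # hrefs in HTML mail use &amp;
        if is_sensitive(url):
            skipped.append(url)
            return match.group(0)  # exact original attribute, no third-party hop
        tracked = tracker_base + "?u=" + quote(url, safe="")
        return 'href="' + html.escape(tracked, quote=True) + '"'

    return HREF_RE.sub(replace, html_body), skipped


# Constructed sample mail body: one reset link, one ordinary link.
RESET_HREF = "https://blog.example/wp-login.php?action=rp&amp;key=CONSTRUCTEDKEY&amp;login=admin"
SAMPLE = ('<p><a href="' + RESET_HREF + '">Set password</a></p>'
          '<p><a href="https://blog.example/news/">Latest news</a></p>')

if __name__ == "__main__":
    body, exempt = rewrite_links(SAMPLE, "https://tracker.example/r")
    print(body)
    print("exempted:", exempt)
```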
