Skip to content

Eventbrite leaking organiser personal email addresses?

One of the societies I belong to at my University is putting on an event next week, and is using Eventbrite to handle registration. They shared a link to the Eventbrite page on Facebook, and I went to register my ticket. However, something interesting happened.

eventbrite

The name and email fields were already populated, and not with my information from last time I used Eventbrite. I looked this person up on Facebook via the details provided, and found that they’re on the exec for the society, so I assume they are the one that has created the Eventbrite event. As Eventbrite only holds your ticket for a short time before returning it to the available pool if you don’t book it, I let it time out. This took me back to the event registration page, from which I proceeded to the ticket booking page again. This time however, no fields were already populated. Going tback to Facebook and clicking back to the event that way caused the details to be repopulated in the fields upon my next attempt at booking. I compared the URLs for the ticket registration page both times, and they are the same (bar orderid being different, as expected). The URL for the event page that seems to spawn the pre-filled fields has quite a bit of additional information compared to the non pre-filling one.

Pre-filled: https://www.eventbrite.co.uk/e/event-name?ref=enivte001&invite=XXX&utm_source=eb_email&utm_medium=email&utm_campaign=invitemodernv2&utm_term=attend

Not pre-filled: https://www.eventbrite.co.uk/e/event-name?err=29

The difference in URLs seems to be down to the referral path. Clearing cookies after clicking the initial link (before proceeding to the ticket booking page) does not prevent the pre-population, and indeed the details do not seem to be present in the contents of any cookies. I’m not really sure what’s going on here, but it seems that it could be a potential problem for event organisers! It’s worth noting that the email does not seem to appear elsewhere on the Eventbrite page, with Eventbrite having a method for people to event organisers to be contacted via a web form.

Published inInformation Security

Be First to Comment

Leave a Reply

Your email address will not be published.