Ability to remove new "Unsubscribe" link from mail notifications

Okay. So my bigger question now becomes – if there are scripts/tokens in place to keep Webflow sites from being detected by bots, could that be impacting SEO of all Webflow sites? There have been a few comments about newer sites not registering for long periods of time (yes, I know a number of factors go into SEO). Also, I think there have been a couple of reports of sites slipping in rank.

Hi @Revolution, @jdesign, @Mike, what @brryant meant by

This is not possible - there is a special token in the unsubscribe link to ensure this cannot be done by scripts, or malicious parties. You can see the token in the URL of the unsub link and try to unsubscribe yourself from another site’s form.

A user can find a Webflow site using a bot, just as they could find a WordPress or Squarespace or Wix site, but if a user tries to unsubscribe from a different site’s form unsubscribe link, the unsubscribe would be unsuccessful as the unsubscribe tokens do not match.

I understand your point about the workflow @Mike, on the steps 1-6, I am checking that out.

@Mike @cyberdave @jdesign @Revolution
I don’t think the tokenisation is in question @cyberdave, rather how many people could fall prey to this.
On scraping, out of those 57,000~ sites maybe 10% will forget to strip it and reply with their unsubscribe link (this thread currently only has 2.6k views, so this isn’t a widely known issue) and wham, there’s 5,700~ people unsubscribed. As mentioned many times, double opt-in / notification confirmation emails would improve this.
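The two ideas discussed above, a link token bound to one site and a confirmation step so that a forwarded link cannot unsubscribe anyone by itself, as an added example that is not part of any post in this thread and is not Webflow's code. The key, identifiers, addresses and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"constructed-demo-key"   # assumption: secret known only to the server
CONFIRM_TTL = 3600                     # assumption: confirmation code valid for 1 hour

# Constructed sample data: subscription id -> (site id, notification address).
SUBSCRIPTIONS = {"sub-1": ("site-a", "owner@site-a.example")}
UNSUBSCRIBED = set()
PENDING = {}   # confirmation code -> (subscription id, expiry time)
OUTBOX = []    # (recipient, confirmation code), standing in for sent mail


def link_token(site_id, sub_id):
    """Token placed in the unsubscribe URL, bound to one site and one subscription."""
    msg = f"{site_id}\n{sub_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def request_unsubscribe(site_id, sub_id, token, now=None):
    """Handle a click on the link. A valid click never unsubscribes by itself."""
    now = time.time() if now is None else now
    record = SUBSCRIPTIONS.get(sub_id)
    expected = link_token(site_id, sub_id).encode()
    supplied = str(token).encode()
    if record is None or record[0] != site_id:
        return "rejected"
    if not hmac.compare_digest(expected, supplied):   # constant-time comparison
        return "rejected"
    code = secrets.token_urlsafe(16)
    PENDING[code] = (sub_id, now + CONFIRM_TTL)
    OUTBOX.append((record[1], code))   # sent only to the subscribed mailbox
    return "confirmation_sent"


def confirm_unsubscribe(code, now=None):
    """Second step: only someone reading the subscribed mailbox holds the code."""
    now = time.time() if now is None else now
    sub_id, expires = PENDING.pop(code, (None, 0))    # codes are single use
    if sub_id is None or now > expires:
        return "rejected"
    UNSUBSCRIBED.add(sub_id)
    return "unsubscribed"
```

Someone who receives a forwarded notification can still click the link, but the click only triggers a confirmation message to the subscribed address, so the subscription stays active unless the mailbox owner confirms.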

Thanks @pxljoy, I understand, I am checking through that. Thanks for your input.

Thank you @cyberdave for taking the time to investigate and understand the issue properly.

@pxljoy is 100% accurate in their interpretation regarding tokenization and the scale of risk in the implementation’s present form.

For those reading this thread entirely for the very first time, it should be noted that when this thread was started, the initial unsubscribe script that was pushed live did unfortunately contain the raw email address in the unsubscribe URL. Thankfully that at least has been resolved by the tokenisation implementation now, but explains why the posts have varied in topic as the goal posts have steadily changed throughout this thread.

Please let us know your findings and resolutions @cyberdave after checking through.

Once this is all over, please do also consider my ideas for a private security forum area / dedicated security team contact / bug bounty or whatever is necessary, alongside a more rigorously verified release approval process. As you guys all know, Webflow is steadily becoming a very large player and both the current and initial releases of this unsubscribe implementation could have hurt you and your users’ reputation a lot worse than thankfully it has currently. Fingers crossed there’s a quick fix.

1 Like

@brryant So how would a site owner be alerted if forms were not being delivered initially? You mentioned the delivery rate was improved, so is there a mechanism for site owners to know when a form wasn’t delivered? If so, that’s better than I get with some WP plugins.

1 Like

Any progress on this issue? Will go back to WordPress if this is not fixed soon. It is a way bigger issue than Webflow says it is.

3 Likes

Is there any news?
For us it would be OK if the unsubscribe was translatable and the unsubscribe would go to the website’s URL, not the Webflow URL. Because now it’s not really white-labeled.

Thx!

1 Like

I’m very glad but extremely sad that I’ve stumbled on this issue.

White Label URL
Correct me if wrong, but does Webflow not own webforms.io? - Maybe using this domain would be a bit more inconspicuous.

Unsubscribe Link
Adding fuel: Add a double opt-out.

:no_good_man:t5:

1 Like

“to protect my years of investment of design, copywriting and marketing skills that can’t be replicated as easy as people think just by using a ‘do it yourself’ website tool.” Exactly!

1 Like

Exactly!!!

1 Like

Hi @samliew, @derrick.dk, @cyberdave, @jdesign, @StuM, @brryant, @pxljoy, @Revolution, here is the link to a thread in the wishlist. Vote for it, so the Webflow team finally recognizes how important this is (I have the feeling they are prioritizing “nice to have” things over this massive issue!). Hope so badly this gets fixed asap. All the best to you so far.

1 Like

So two months later. This issue arises with a client. Is the decision by Webflow @brryant to leave this the way it is?

2 Likes

Yeah, can we remove this :S

Clients don’t like it, it’s a scary thought

2 Likes

I would also like a resolution to this issue and to hear the results of @cyberdave’s mentioned investigation. I feel there has been a vast amount of patience offered here but no reciprocating movement.

If I’m not mistaken, I also thought much of the original justification for this integration was connected to non-Webflow hosted sites being used for mass spamming. Seeing as forms functionality is being removed from non-hosted sites due to GDPR compliance, I no longer see any justifiable need whatsoever for this link to be required (and didn’t originally, had a double opt-in been used).

While I appreciate the time that @derrick.dk put into setting up a wishlist item for this, personally I refuse to vote out of principle that a security hole and integration that disregards white-label customers should not have to be resolved by popular vote. It should have never been an issue in the beginning and should have certainly been rectified a long time ago.

5 Likes

Late to find out about this as well. How has this not been, at the very least, redirected to webforms.io yet?!

Does it seem like a big issue? :man_shrugging:

I’ve got a client who just got unsubscribed from their own form notifications.

The kicker is that adding her email address back onto the form notifications is having no effect.

This needs to be addressed.

@callmevlad

This was what I was worried about all along, but no heed was taken :cry:

@Cricitem @samliew Yep, precisely why we raised it over 9 months ago. I have to check my clients’ settings every week to ensure they are not unsubscribed. Clients who also pay for things like Adwords would be infuriated to suddenly be losing those leads. And that’s just the tip of the iceberg!