Streaming live at 10am (PST)

Ability to remove new "Unsubscribe" link from mail notifications

I’m trying my best to stay professional but the way this is being handled has to be one of the biggest embarrassments I have seen in a very long time. I would be laughing if it wasn’t affecting my own business. This post has now been seen 2.6 thousand times to date and continues to grow by the day as both a PR nightmare, a stark warning to our clients who are researching webflow after their developers suggested it and an enormous security risk.

@brryant Unfortunately. it is very clear to me you have absolutely no idea what the issue is, and more importantly, that you, nor anybody else at webflow has been concerned enough about a security report to take a few minutes to reach out directly (off this forum) to any and all of us that have reported this as a security issue to understand the nature and scale of the problem and to thoroughly investigate if an issue does exist or not, as any security report should be.

@cyberdave @brryant
Here is the actual sequence of events:

  1. Paying webflow web developer that pays for your white label solution wants to make the customer contact process easy for their clients

  2. They go into the form settings and copy and paste the suggested {{ Name }} < {{ Email }} > shortcode in the form settings box so that their client who doesn’t necessarily understand can click reply when they receive a new contact form message from a website visitor in their Outlook inbox

  3. The developor enters their client’s email address (the business owner the website is for) in the send to field, so the client can receive emails privately without their business information needing to route through us.

  4. They publish the site on behalf of the client thinking they are safely basing their form’s infrastructure on a security oriented solution which is why they pay for webflow in the first place.

  5. Website visitor Dave visits the pretty website and wants to get in touch with the company using the following details

Dave Tester
Hello - I love your products, how can I buy one?

  1. Message arrives in the client’s inbox in Outlook

The client wants to respond to Dave so they quite logically click reply and send Dave an email.

  1. Dave tester was only messing around. He wasn’t really interested in the client’s products and services. He had actually discovered a hilariously embarrassing security hole in webflow that he can find any webflow-based site on the internet with a simple bot script and send spam contact form messages (it’s much more of a concern in this direction than what you guys are worried about) and then unsubscribe the client from their own website to absolutely any client that replies to them.

  2. And finally just to pour more salt in the wound afterwards Dave Tester then sends an email to the website designer asking why the unsubscribe link goes to when they are paying a lot of money for a white labelled solution.

I honestly cannot believe with all the brain power that exists here no-one at webflow can seem to comprehend, let alone fix this genuinely serious issue. Of course Dave Tester doesn’t need to be a hacker, he might just be a legitamite user that realises he didn’t want to hear about the company’s products afterall.

Until webflow get’s its act together (which I pray happens immediately now this is explicitly clear) there are a few temporary fixes:

  1. Handle all the email as an intermediary (ridiculous and non-client sensitive)
  2. Do not use the sender email address in the from field under form settings so any submitted form cannot be directly replied to (clients think this is ridiculous and in my experience frequently don’t understand how to write back or forget that they should only copy and paste part of the email - specifically when using a mobile email client). Some clients simply don’t understand copy and paste.
  3. Look at yet another 3rd party piece of software to handle basic functionality that webflow customers are already paying for such as formstack, formsite, etc.

I’m not going to waste my breath creating a wishlist item for a security suggestion as it should be instinctive but I honestly think this highlights more than ever why webflow should have a dedicated security telephone contact/private forum area exclusively for paying customers so we don’t have to advertise to the world and potentially future clients these sorts of issues.

If I’ve overlooked absolutely anything in the above process flow I truely and sincerely apologise, but my gut feel and testing suggests I haven’t.

@samliew @Revolution @pxljoy @jdesign @StuM

1 Like

@callmevlad @cyberdave @thesergie @brryant @Waldo @PixelGeek @Andrew @Brando

Hi @Mike, definitely here to help, thanks for sharing, and I’d like to clarify a few things:

he can find any webflow-based site on the internet with a simple bot script

This is not possible - there is a special token in the unsubscribe link to unsure this cannot be done by scripts, or malicious parties. You can see the token in the URL of the unsub link and try to unsubscribe yourself from another site’s form.

and then unsubscribe the client and developer from their own website to absolutely any client that replies to them.

This is also not the case. The “developer” (I’m going to assume it’s you) will never be unsubscribed from these form notifications, as they are the owner of the site. If the owner of the site is also a recipient of the form as set in the form settings of the dashboard, he/she may also be unsubscribed from the link. However important site updates (like the email we fire when a unsubscribe action is fired where you, the owner is BCC’ed) will always go through, and you won’t miss a beat.

We’re trying our best to balance following SPAM rules and catering to freelancers’ use cases. It’s a bit of a conundrum as we’re trying to unsure the highest delivery rates possible for these emails by following SPAM rules, and making sure our freelance customers that have clients are satisfied.

Just for context, since we launched this, we have had 634 unsubscribes from this link, which has improved our email delivery rate. This was the intended effect, and we apologize for not communicating how this all worked earlier on for freelance use cases.

For those that are interested in other form providers, we recomend WuFoo. They’re a reputable form provider and prices start at $19/month. (caveat: they also have the unsubscribe link at the bottom of their form notification emails)

Thanks for your reply @brryant

Firstly it’s incredibly easy to find sites built on webflow by bot script: is a white-hat example. You can even just pay them to get a list of 57,500 sites on webflow to test this on.

Secondly, I have edited my original post to remove the mention of unsubscribing the developer as although the issue does also extend to the developer if they are listed in the send to field alongside the clients, I will accept that hopefully the developer knows better than to reply to a form without deleting the unsubscribe link first. Everything else in my report I believe to be unarguably factual, so I have left it in place for others to test / report on for themselves.

To check once again that none of this is factually inaccurate I literally just set up a brand new blank site from scratch with only three changes that I would like you to replicate:
a) Insert a basic form with a name, email and message box
Go to site settings and chose:
b) Send form submissions to: (1st test email address)
c) Reply to address: {{ Name }} < {{ Email }} >

  1. Publish the site, navigate to it and type in:
    Name: Dave Test
    email: (2nd test email address)
    message: hello

  2. Open Outlook or other mail client using the client test email account and open the new message from Dave Test. Then hit reply in your mail client (which replies to Dave directly due to the form {{ Name }} < {{ Email }} > settings

  3. Check Dave’s (visitor test) email, click the unsubscribe link and sure enough you’re taken to a webflow page that says:
    Unsubscribe from (Form Test) form submission emails
    Email address: (because obviously, it’s the original tokenized link that was sent to the client!)

  4. Client is successfully unsubscribed (literally their email is removed from the form settings “send form submission settings to”) causing an automatic email to be triggered to the client and developer that the client has been unsubscribed

  5. Client no longer receives any business communication

The question is since you launched this, how many of the 634 unsubscribes actually did it themselves and how many realise they aren’t getting their business communications any longer? Can you honestly hand on heart give an answer to this question that you’re 100% sure of? It’s absolutely frightening.

Please don’t reply at all until you have physically repeated the steps I’ve just laid out so you can understand why I and others are so concerned. If you have done this already and still believe there’s no issue then I’m not sure what to say beyond the fact that webflow and its corporate culture isn’t based on the business-ready, secure, reliable, “hands-off”, developer platform I thought it was.

As to complying with spam rules, as many others have said over and over already, an industry standard double opt-in with a mention of the developer contact details in the email footer sorts out the issue entirely. Why make it so difficult?

1 Like

just wanted to add…

  • @Mike is correct about being able to access a list of Webflow websites.

I’ve got my own script that I wrote.

Okay. So my bigger question now becomes – if there are scripts/tokens in place to keep Webflow sites from being detected by bots could that be impacting SEO of all Webflow sites? There have been a a few comments about newer sites not registering for long periods of time (yes, I know a number of factors go into SEO) also I think there have been a couple reports of sites slipping in rank.

Hi @Revolution, @jdesign, @Mike, what @brryant mean’t by

This is not possible - there is a special token in the unsubscribe link to unsure this cannot be done by scripts, or malicious parties. You can see the token in the URL of the unsub link and try to unsubscribe yourself from another site’s form.

A user can find a Webflow site using a bot, just as they could find a Wordpress or Squarespace or Wix site, but if a user tries to unsubscribe from a different site form unsubscibe link, the unsubscribe would be unsuccessful as the unsubscribe tokens do not match.

I understand your point about the workflow @Mike, on the steps 1-6, I am checking that out.

@Mike @cyberdave @jdesign @Revolution
I don’t think the tokenisation is in question @cyberdave, rather how many people could fall prey to this.
On scraping, out of those 57,000~ sites maybe 10% will forget to strip it and reply with their unsubscribe link (this thread currently only has 2.6k views, so this isn’t a widely known issue) and wham, there’s 5,700~ people unsubscribed. As mentioned many times, double opt-in / notification confirmation emails would improve this.

Thanks @pxljoy, I understand, I am checking through that. Thanks for your input.

Thank you @cyberdave for taking the time to investigate and understand the issue properly.

@pxljoy is 100% accurate in their interpretation regarding tokenization and the scale of risk in the implementation’s present form.

For those reading this thread entirely for the very first time, it should be noted that when this thread was started, the initial unsubscribe script that was pushed live did unfortunately contain the raw email address in the unsubscribe URL. Thankfully that at least has been resolved by the tokenisation implementation now, but explains why the posts have varied in topic as the goal posts have steadily changed throughout this thread.

Please let us know your findings and resolutions @cyberdave after checking through.

Once this is all over, please do also consider my ideas for a private security forum area / dedicated security team contact / bug bounty or whatever is necessary, alongside a more rigorously verified release approval process. As you guys all know webflow is steadily becoming a very large player and both the current and initial releases of this unsubscribe implementation could have hurt you and your user’s reputation a lot worse than thankfully it has currently. Finger’s crossed there’s a quick fix.

1 Like

@brryant So how would a site owner be alerted if forms were not being delivered initially. You mentioned the delivery rate was improved so is there a mechanism for site owners to know when a form wasn’t delivered? If so that’s better than I get with some WP plugins.

1 Like

Any progress on this issue? Will go back to wordpress if this is not fixed soon. It is a way bigger issue than Webflow says it is.


Is there any news?
for us it would be ok if the unsubscribe was translateble and the unsubscribe would go to the websites URL not the webflow url. Because now it’s not realy whitelabeled.


1 Like

I’m very glad but extremely sad that I’ve stumbled on this issue.

White Label URL
Correct me if wrong, but does webflow not own - Maybe using this domain would be a bit more inconspicuous.

Unsubscribe Link
Adding fuel: Add a double opt-out.


1 Like

“to protect my years of investment of design, copywriting and marketing skills that can’t be replicated as easy as people think just by using a “do it yourself” website tool.”-------exactly!

1 Like

exactly! !!!

1 Like

Hi @samliew,, @cyberdave, @jdesign, @StuM, @brryant, @pxljoy, @Revolution, here is the link to a thread in the wishlist. Vote for it, so the webflow team finally recognizes how important this is (i have the feeling they are prioritizing “nice to have” things over this massive issue! Hope so badly this gets fixed asap. All the best to you so far.

1 Like

So two months later. This issue arises with a client. Is the decision by Webflow @brryant to leave this the way it is?


Yeah, can we remove this :S

Clients don’t like it, it’s a scary thought


I would also like a resolution to this issue and to hear the results of @cyberdave’s mentioned investigation. I feel there has been a vast amount of patience offered here but no reciprocating movement.

If I’m not mistaken I also thought much of the original justification for this integration was connected to non-webflow hosted sites being used for mass spamming. Seeing as forms functionality is being removed from non-hosted sites due to GDPR compliance I no longer see any justifiable need whatsoever for this link to be required (and didn’t originally had a double opt-in been used).

While I appreciate the time that put into setting up a wishlist item for this, personally I refuse to vote out of principle that a security hole and integration that disregards white-label customers should not have to be resolved by popular vote. It should have never been an issue in the beginning and should have certainly been rectified a long time ago.