Feeds are not private, anyone can see any feed

  • 8
  • Problem
  • Updated 5 years ago
I had sent this via e-mail some time ago, but since I got no reply, I'm re-posting this here.

I never thought about it before today, but newsblur assigns a global id to every feed added. This global id, is just an ever-increasing integer --- just look at the url bar when you have a feed selected.

This means that I can just request any id and get the feed that corresponds to it.
Try it now. For instance
https://www.newsblur.com/site/2965764/ is androidpolice, but if you increment it by one
https://www.newsblur.com/site/2965765/ it's someone else's android blog (and you can access it even without being logged in).

With a bit of scripting anyone could possibly scrape the list of every feed ever added (i'm unsure if newsblur ever unassigns an id) to newsblur.

The issue is, that some of those feeds may be private, custom views. For instance I have a feed that embeds my site-specific key and displays custom info just for me from that website, and anyone can see that feed, even without an account, as long as they guess the number (or just scan all of them).

While that site is rather unimportant to me, I can imagine that some people might have more important or private information as their feeds, not realizing that they are public -- it might be their private calendar feed, their strange midget tentacle feed, bank account transactions feed, etc.

I for one, was assuming before today that my feeds were only visible to the newsblur staff and myself, which I thought as a reasonable tradeoff for the service -- I was clearly mistaken, but I'm worried that other people may be exposing sensitive important information in this way, while being under the same assumption that I was.

I think this issue could be solved by having the ID of a feed be a UUID, or for instance the md5/sha1 of the feed url -- of course this externally visible id could then be mapped to the internal, current one. This way, the search space would not be continuous, and it would take a lot of obvious hammering to crawl for feeds.

Another possible solution would be to allow users to mark feeds as private when adding them -- and then only allowing the users which explicitly added the feed with the private flag to access it. I think this would be a bit more cumbersome, as the previous solution takes care of everything without the users ever having to do anything themselves, for all current feeds.

Finally, there's also a bit of a band-aid solution, which would be for example disallowing direct access to feeds that only have 0 or 1 user. That would solve the case for my feed, because I know I'm the only one that uses it, although it would not work in cases where two or three people (maybe a family) share a private feed.

If all else fails, I think the add dialog should at least point out that ALL added feeds become public. At least this way, people would know from now on what to expect, but it does leave open the window for current users to be exploited.

If you read this far, thanks for your time. I sincerely hope you consider this issue, and I'm willing to help if needed, as I think this is a rather important problem to tackle. Also thanks for newsblur -- I'm still a free leecher, but greatly appreciate the service.
Photo of ianjo

ianjo

  • 7 Posts
  • 4 Reply Likes
  • sad

Posted 5 years ago

  • 8
Photo of ChrisFaction

ChrisFaction

  • 53 Posts
  • 4 Reply Likes
Thanks for pointing this out.
I think this IS a security and privacy problem that should be solved.

I hope Samuel is comming up with a solution.

Chris
Photo of RethorykeEpicaridan

RethorykeEpicaridan

  • 30 Posts
  • 14 Reply Likes
Those feeds are public long before Newsblur, or any feed reader, has anything to do with it.

RSS/Atom is about broadcasting news from a point source, and has little consideration for authentication. See this StackOverflow question from 2009 to get a feel for the state of the efforts in that direction: http://stackoverflow.com/questions/92...

You can _not_ rely on a long pseudo-random URL to keep a feed private.

I'm not aware of any successors to RSS/Atom that provide a standard authentication mechanism, nor of a massive outcry for one.

(Maybe offtopic, but the recent foofaraw over YouTube removing the personalised Subscription feed is probably related; any user's subscription feed is (was?) publicly available.)
Photo of ChrisFaction

ChrisFaction

  • 53 Posts
  • 4 Reply Likes
Hi RethorykeEpicaridan
and thanks for sharing your thoughts.

I agree that the primary intended use is to collect news rss feeds that are public any way.
BUT that's not the whole story. There are rss feeds that contain unique identifiers that are intended to be used only be certain persons.
As an example: Some here use Yahoo Pipes to filter rss feeds and yahoo generates a unique ID for this feed. There are scripts and webapplications that generate rss feeds from other content. Not all of those feeds are intended for public access.

If Samuel doesn't want to put effort in removing this problem then AT LEAST all users should know about the fact.
So IMHO there should be a prominent "WARNING: don't use private feed URLs - everyone can see them" for the users.
Photo of pxlmsc

pxlmsc

  • 45 Posts
  • 1 Reply Like
I see it the same way.

I'd like very much to see ever-increasing integers replaced by UUIDs. I suppose that'd be enough to prevent easy collection/scraping of data (data which, while not strictly "sensible" or "private", were not meant for public consumption)
Photo of John Morahan

John Morahan

  • 86 Posts
  • 27 Reply Likes
Another obvious example is GitHub's commit log feeds for private repositories.

Feeds with less than a certain number of subscribers (10, I think), and feeds with keywords in the URL that suggest private tokens, are already excluded from the search. So it would appear that Samuel does accept that some feeds should be considered private - I guess he just missed this particular method of discovering them?
Photo of ChrisFaction

ChrisFaction

  • 53 Posts
  • 4 Reply Likes
@Samuel: I assume you are very busy at the moment
but hope you will find time for a short reply about your opinion on this

thanks
chris