Feeds are not private, anyone can see any feed

  • 8
  • Problem
  • Updated 5 years ago
I had sent this via e-mail some time ago, but since I got no reply, I'm re-posting this here.

I never thought about it before today, but newsblur assigns a global id to every feed added. This global id is just an ever-increasing integer --- just look at the url bar when you have a feed selected.

This means that I can just request any id and get the feed that corresponds to it. Try it now. For instance https://www.newsblur.com/site/2965764/ is androidpolice, but if you increment it by one, https://www.newsblur.com/site/2965765/ is someone else's android blog (and you can access it even without being logged in).

With a bit of scripting anyone could possibly scrape the list of every feed ever added to newsblur (I'm unsure if newsblur ever unassigns an id).

The issue is that some of those feeds may be private, custom views. For instance, I have a feed that embeds my site-specific key and displays custom info just for me from that website, and anyone can see that feed, even without an account, as long as they guess the number (or just scan all of them).

While that site is rather unimportant to me, I can imagine that some people might have more important or private information as their feeds, not realizing that they are public -- it might be their private calendar feed, their strange midget tentacle feed, bank account transactions feed, etc.

I, for one, was assuming before today that my feeds were only visible to the newsblur staff and myself, which I thought was a reasonable tradeoff for the service -- I was clearly mistaken, but I'm worried that other people may be exposing sensitive, important information in this way, while being under the same assumption that I was.

I think this issue could be solved by having the ID of a feed be a UUID, or for instance the md5/sha1 of the feed url -- of course this externally visible id could then be mapped to the internal, current one. This way, the search space would not be continuous, and it would take a lot of obvious hammering to crawl for feeds.

Another possible solution would be to allow users to mark feeds as private when adding them -- and then only allowing the users which explicitly added the feed with the private flag to access it. I think this would be a bit more cumbersome, as the previous solution takes care of everything without the users ever having to do anything themselves, for all current feeds.

Finally, there's also a bit of a band-aid solution, which would be for example disallowing direct access to feeds that only have 0 or 1 user. That would solve the case for my feed, because I know I'm the only one that uses it, although it would not work in cases where two or three people (maybe a family) share a private feed.

If all else fails, I think the add dialog should at least point out that ALL added feeds become public. At least this way, people would know from now on what to expect, but it does leave open the window for current users to be exploited.

If you read this far, thanks for your time. I sincerely hope you consider this issue, and I'm willing to help if needed, as I think this is a rather important problem to tackle. Also thanks for newsblur -- I'm still a free leecher, but greatly appreciate the service.

ianjo

  • 7 Posts
  • 4 Reply Likes

Posted 5 years ago

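An added illustration (not NewsBlur's own code) of two remedies proposed in the post: opaque external feed ids mapped onto the existing sequential internal ids, and an access check that refuses direct access to feeds marked private or with fewer than two subscribers unless the requester subscribes to them. It swaps the post's plain md5/sha1 of the URL for an HMAC keyed with an assumed server secret, since an unkeyed hash of a known URL can be recomputed by anyone who knows the URL; `Feed`, `FeedRegistry` and the sample URLs are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Feed:
    internal_id: int          # the existing sequential id, never exposed
    url: str
    private: bool = False     # the "mark as private when adding" flag
    subscribers: Set[str] = field(default_factory=set)

class FeedRegistry:
    """Opaque external ids over sequential internal ids, plus the access rule."""

    def __init__(self, key: bytes) -> None:
        self._key = key       # server-side secret, assumed loaded from config
        self._by_internal: Dict[int, Feed] = {}
        self._by_external: Dict[str, int] = {}
        self._next_id = 1

    def external_id(self, internal_id: int) -> str:
        # Keyed hash (HMAC-SHA256) of the internal id: deterministic, so no
        # extra storage is needed, but not computable without the key, so the
        # id space cannot be walked by incrementing.
        mac = hmac.new(self._key, str(internal_id).encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def add_feed(self, url: str, owner: str, private: bool = False) -> str:
        feed = Feed(self._next_id, url, private, {owner})
        self._by_internal[feed.internal_id] = feed
        ext = self.external_id(feed.internal_id)
        self._by_external[ext] = feed.internal_id
        self._next_id += 1
        return ext

    def subscribe(self, ext_id: str, user: str) -> None:
        self._by_internal[self._by_external[ext_id]].subscribers.add(user)

    def fetch(self, ext_id: str, requester: Optional[str], min_public_subs: int = 2) -> Optional[Feed]:
        internal = self._by_external.get(ext_id)
        if internal is None:
            return None
        feed = self._by_internal[internal]
        if requester is not None and requester in feed.subscribers:
            return feed          # subscribers always see their own feed
        if feed.private or len(feed.subscribers) < min_public_subs:
            return None          # private, or only 0/1 users: no direct access
        return feed
```

A logged-out request for a single-user feed now returns nothing, while a feed shared by two or more users stays reachable unless one of them flagged it private.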

John Morahan

  • 86 Posts
  • 27 Reply Likes
Another obvious example is GitHub's commit log feeds for private repositories.

Feeds with fewer than a certain number of subscribers (10, I think), and feeds with keywords in the URL that suggest private tokens, are already excluded from the search. So it would appear that Samuel does accept that some feeds should be considered private - I guess he just missed this particular method of discovering them?