Autologin security issue

I was planning on renewing my premium subscription when I received a notification email from Newsblur with this link.

http://www.newsblur.com/reader/autolo… hash]?next=renew

This is troubling for a number of reasons.

1.) Password security is nearly useless; a single link grants anyone access to my account.

2.) This link defaults to http, an insecure connection, which also allows the DNS provider or anyone sniffing traffic to view the URL and gain access.

3.) This link was delivered over email, an insecure channel. (Newsblur’s email host does seem to support STARTTLS, but it isn’t good practice to send sensitive information this way).

I’ve enjoyed Newsblur during the past year but this is unacceptable, especially for paying customers.

Please correct me if any of my statements are misleading or inaccurate; I was not able to find documentation about this “feature”.

4 Likes

You are correct that you are able to log in with a link in the email, but this is no different than recovering your password over email. Once an attacker has access to email, they have access to your account. I only simplified the login process, but they could just as easily use Forgot Password and gain access.
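The two posts above disagree about how much risk a login link in an email adds. The reply's comparison to a password-reset link holds only if the autologin link is built the same way a good reset link is: high-entropy, stored as a hash, single-use, short-lived, and refused over plain http. The following is an added illustration of that design and is not NewsBlur's code; the class name `MagicLinkIssuer`, the 15-minute TTL, the `/reader/autologin/` path shape and the sample user id are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import quote

# Assumed policy values for this example (not NewsBlur's real settings).
TOKEN_TTL_SECONDS = 15 * 60   # a link dies 15 minutes after it is sent
TOKEN_BYTES = 32              # 256 bits of entropy per link


@dataclass
class TokenRecord:
    user_id: str
    next_path: str
    expires_at: float
    used: bool = False


class MagicLinkIssuer:
    """Issues and redeems single-use, time-limited login links.

    Only a SHA-256 digest of the token is stored server-side, so a leaked
    database row cannot be turned back into a working link.
    """

    def __init__(self, base_url="https://www.newsblur.com", clock=time.time):
        self.base_url = base_url.rstrip("/")
        self.clock = clock          # injectable so expiry can be exercised offline
        self._records = {}          # sha256(token) -> TokenRecord

    @staticmethod
    def _digest(raw_token):
        return hashlib.sha256(raw_token.encode("ascii")).hexdigest()

    @staticmethod
    def _safe_next(next_path):
        # Accept only same-site relative paths; "//evil.example" would be an
        # open redirect off the back of a successful login.
        if next_path.startswith("/") and not next_path.startswith("//"):
            return next_path
        return "/"

    def issue(self, user_id, next_path="/"):
        raw = secrets.token_urlsafe(TOKEN_BYTES)
        safe_next = self._safe_next(next_path)
        self._records[self._digest(raw)] = TokenRecord(
            user_id=user_id,
            next_path=safe_next,
            expires_at=self.clock() + TOKEN_TTL_SECONDS,
        )
        # The mailed link is always https; the server should also refuse the
        # token on plain http (see redeem) so it never crosses the wire in clear.
        return f"{self.base_url}/reader/autologin/{raw}?next={quote(safe_next, safe='/')}"

    def redeem(self, raw_token, scheme="https"):
        """Return (user_id, next_path) on success, None on any failure."""
        rec = self._records.get(self._digest(raw_token))
        if rec is None or rec.used:
            return None                 # unknown, or already spent
        if scheme != "https":
            rec.used = True             # it just travelled in clear text: treat as leaked
            return None
        if self.clock() > rec.expires_at:
            return None                 # stale link from an old email
        rec.used = True                 # burn it: a copied link is now worthless
        return rec.user_id, rec.next_path


def extract_token(url):
    """Pull the raw token out of a link built by MagicLinkIssuer.issue()."""
    path = url.split("?", 1)[0]
    return path.rsplit("/", 1)[1]


def demo():
    """Walk one link through its lifecycle; returns the outcome of each step."""
    now = [1_700_000_000.0]                     # constructed clock we can advance
    issuer = MagicLinkIssuer(clock=lambda: now[0])

    link = issuer.issue("user-42", "/renew")    # "user-42" is a constructed id
    token = extract_token(link)
    results = {
        "link_uses_https": link.startswith("https://"),
        "https_first_use": issuer.redeem(token, scheme="https"),
        "https_second_use": issuer.redeem(token, scheme="https"),
    }

    leaked = extract_token(issuer.issue("user-42", "/renew"))
    results["plain_http"] = issuer.redeem(leaked, scheme="http")
    results["after_http_leak"] = issuer.redeem(leaked)      # burned by the http attempt

    stale = extract_token(issuer.issue("user-42", "/renew"))
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = issuer.redeem(stale)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:>20}: {outcome}")
```

The design point is that the link in the email is only as dangerous as the reply says (equivalent to a reset link) when the token is burned on first use and dies on its own shortly after; a permanent per-account hash that works over http is a standing credential, which is what the original post is objecting to.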