I was planning on renewing my premium subscription when I received a notification email from Newsblur with this link.
http://www.newsblur.com/reader/autolo… hash]?next=renew
This is troubling for a number of reasons.
1.) Password security is nearly useless: a single link grants anyone access to my account.
2.) This link defaults to http, an insecure connection, allowing the DNS provider or anyone sniffing traffic to view the URL and gain access.
3.) This link was delivered over email, an insecure channel. (Newsblur’s email host does seem to support STARTTLS, but it isn’t good practice to send sensitive information this way.)
I’ve enjoyed Newsblur during the past year but this is unacceptable, especially for paying customers.
Please correct me if any of my statements are misleading or inaccurate; I was not able to find documentation about this “feature”.
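For comparison, here is an added example of how an e-mailed login link can be issued and redeemed with the exposure limited: the token is random, bound to one purpose (`next=renew`), expires after a short lifetime, can be used only once, and is stored only as a hash. This is illustrative code written for this post, not Newsblur's implementation; the `AutologinTokens` class, the 15-minute lifetime and the `example.invalid` HTTPS origin are assumptions.

```python
"""Short-lived, single-use login tokens for an e-mailed link.
Hypothetical design written for illustration, not Newsblur's code."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed values: a 15-minute lifetime and a placeholder HTTPS origin.
TOKEN_TTL_SECONDS = 15 * 60
BASE_URL = "https://example.invalid/reader/autologin"


@dataclass
class TokenRecord:
    user_id: str
    purpose: str          # the single action the link may perform, e.g. "renew"
    expires_at: float
    used: bool = False


class AutologinTokens:
    """Only a SHA-256 digest of each token is kept server-side, so a leaked
    table of records does not hand out working login links."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str, purpose: str,
              now: Optional[float] = None) -> Tuple[str, str]:
        """Create a fresh random token and return (token, https_link)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, URL-safe
        self._records[self._digest(token)] = TokenRecord(
            user_id=user_id, purpose=purpose, expires_at=now + TOKEN_TTL_SECONDS)
        link = f"{BASE_URL}/{token}?next={purpose}"   # always https, never http
        return token, link

    def redeem(self, token: str, purpose: str,
               now: Optional[float] = None) -> Optional[str]:
        """Return the user id if the token is valid for this purpose, else None.
        Every failure path returns None without revealing which check failed."""
        now = time.time() if now is None else now
        record = self._records.get(self._digest(token))
        if record is None:
            return None
        if record.used or now > record.expires_at or record.purpose != purpose:
            return None
        record.used = True            # single use: burn it before granting access
        return record.user_id
```

Binding the token to a purpose means the link can only reach the renewal page rather than acting as a general password replacement, and the expiry plus single-use check means a link captured from mail or from a plaintext HTTP request is worthless once it has been clicked or has aged out.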