Today when I opened NewsBlur I was logged out, but because the tab still had the URL of my last feed open I was still redirected to it. This feed happened to be a private GitHub feed with sensitive information of my company, so I was quite shocked that this feed is visible even to anonymous, logged-out users (verified with another browser where I have never logged into NewsBlur).
This is a *huge* privacy violation. Is this deliberate and/or documented anywhere? Granted, you still need to know the exact URL of the feed, but at the moment nobody’s stopping anybody from going through all the possible IDs and looking for sensitive feeds, or search engines from indexing my private information (why is /site not in robots.txt?)