Private feeds are public for everyone to see


#1

Today when I opened NewsBlur I was logged out, but because the tab still had the URL of my last feed open I was still redirected to it. This feed happened to be a private GitHub feed with sensitive information of my company, so I was quite shocked that this feed is visible even to anonymous, logged-out users (verified with another browser where I have never logged into NewsBlur).

This is a *huge* privacy violation. Is this deliberate and/or documented anywhere? Granted, you still need to know the exact URL of the feed, but at the moment nobody’s stopping anybody from going through all the possible IDs and looking for sensitive feeds, or search engines from indexing my private information (why is /site not in robots.txt?)


#2

You’re not alone. Samuel responded in this thread, but the problem still hasn’t been fixed.


#3

I think you linked the wrong thread, or at least I can’t see what the sharing bookmarklet has to do with this problem 😉


#4

Is there such a thing as a private feed? It looks like everything gets an ID the first time someone subscribes to it and then it’s publicly accessible? I’ve not seen anything anywhere that suggests things are private?


#5

Why should I assume that a feed I add to my own, private account will be made accessible to anyone else?


#6

Samuel, any answer on this? I would be very surprised and disappointed if this is intentional.


#7

There appear to be mechanisms in place that keep feeds somewhat private:

What I could so far not figure out is how to know whether these mechanisms work for a feed I am adding or that I already added, i.e. how to know who a feed is visible to.


#8

Devurandom, you don’t need to post this on every thread. Anyway, as I’ve mentioned elsewhere, feeds where you are the only subscriber are not public and will not show up in search results.