Seeing Someone Else's Feeds

In launching Newsblur from a bookmark, I’m being presented with someone else's feeds… The right side of the screen says "Welcome " but the left side, under “users blog” clearly lists another user. Fortunately this person seems to be a health nut…

Should we be concerned with security?

3 Likes

What’s the URL for the bookmarklet? It probably has a secret token embedded. The only way to get that token is from a NewsBlur email forwarded from that user. Every email NewsBlur sends contains an autologin token, which makes it easier to do anything from a NewsBlur email. However, if given to another user, you have access to their account.

My bookmark points to http://www.newsblur.com

I honestly don’t personally know anyone (in RL or online) that uses Newsblur. The feeds that I saw were 99% fitness feeds, which CLEARLY I wouldn’t be interested in. :wink:

I have always had the same issue - the properties of the bookmark show the URL to be

https://www.newsblur.com/

and I blow away all cookies at the end of the browser session, so unlikely it is a token or cookie. It’s not so much somebody else’s feeds (I don’t think) but… is there a demo page when you are not logged on? I think it may be the “try-out” page?

Yes, there is a demo account, and when you are unauthenticated, you get the demo account's feeds. You can’t change them, as you’re not authenticated, but this setup does cause some issues.

If you want to see what the demo account looks like, just log out and hit the big “Try NewsBlur” button.

There may be a demo account (never tried it), but from the screenshot I provided in my OP, it’s clearly not it…

Okay I believe I have finally figured this out.

The required conditions seem to be due to these settings both being used: (1) deleting cookies on browser exit (e.g. with the cookie self-destruct add-on) and (2) restoring tabs from the previous session on browser restart (via Firefox preferences).

What happens is that when Firefox tries to restore its Newsblur tab on a new session, it picks up a feed address instead of the bookmarked address. E.g. instead of the bookmarked https://www.newsblur.com/ it tries and restores a URL like: https://www.newsblur.com/site/5733916…

What happens if you hit that URL without being logged in is that you briefly seem to get the sign-in page, and then you get redirected to that feed *BUT* with the “demo” account. Which is why the OP thought they were getting somebody else’s feed.

I think the solution to that is not to service requests for specific feeds for anonymous users, but I don’t know how the demo page would work for that - maybe ask people to log in with a demo/demo username/password or something like that? Anyway, now you know what I know. And thanks again so much for running such an awesome service.
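As an added illustration of the behaviour frossie describes and the fix proposed above (this is example code written here, not NewsBlur's own routing; the `demo` user name and the `/login?next=` convention are assumptions):

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlencode

# Constructed stand-in for the server's routing layer. The demo account
# name is a hypothetical placeholder, not NewsBlur's real value.
DEMO_USER = "demo"


@dataclass
class Request:
    path: str
    user: Optional[str]  # None means anonymous (e.g. cookies were wiped)


def safe_next(path: str) -> str:
    """Allow only a same-site relative path as the post-login target, so
    the login redirect cannot be turned into an open redirect."""
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or not path.startswith("/") or path.startswith("//"):
        return "/"
    return path


def handle_confusing(req: Request) -> Tuple[str, str]:
    """Behaviour described in the thread: an anonymous request for a
    specific feed URL (a restored tab after cookies were deleted) is
    answered with the demo account's view of that feed, which looks like
    someone else's account."""
    if req.user is None:
        return ("200", f"{DEMO_USER}:{req.path}")
    return ("200", f"{req.user}:{req.path}")


def handle_fixed(req: Request) -> Tuple[str, str]:
    """Proposed behaviour: anonymous users see the demo view only on the
    landing page; any specific feed URL sends them to login, carrying the
    original path so the restored tab lands on the right feed afterwards."""
    if req.user is not None:
        return ("200", f"{req.user}:{req.path}")
    if req.path == "/":
        return ("200", f"{DEMO_USER}:/")
    return ("302", "/login?" + urlencode({"next": safe_next(req.path)}))
```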

frossie… While your explanation seems to make sense (I do use CCleaner to destroy cookies), please look at the feeds in the screen capture I provided in my original post and compare it to the demo account. They’re completely different. I even had to cover over the username with blue marker to protect their identity.