Warning for all G-Mail users who use the RSS feed feature via Bloglines.
I just got a bit of a shock when I checked a search feed at Bloglines to find a headline that looked very familiar. In fact it was familiar because I’d written it myself.
This might not be too unusual really – I often see my blog posts in Bloglines – the difference here was that this was not the headline of a post I’d written – rather it was the headline of an email I’d sent – my ProBlogger Newsletter (click screen cap for enlargement).
I thought this was a rather odd thing – an email that I’d sent to a select few people (those who have signed up for my weekly recap of blogging here at ProBlogger) came up in a bloglines search result – for all to see. How could this be so?
At first I thought that one of my subscribers had republished my email on their blog.
But further investigation revealed that the ‘source blog’ was a G-Mail Inbox for one of my readers.
I’d heard that Google’s G-Mail allowed users to follow their email via RSS – but didn’t realize that this made the subject line and first line of the email accessible by the public if that user checks their email via RSS at Bloglines.
This is a little worrying – every time I send an email to a G-Mail account now I’ll be looking at my subject and first line slightly differently because it could just be read by any Bloglines user who happens to have a search feed for any of the words you use.
So – the take home lesson here is twofold:
Firstly for G-Mail users – don’t use Bloglines to check your G-Mail RSS feeds – once you add it to your list of feeds to check it becomes checkable not only by you but potentially by anyone. Once someone discovers your RSS feed on Bloglines they have access to every email you get via G-Mail (or at least the first line of it). This could be VERY damaging to you – depending upon the type of email that you get.
Secondly for those sending email to G-Mail accounts – be careful what you write in your subject and first line – especially if it uses the word ‘ProBlogger’ – because that is one of my search feeds on Bloglines!
Update: I’ll add to this post that I’m not completely familiar with G-Mail’s RSS feed capabilities and perhaps I haven’t reported this technically correct – it could be that the G-Mail feeds (I’ve seen three now) that I’ve seen are not being used by their users correctly – but the fact remains that I’m seeing people’s G-Mail inboxes in Bloglines – and this should be ringing warnings bells in many people’s ears right now.
Update: Others (who know more about this) have followed this story up at:
– Do not use the Atom Gmail service with online aggregators like Bloglines
– Darren worried about Gmail leakage through RSS and Bloglines
Update II – I’m not the first person to notice this – Randy posts this back in November.
[…] with the relevant email address you want the invite sent to. You might want to read this post by Darren Rowse first.
Filed under: PR […]
oh my God – I just found my Gmail account publicly listed on Bloglines too. How do I delete it? I have personal stuff on it!!!!
I imagine if you read your Gmail account via a subscription that you designate as private then there would be no publication of the RSS feed. However it looks a bit dodgy to me nevertheless.
BTW Darren, thanks for working around Spam Karma for me. Peace.
Ooh, that’s nasty. Thanks for the heads up.
I’m not quite sure why this should be a surprise. It’s an RSS feed to an inbox. Bloglines is a public aggregator. Users of Basecamp and other products face similar issues. It’s generally not a good idea to use a public aggregator to read private feeds.
I didn’t even know that my Gmail account offered an RSS feed…..
You can set individual feeds to be ‘private’ even if the rest of your feeds are public. Alternatively, I presume you could set up two bloglines accounts, or use a different aggregator for that – then again if you are online (which you must be to get RSS updates) why not just check your mail in the usual fashion? Or am I missing something here…?
Hello,
I’m surprised to read your post today. I just posted something regarding this subject:
http://radio.weblogs.com/0140770/2005/05/14.html#a137
I done some tests and if you are right, GMail only create a SSL channel… no authentication. What this mean? It means that the feed is encrypted for his transmission but anyone have access to it. The situation is strange but it look likes it. I tested bloglines on a feed using SSL, you can get it. I tested bloglines with a feed using HTTP Auth, he can’t get the feed. I can’t push my tests farthest because I do not have any GMail account but the problem seem real.
So, thank for this post, it put light on some of my interrogations.
Salutations,
Fred
Hello,
I talked too fast, you can have access to a SSL page with HTTP Auth on bloglines by using this trick:
https://USERNAME:[email protected]/feed/rss/
Sorry,
Salutations,
Fred
Do not use the Atom Gmail service with online aggregators like Bloglines
Do not use the Atom Gmail service with online aggregators like Bloglines There is a real security threat
I have a gmail account. I didn’t realize I had an atom feed. As far as I can tell, the gmail account holder has to provide a user/pass combo via to access their feed. I can only assume that users who are reading their inboxes via bloglines have set it up to automatically connect with their user/pass combo. I am not a bloglines user so this only speculation. Not that swift on those account holders parts for setting those feeds up in bloglines. It doesn’t just affect them, but the users who email them.
[…] ten – rather it was the headline of an email I’d sent – my ProBlogger Newsletter.” ProBlogger I just post on Gm […]
! Rss Gmail
“Warning about Checking G-Mail RSS on Bloglines” , rss- . rss-, Bloglines, Gmail…
You can also find more info on this at this website….
http://www.kbcafe.com/iBLOGthere4iM/?guid=20041117223055
By the way, with the above example I was able to get the user name and password of the above accounts and enter the users gmail accounts.
On Bloglines security: Preview Feed is evil also
Bloglines can be a tremendous helpful service, but there are many (esp. security) downsides not visible to the common user.
to fred,
your testing may be valuable if you continue with it with a gmail a/c.
i can send you a gmail invitation if you can send me a email to [email protected]
thanks
[…] a nella vita quotidiana 16/5/2005 Gmail, Bloglines e i feed RSS Un articolo di Darren Rowse sta creando qualche scompiglio in giro […]
[…] ff Photos of Brown Recluse Spider Bite. The future of Google, Apple, and Microsoft. Warning about Checking G-Mail RSS on Bloglines. Dom […]
Hello
Hello alll and welcome to IluvNUFC’s round up of the best of the net this week. Sorry I was’nt here yeaterday but I was attending wor kid’s(mmChronic) wedding with Dogs. Not sure where the rest of the guys were though. Anyway lets start with some Star
Organising Online Partnerships
I found your blog on google and read a few of your other posts. Very nice read.
Be reminded to continue to build back links for traffic and seo.
Darren.