A while ago I confronted Feedly on Twitter about an apparent hole in their Firefox plugin:
They claimed they don't store credentials per se, and after further investigation I believe them, but there's still something not quite right.
See, if you install the plugin, everything appears normal:
But when you turn on Firefox's "Private Browsing" mode and click the Feedly button, you still see your feeds!
Fortunately, after a while, Feedly attempts to update your feed and displays the login screen:
So this tells me that what Feedly says is probably true: they don't cache your credentials in the plugin. However, they still apparently cache content from your feeds for a little while until the next refresh period. By itself, this content cache isn't a bad thing (it's a performance optimization and saves network bandwidth) -- but the fact that their local content cache doesn't respect privacy modes in the browser is somewhat disturbing... Does that mean that they cache outside the browser's model? Or does that mean that Firefox doesn't secure local data? Either conclusion would be troubling.
Does this actually expose private information in practice? I can't guess how you'd exploit it, but it certainly doesn't give me a warm fuzzy feeling either.
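
One way a plugin's content cache could respect private browsing, shown as an added example that is not from the original post and not Feedly's code: the cache is partitioned by browsing mode, so a private window never reads entries stored by the normal session. `FeedCache`, its method names and the sample feed URL are hypothetical.

```javascript
// Added example: a feed-content cache partitioned by browsing mode.
// FeedCache and its methods are hypothetical, not Feedly's implementation.
class FeedCache {
  constructor(ttlMs, now = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now; // injectable clock so expiry can be tested
    // Two separate in-memory stores. Only the normal one would ever be
    // a candidate for writing to disk; the private one must not be.
    this.stores = { normal: new Map(), private: new Map() };
  }

  // `isPrivate` is the caller's browsing mode. In a WebExtension it would
  // come from tab.incognito or browser.extension.inIncognitoContext.
  _store(isPrivate) {
    return isPrivate ? this.stores.private : this.stores.normal;
  }

  put(isPrivate, feedUrl, items) {
    this._store(isPrivate).set(feedUrl, { items, storedAt: this.now() });
  }

  // A private window never sees what the normal session cached, and
  // the normal session never sees what a private window cached.
  get(isPrivate, feedUrl) {
    const store = this._store(isPrivate);
    const entry = store.get(feedUrl);
    if (!entry) return null;
    if (this.now() - entry.storedAt > this.ttlMs) {
      store.delete(feedUrl); // expired: caller must refresh (and re-authenticate)
      return null;
    }
    return entry.items;
  }

  // Call when the last private window closes.
  endPrivateSession() {
    this.stores.private.clear();
  }
}

// Constructed sample data: cached in normal mode, then read from private mode.
const cache = new FeedCache(60_000);
cache.put(false, "https://example.com/feed", ["post A", "post B"]);
const seenInPrivate = cache.get(true, "https://example.com/feed"); // cache miss
```

With this layout, the behaviour described above (feeds still visible after switching to Private Browsing) becomes a cache miss that forces the login screen immediately.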