Wednesday, May 19, 2010

the privacy of feedly feeds

A while ago I confronted Feedly on Twitter about an apparent hole in their Firefox plugin:

They claimed they don't store credentials per se, and after further investigation I believe them, but there's still something not quite right.

See, if you install the plugin, everything appears normal:

But when you turn on Firefox's "Private Browsing" mode and click the Feedly button, you still see your feeds!

Fortunately, after a while, Feedly attempts to update your feed and displays the login screen:

So this tells me that what Feedly says is probably true: they don't cache your credentials in the plugin. However, they still apparently cache content from your feeds for a little while, until the next refresh period. By itself, this content cache isn't a bad thing (it's a performance optimization and saves network bandwidth) -- but the fact that their local content cache doesn't respect the browser's privacy mode is somewhat disturbing. Does that mean that they cache outside the browser's storage model? Or does it mean that Firefox doesn't secure local data? Either conclusion would be troubling.

Does this actually expose private information in practice? I can't guess how you'd exploit it, but it certainly doesn't give me a warm fuzzy feeling either.


Edwin Khodabakchian said...

Hello. You are correct: once you connect to feedly, it assembles and caches some of the feedly pages for 10 minutes. If you try to access the same page within 10 minutes, no connection is needed to Google Reader to render those pages.

Currently, feedly is not aware of the incognito mode of the browser. I can talk to the team and try to weave that in but I am not sure what you would expect the feedly behavior to be: would you want feedly to automatically log out when the browser switches to incognito? What would be the benefit of that?

Larry Kyrala said...

Firefox describes one of the uses of private browsing as a way to secure your activities when on a public computer (for example at an internet cafe).

While it's doubtful someone would use a Firefox plugin like feedly in such a context, it still breaks the "privacy" assumption in switching to private browsing mode.

What I expect is that while in private browsing mode Feedly "forgets" who I am completely, then when I switch to normal mode, Feedly remembers all my settings.

This is exactly how other cookie-based services such as Gmail work (try it!), so the fact that Feedly doesn't work this way is a tip-off that something isn't right.

Logging off Feedly when switching is just a user-experience hack; it doesn't fix the problem, which is caching something locally without respecting the privacy mode.

Is this a problem with Firefox, or with the plugin?
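The behaviour the post and the comments describe, a rendered-page cache with a 10-minute lifetime that should be bypassed while the browser is in private mode, sketched as an added example (not Feedly's code); the `isPrivate` flag is a constructed stand-in for whatever private-browsing signal the extension platform exposes:

```javascript
// Added example, not Feedly's code: a feed-page cache whose entries expire
// after a TTL and which is bypassed entirely while the session is private.
// `isPrivate` is an assumed stand-in for the browser's private-mode signal.

const TEN_MINUTES_MS = 10 * 60 * 1000;

class FeedCache {
  constructor(ttlMs = TEN_MINUTES_MS, now = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now;           // injectable clock so expiry can be tested
    this.entries = new Map(); // key -> { body, expiresAt }
  }

  // Store a rendered page unless the session is private: nothing written
  // during a private session may survive it.
  set(key, body, isPrivate) {
    if (isPrivate) return false;
    this.entries.set(key, { body, expiresAt: this.now() + this.ttlMs });
    return true;
  }

  // Serve a cached page only to a non-private session and only while the
  // entry is fresh; otherwise report a miss so the caller re-fetches (and,
  // without credentials, lands on the login screen instead).
  get(key, isPrivate) {
    if (isPrivate) return null;
    const entry = this.entries.get(key);
    if (!entry) return null;
    if (entry.expiresAt <= this.now()) {
      this.entries.delete(key);
      return null;
    }
    return entry.body;
  }

  // Drop everything, e.g. when the browser signals a switch to private mode.
  clear() {
    this.entries.clear();
  }
}

// Constructed walk-through mirroring the post: a normal session caches a page,
// a private session sees nothing, and the entry expires after the TTL.
function demo() {
  let t = 0;
  const cache = new FeedCache(TEN_MINUTES_MS, () => t);
  cache.set('feedly/home', '<rendered feed page>', false);
  const normalHit = cache.get('feedly/home', false);  // served from cache
  const privateHit = cache.get('feedly/home', true);  // null: private mode
  t += TEN_MINUTES_MS;
  const afterTtl = cache.get('feedly/home', false);   // null: expired
  return { normalHit, privateHit, afterTtl };
}
```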