For those of you who are wondering what my recent Google Reader shared item comment was all about, here you go. I’ve explained it over IM twice, and I think it deserves a proper blog post:
We all like having RSS-feeds for everything, right? That way we can catch up with the world in one place.
So Facebook have RSS feeds for friends’ status updates, notes, and shared posts. These feeds look something like http://www.facebook.com/feeds/friends_status.php?id=530720481&key=0dead0beef&format=rss20
. And all the feeds have the same key.
Yes, we’d rather they used HTTP-Digest password authentication, but not many RSS readers support that, and you’d never give anyone that feed url, right?
Well, no. If I read something cool in one of these Facebook-feeds in Google Reader and I share it with my Google Reader friends, they’ll all get the full feed URL. Now they can read all my friends’ status updates, notes, and shared items.
One of my Facebook friends might be paranoid, and writing about very personal stuff on Facebook. As a Facebook user, he could have set his privacy settings so that only his friends can read his notes. However, now all my Google Reader friends can too.
In this case, this isn’t a big problem, because there’s very little interesting content on Facebook, and hopefully no trade secrets. Obviously these problems apply to services besides Facebook and Google Reader, but these are good examples. Also a friend of mine shared his key recently ;-)
But it gets worse, Google Reader has a feed directory and feed discover page. Searching it reveals lots of such ID, key combinations. And generally Googling reveals 30-odd such pairs that have leaked onto the general Internet.
So. If you are implementing RSS feeds with private data in them, please don’t use an in-URL key. Rather submit patches to all your favourite feed-readers adding support for HTTP-authentication (and in the case of Google Reader, maybe don’t use it for private feeds).