Using Bloglines to snoop on people's private Gmail

 by Martin Belam, 1 October 2006

I was astonished on Friday when I was looking at my Gmail account inbox, and accidently hit the 'Subscribe with Bloglines' bookmarklet on my Firefox links toolbar. Bloglines then dutifully put up on the screen a whole series of Atom feeds of other people's Gmail accounts that I could subscribe too.

Gmail feeds in Bloglines

At first, because all of the Atom feeds had been sent through FeedBurner, and the content seemed so spammy, I wondered if it might not have been set up to entice people to subscribe to the feeds as a way of getting more eyeballs on spam email. However, a couple of the feeds seemed to contain genuine personal email, and frankly, such a high percentage of email traffic is spam that if you monitored any email address I'm sure the ratio of spammy mail would look quite high.

Whilst you are not able to go straight from the feed to look at the complete email, once subscribed you can read the subject and the first line of any email sent to these addresses. That can be enough though, especially once a thread starts. For example I know one of these people left their job last week.

This person has just left their job

In another email, you nearly get hold of someone's user ID and password for a website, further prove that Dave Cross is right when complaining about the poor handling of password data by a lot of online applications. In this case there just are not enough characters in the snippet to reveal the password - but only just.

User ID and password

I think that is where the privacy issue gets a bit scarier and, for me, more controversial. The people sending emails to these addresses have no control over whether the recipient has made their Gmail feed public via an aggregator like Bloglines or not. There is the potential that in the opening line or subject of an email that they think is a secure private one-to-one conversation they could give out very personal details, or defame someone, and end up with their private communication plastered all over the web.

The fault I guess lies with both Google and Bloglines. Google clearly need to more to educate their Gmail Atom users about the potential privacy implications of making their email available in a syndication format. They do have an FAQ answer that warns you that if you do not set the feed to private in your aggregator, you are revealing your email to the world.

Are my Google Mail RSS feeds publicly accessible?
Many aggregator services mark your profile and feeds as public by default, making the subjects and snippets of your Google Mail messages searchable. Even though other users can view the subjects and snippets, the entire content of your messages is not accessible.
If you want to make sure that your Google Mail feeds are not searchable, we suggest setting your profile and feeds as private.

However, that warning isn't given in the main FAQ entry about setting the feed up, even though Google take the time to warn you that the feed will not appear until you have some unread mail in the feed.

How do I view Google Mail messages with my aggregator?
You can view Google Mail messages in your aggregator by subscribing to a new channel. Enter https://mail.google.com/mail/feed/atom in the 'URL' field, then submit your Google Mail address and password.
Please keep in mind that Google Mail messages will not appear in your aggregator unless there are unread messages in your inbox.
Google Mail FAQ

And Bloglines could do something to restrict the display of feeds with the telltale sign of contaning content from Gmail, so that if you know your own Gmail Atom address you can subscribe to it, but that you can't fish for other people's mail using Bloglines anymore.

6 Comments

Hmm, I'd say that it's more of Google's fault than Bloglines. Bloglines can't after all be expected to detect and place warnings on all the various kinds of potentially private news feeds (why give Gmail special treatment). Besides, there are potentially cases where uses might WANT to make a Gmail feed publically available (difficult to think of examples though, other than perhaps as part of some Alternative Reality Game).

Ultimately, having 'private' RSS feeds via a unique and non-easily guessable URI is just an example of trying to do 'security through obscurity', and is doomed to failure. To really do private feed syndication, you either need to use simple HTTP authentication (which Bloglines doesn't support) or invent some new format...

As all these GMail feeds have been put through Feedburner or some similar service (you can also access them by clicking on the green feedburner.com links), then the blame lies at the feet of Feedburner (by not password-protecting feeds that are read from password-protected sources), or the user themselves (for running a private feed through a public RSS provider, then publicly subscribing to it in Bloglines).

I would tend to think that Google, Bloglines and Feedburner *all* need to look at either the way they have their system set up, or the advice that they are giving to their users at the point where the users are causing/allowing this to happen.

Of the feeds you can see via Bloglines, a couple of them are not being made available via Feedburner, although all of the ones in my screenshot were

This is the fault of the education system and its lack of informing the public not to do foolish things in life.

I never knew...this could actually be dangerous. Both Google and bloglines ought to step up and take care of things by fixing this. Has anything been done to fix this?

Hi Brook, yes Google and Bloglines both acted quickly to fix this - I had emails from people at both companies within a couple of days of the original post saying that they had closed this particular privacy loophole.

Keep up to date on my new blog