Hint: Don’t Reveal Your Gmail RSS Feed
Okay, this should be a no-brainer, but just because Gmail offers RSS feeds doesn’t mean you should offer them to the public. A number of people have done just that, sending their Gmail off to Feedburner and then subscribing in Bloglines, which puts it in the public directory (unless you actually thought to make it private). Among the apparent victims: Andy Rutledge, who likes Bear Grams when he isn’t redesigning company homepages.

I’ve already found out Naveen Joshi’s username (and missed his password by an ellipsis), and know that Joe is getting messages from his personal trainer, that Joe Grossberg invited himself to Gmail (for multiple accounts, I presume), and that there are nine companies that will refinance. Does Bloglines need to protect these users from themselves, or is it your fault when you make a feed of your email public?
Martin Belam discovered this snafu, and has a lot more to say on it. He also found one guy’s termination letter (ouch!). Maybe someone should email all these people and let them know what happened?
(via Danny Sullivan)
UPDATE: Sorry, turns out the Andy Rutledge who revealed his email in Bloglines has nothing to do with the web designer. Makes sense, since the Andy I’ve linked to in the past is a pretty smart guy. My deepest apologies.



I don’t agree with you publicizing this before they were contacted.
Comment by Hashim | October 3, 2006
Hashim, I pondered that over several times, and eventually linked to it because:
It was on Search Engine Watch, which has much more reach than I do.
It was ridiculously easy to find. Just typing “gmail” in the search got you a few.
None of the emails I read had anything incriminating or embarrassing (depending on your opinion of bear grams). If any of the people were writing about things they wouldn’t want the world to know about, I wouldn’t have linked.
Still, it was a tough call. What does everyone else think?
Comment by Nathan Weinberg | October 3, 2006
Well, maybe you could have just pointed it out without giving specific examples.
Comment by Pharod | October 3, 2006
Seems like Bloglines took itself down while they work this out.
Comment by DeWitt Clinton | October 3, 2006
Nah, they must have had some other maintenance reason, since it is back now, with no fix.
Comment by Nathan Weinberg | October 3, 2006
Seems like BlogLines removed them all.
Comment by Haochi | October 3, 2006
[…] Not too long ago there was an article about how people reveal too much about their lives in Google (or other web) calendars AND MAKE PUBLIC…. well I think this takes it a step further. Gmail lets you access your mail through an RSS feed…. well there are online services that let you subscribe/watch feeds and apparently the feeds are put in the public access folder…. (oooops.) Be careful what you make public…. Spread the word. […]
Pingback by Watch what things you store in public places…. part 342-- Avery J. Parker - Web site hosting and computer service | October 3, 2006
Not to sound snarky, but isn’t this old news?
May 15, 2005:
http://www.problogger.net/archives/2005/05/15/warning-about-checking-g-mail-rss-on-bloglines/
I guess we need to remind people from time to time not to hand the world their personal info, though.
Comment by Mark Woodman | October 3, 2006
[…] While many of us blogging bloggers have been doing battle against splogs and content thieves, Inside Google reminds us that blog feeds aren’t the only feeds out there being used and abused: Okay, this should be a no-brainer, but just because Gmail offers RSS feeds doesn’t mean you should offer them to the public. A number of people have done just that, sending their Gmail off to Feedburner and then subscribing in Bloglines, which puts it in the public directory (unless you actually thought to make it private). […]
Pingback by Idiot Alert: Don’t Share Your GMail RSS Feeds « Lorelle on WordPress | October 5, 2006
Nathan,
I don’t appreciate your linking this to my site (Andy Rutledge.com), as I do not have a gmail account and am in no way associated with the individual you chose to cite in this post. I request that you remove that erroneous link and post your correction.
Thank you,
Andy
Comment by Andy Rutledge | October 5, 2006
Andy, I’m terribly sorry. I just saw the name and jumped the gun. I should have realized there would be more than one person with the same name. I think you do the most amazing work, so trust me, I meant no offense.
Not that there’s anything wrong with Bear Grams.
Comment by Nathan Weinberg | October 5, 2006
I am that Joe Grossberg. And, yeah, I know the email feeds are publicly accessible. If I cared, I wouldn’t have subscribed via Bloglines, never mind put the thing on Feedburner.
In any case, I don’t think this was the most ethical way of dealing with the “discovery”. If you noticed someone left the door to their house ajar, would you blog their street address?
If people want to use Bloglines to read Gmail accounts that they want to keep private, I would advise using the email subscription features that Bloglines offers. Those are easily kept private.
I may switch to that myself, for no other reason than the risk of mistaken assumptions about my email (I’m not refinancing anything; that’s spam) and the fact that I exposed my email address (which *was* unintentional and dumb).
Comment by Joe Grossberg | October 6, 2006