[Web4lib] Library Elf reveals user info

Edward Vielmetti edward.vielmetti at gmail.com
Wed Dec 28 14:02:20 EST 2005


This is a problem with Bloglines, My Yahoo, and most
of the web-based RSS aggregators.  They tend not
to have a notion of a "private feed" and instead
focus on sharing as widely as possible.

RSS does have provisions for passworded feeds,
and indeed some products (e.g. enterprise wikis)
have this kind of support on the server side, and
native clients like Newsgator can handle the password
authentication.  It is straightforward to describe
and could be done without undue work by
library catalogs.

The Ann Arbor District Library puts periodic
notices in people's RSS feeds telling them if
they want to keep the feed fully private they
shouldn't use web-based aggregators.

Ed

On 28 Dec 2005 17:59:15 -0000, cpikas.14607360 at bloglines.com
<cpikas.14607360 at bloglines.com> wrote:
> It appears that they're trying to fix it... if you do the search now (as of
> 12/28 12:55 EST)...
> "Invalid password. A change has been made to the RSS
> feed security which makes it necessary for you to resubscribe to your Library
> Elf feed. Please login to your Elf account and copy the updated XML link to
> your feedreader. Note also that if your feedreader is one of the public RSS
> aggregators, Bloglines in particular, your feed could be treated as a public
> feed and therefore searchable by others on that system. Search for your feed
> in these aggregators to see whether your feed has been designated public.
> Our apologies for the inconvenience."
>
> HOWEVER -- if you look back a little
> in the feed, you can still see historical check-outs and all related personal
> information.
>
> Christina
>
> --- RL Hartman <lisrochelle at gmail.com> wrote:
>
> > It appears to be an issue with RSS feeds (at least in Bloglines).  I
> > randomly emailed one of the patrons who had his account hanging out for
> > all the world to see, and he was grateful to know about the problem, and
> > said he felt "a little stupid" for not having known of the risk.
> >
> > Rochelle Hartman
> > Bloomington Public Library
> >
> > On 12/28/05, Karen Coyle <kcoyle at kcoyle.net> wrote:
> > >
> > > Mary Minow posts a rather amazing story about Library Elf on her web site:
> > >    http://blog.librarylaw.com/librarylaw/2005/12/breaking_discov.html
> > >
> > > According to Mary:
> > >   "I had my Bloglines.com reader open for blog reading.  I typed
> > > "library elf" in the SEARCH ALL BLOGS box
> > > <http://www.bloglines.com/search?t=1&r=0&q=%22library%20elf%22>.
> > > Imagine my surprise when I got 228 results, most of which are
> > > *individuals' accounts - one more click gives you first names, email
> > > addresses, titles borrowed, on hold, etc. "
> > >
> > > It isn't yet clear how this happens, but at least one person whose
> > > account Mary retrieved claims that she had her feed marked as "private."
>
> _______________________________________________
> Web4lib mailing list
> Web4lib at webjunction.org
> http://lists.webjunction.org/web4lib/
>


--
Edward Vielmetti in Ann Arbor, MI 48104
+1 734 276 5910

edward.vielmetti at gmail.com
http://www.vacuumgroup.com
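
The "passworded feed" idea from the message above, as an added example that is not part of the original post or of any catalog's or Library Elf's code. It assumes the password protection is HTTP Basic authentication served over HTTPS; the patron id, password, URL layout and the `request` helper are constructed for illustration. The feed URL itself carries no secret, so a URL that ends up indexed by a web-based aggregator returns 401 instead of the loan list.

```python
import base64
import hashlib
import hmac

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample patron (id, salt and password are made up for this example).
PATRONS = {"patron42": (b"demo-salt", _kdf("correct horse", b"demo-salt"))}

def check_basic_auth(header):
    """Return the patron id for a valid 'Authorization: Basic' header, else None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    # Unknown users still cost one KDF run, so timing does not reveal valid ids.
    salt, expected = PATRONS.get(user, (b"no-such-user", b""))
    return user if hmac.compare_digest(_kdf(password, salt), expected) else None

def feed_app(environ, start_response):
    """WSGI app: a leaked or indexed feed URL is useless without the password."""
    patron = check_basic_auth(environ.get("HTTP_AUTHORIZATION"))
    if patron is None or environ.get("PATH_INFO") != f"/feeds/{patron}.xml":
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="patron feed"')])
        return [b""]
    # Constructed feed body; "private, no-store" tells shared caches not to keep it.
    body = f"<rss version='2.0'><channel><title>Loans for {patron}</title></channel></rss>"
    start_response("200 OK", [("Content-Type", "application/rss+xml"),
                              ("Cache-Control", "private, no-store")])
    return [body.encode()]

def request(path, user=None, password=None):
    """Call feed_app in-process (no sockets) and return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if user is not None:
        creds = base64.b64encode(f"{user}:{password}".encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + creds
    seen = {}
    chunks = feed_app(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(chunks)
```

A web-based aggregator that is given the password still holds a copy of the feed, so this protects the URL, not content a patron hands to a third party.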

