Firefox betrays RSS subscriptions
Firefox transmits the address of all RSS and Atom feed subscriptions to Google and Yahoo under some circumstances – even if the user does not intend to use the Google service for displaying feeds. The leak and its technical background were revealed by Jared Breland in his blog.
The new version 2 of Firefox provides users with the choice of which program or online service is to be used for viewing feeds. Users can either permanently select a reader or select from the available services each time a feed URL is clicked on. This includes applications installed on the PC or online readers from Google, Yahoo and Bloglines.
As part of its preview, Firefox displays the name of the service as well as a small graphic, known as a favicon. Breland observed that Firefox did not draw the Google icon from the program directory or the browser cache, but rather fetched it fresh from the Google server via HTTP for each new subscription. heise online was able to replicate this behaviour for the Yahoo favicon as well. Both servers also attempt to set a cookie.
Even if Firefox users do not use the Google service (or, by extension, the Yahoo service, since the same issues apply), Google nevertheless finds out about the URL of the visited site, as well as the user's IP address and browser data. The cookie, if set, allows Google to identify the surfer during later visits. Breland notes in his blog posting – correctly, we feel – that there is no technical reason for the graphic to be loaded from the server for each subscription.
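As an added illustration of how such a leak shows up in traffic, not code from the article, from Breland or from Mozilla: the script below scans constructed proxy log entries for favicon requests sent to a host other than the page that triggered them, and records whether the response tried to set a cookie. It assumes the visited-page URL reaches the third party through the Referer header, which the article does not state; the log lines, hosts and paths are made up for the example.

```python
"""Detect third-party favicon fetches that carry a first-party Referer.

Constructed proxy log entries (not from the article). Each entry is:
(HTTP method, request URL, Referer header, did the response set a cookie?)
"""
from urllib.parse import urlparse

SAMPLE_LOG = [
    # Browser fetched the Google feed-reader icon while previewing a feed.
    ("GET", "http://www.google.com/favicon.ico",
     "http://example.org/blog/feed.xml", True),
    # Same-site favicon: the site already knows its own URL, no leak.
    ("GET", "http://example.org/favicon.ico",
     "http://example.org/blog/", False),
    # Yahoo icon fetched while previewing an internal feed.
    ("GET", "http://my.yahoo.com/favicon.ico",
     "http://intranet.example.net/news.rss", True),
    # No Referer at all: nothing about the visited page is disclosed.
    ("GET", "http://www.google.com/favicon.ico", "", True),
]


def registrable_domain(host):
    """Crude 'site' comparison: keep the last two labels of the hostname.

    Adequate for the sample data; a real deployment would consult the
    Public Suffix List instead of this two-label shortcut.
    """
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(request_url, referer):
    """True when the request goes to a different site than the referring page."""
    req_host = urlparse(request_url).hostname or ""
    ref_host = urlparse(referer).hostname or ""
    return registrable_domain(req_host) != registrable_domain(ref_host)


def find_leaks(log):
    """Return one finding per favicon request that discloses a foreign page URL."""
    findings = []
    for method, url, referer, set_cookie in log:
        if method != "GET" or not referer:
            continue  # no Referer means no page URL is disclosed
        path = urlparse(url).path.lower()
        if not path.endswith("favicon.ico"):
            continue
        if is_third_party(url, referer):
            findings.append({
                "third_party": urlparse(url).hostname,
                "leaked_url": referer,
                "tracking_cookie": set_cookie,
            })
    return findings


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOG):
        print(f"{f['third_party']} learned {f['leaked_url']}"
              f" (cookie set: {f['tracking_cookie']})")
```

The same check works on real proxy or HAR exports once the tuple construction is replaced by a parser for that format; the interesting field to watch is a third-party host receiving a Referer that points at a page on a site the user is actually reading.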
heise online has informed the Mozilla Foundation about the problem. In an initial analysis, Tristan Nitot, head of Mozilla Europe, could not provide an explanation for the behaviour. He indicated that he would clarify the situation with the Firefox developers. In late 2004, the Mozilla Foundation reacted to a similar privacy issue by removing the flaw.