[akregator] [Bug 391865] New: Akregator allows feeds to gather data on article reading habits

Jaak Ristioja bugzilla_noreply at kde.org
Wed Mar 14 20:50:34 GMT 2018


            Bug ID: 391865
           Summary: Akregator allows feeds to gather data on article
                    reading habits
           Product: akregator
           Version: 5.5.3
          Platform: Ubuntu Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: kdepim-bugs at kde.org
          Reporter: jaak at ristioja.ee
  Target Milestone: ---

Created attachment 111403
  --> https://bugs.kde.org/attachment.cgi?id=111403&action=edit
Screenshot of (an unbranded version of) Mozilla Thunderbird handling a similar

I'm filing a new bug as instructed in
https://bugs.kde.org/show_bug.cgi?id=229989#c2 and
https://bugs.kde.org/show_bug.cgi?id=229989#c3 since this still occurs in
recent versions of Akregator.

When opening an article, Akregator automatically downloads all requisites found
in the <description> (e.g. if images etc. are specified in HTML; perhaps even
Flash or AJAX?). Generally this generates extra HTTP(S) requests to remote
server(s), leaking information about the user's activities, i.e. which articles
they browse, and possibly info about how long they read an article before
switching to another article, etc.

The man in the middle, even when the user is using HTTPS, has quite good
chances to figure out the exact articles being read (given he can determine the
endpoint of the HTTPS connection), which are probabilistically among those new
articles which the user has not previously read.

Hopefully it will be configurable per-feed, whether such requisites are
downloaded or not, and with an action somewhere to force download of requisites
of the article currently open.

Please fix these privacy leaks!

Mozilla Thunderbird, for example, handles such e-mails with remote content much
better, by prompting the user about whether to download remote content or not
(see attached screenshot). This is also what Akregator could do on a per-feed
basis. An "always show remote content" checkbox could also be added to the feed
properties dialog.

You are receiving this mail because:
You are the assignee for the bug.
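
The per-feed behaviour requested in the report above, as an added Python sketch that is not part of the original mail and is not Akregator code: it rewrites a feed item's `<description>` so that auto-loading attributes are parked under a `data-blocked-` name (which keeps the URL available for a "load now" action) and returns the URLs that would otherwise have been requested. The names `render_description`, `RequisiteBlocker` and `allow_remote` are hypothetical, and the sketch assumes scripting is disabled in the article view and does not look inside CSS `url()` values.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element attributes that make an HTML view fetch a resource with no user action.
AUTOLOAD = {"img": ("src", "srcset"), "source": ("src", "srcset"),
            "script": ("src",), "iframe": ("src",), "embed": ("src",),
            "object": ("data",), "audio": ("src",), "video": ("src", "poster"),
            "link": ("href",)}

def fetch_targets(attr, value):
    """URLs the attribute would load; data: URIs are inline and cost no request."""
    if attr == "srcset":  # "url 1x, url 2x" -> first token of each candidate
        urls = [c.split()[0] for c in value.split(",") if c.strip()]
    else:
        urls = [value.strip()]
    return [u for u in urls if u and urlsplit(u).scheme.lower() != "data"]

class RequisiteBlocker(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []

    def _tag(self, tag, attrs, end=""):
        parts = []
        for name, value in attrs:
            auto = name in AUTOLOAD.get(tag, ())
            targets = fetch_targets(name, value or "") if auto else []
            if targets:
                self.blocked += targets
                name = "data-blocked-" + name  # inert, but the URL is kept
            parts.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}{end}>")

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs)
    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, " /")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def render_description(html, allow_remote=False):
    """Return (html_to_display, blocked_urls) for one article of one feed."""
    if allow_remote:  # the feed's "always show remote content" setting
        return html, []
    parser = RequisiteBlocker()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample <description>: a 1x1 remote pixel plus an inline image.
SAMPLE = ('<p>New release</p><img src="https://tracker.example/px.gif?article=42'
          '&amp;u=abc" width="1"><img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">')
```

A non-empty `blocked_urls` list is the condition under which a reader would show a Thunderbird-style "remote content was blocked" prompt for the article.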
