I have discovered a feature (or perhaps vulnerability?) of FriendFeed that, intended or not, could enable marketers to track every single view of their RSS posts to FriendFeed. The feature revolves around the ability to embed images, via a subset of RSS called MediaRSS, into your RSS feed. If your RSS is MediaRSS formatted, FriendFeed automatically reads the images in the feed and displays the first one as the main image in the post to your feed on FriendFeed.com. Here’s the problem though (or maybe it’s a feature?) – FriendFeed stores the original URL to the image as the main image URL. They don’t re-format it at all or store it on their servers. This means you can dynamically produce anything you want on FriendFeed.com, set cookies, store IP information, etc. without the user ever knowing about it.
I discovered this hole due to an annoyance I had with my TweetMeme button always showing up as the image in my posts to FriendFeed. I noticed that the number of retweets was dynamically updating, right on FriendFeed. Sure enough, looking at the source of the image, the image was being generated from TweetMeme’s servers, not FriendFeed’s.
Such Web Bugs are common throughout the web, especially in advertising and other marketing-based mediums, so the threat isn’t huge. However, this may be something the FriendFeed team may want to look at if they don’t want marketers to be getting information about their users off the FriendFeed.com site itself. If anything, I’d like to see them just ignore 3rd-party image URLs altogether and maybe my pesky TweetMeme icon will stop showing up as the image on my posts to FriendFeed. Is this a feature or a “bug”?
Googling, here’s some more information I found about “Web Bugs”: http://www.leave-me-alone.com/webbugs_growing.asp
