Private feeds shown as public (data breach)

  • I’m facing a troubling issue with Pocket Casts on Android and wanted to see if anyone else is experiencing this or has any insights. Here’s the situation:

    • I’ve added several RSS feeds in my app (both Android and iOS) that I absolutely intended to keep private. I never submitted them for public listing nor have I added them on pocketcast.com/submit. Yet, they’re discoverable by anyone searching in the app, resulting in a data breach (personal data is part of the URL that is also shown).
    • I contacted support a week ago about this – zero response so far. To make things worse, I tested the submission feature pocketcast.com/submit yesterday (through the web), opting for ‘private’, and the same thing happened – the feed is publicly searchable/findable. This feels like a serious breach of the whole point of having “private” feeds.
    • I don’t want my RSS feeds to be findable by someone else I haven’t provided with the URL. Has anyone else noticed this? Is there a fix I’m missing?

    The lack of email support acknowledgement is really concerning and I strongly believe that this data breach/leak deserves more urgent attention from Pocket Casts. A message that Pocket Casts is investigating both issues with the highest priority would be greatly appreciated!

    I would also suggest that on the podcast page (when you visit https://pca.st/…), the source of the RSS is not displayed while you hover over the RSS / Apple Podcast buttons (as that URL might contain personal stuff).

  • Came here to post an almost exact thread.

    I added a private feed yesterday as well, and to my surprise other people can find this feed when searching!

    As you can imagine this is both a serious issue, not only for the person submitting these feeds, but also for the content creators! If people can find private feeds without paying, these content creators can lose a valuable source of income.

  • @skube34, I’ve responded to your email.

    @jaspervandermeij, to be sure, can you let us know where you submitted your private feed? Was this on one of the apps? Or was it directly through our submission form? I’ll also reach out to you through email so we can correct your podcast’s privacy setting.

    I’ve also asked the team to look into potential issues with podcast submission. Thanks for bringing this to our attention!

  • @staff-cara Thanks for your reply. I added the private feed using https://pocketcasts.com/submit/ and chose ‘private’ as option. After that, I didn’t add it to my feed. After a few hours I searched for the title, and could find it public in the search. I asked a friend to search as well, and he found it too.

  • And as an addition; another private feed was not added via /submit, but added via the search form top-right at https://play.pocketcasts.com/podcasts. It was added to my personal feed, and after a few hours it was also searchable on the title (also public, for other users).

  • @jaspervandermeij Thanks for confirming. We’ve been looking into this, and there are at least four private feeds for the particular podcast you emailed about. Three of them are correctly hidden from public search, so we’re checking why yours isn’t.

    Do you know if the <itunes:block>Yes</itunes:block> tag was only recently added to your feed? If the tag was added after the feed was submitted to our system, the change doesn’t get immediately picked up by our system. There will be some delay before the podcast is eventually removed from search.

    I believe I’ve also found your original email (it was sent from a different email address), and I’ll respond there too.

  • Same problem here, I’ve added two private podcasts a couple of days ago using the pocketcast.com/submit form and now they are indexed!

    Already sent an email to support but no response and the podcasts are still present in the public library.

    This situation is concerning as it exposes my private data by publishing the URL of my private server and paid content under copyright. What a shame!

    It’s been over a week since this issue was reported, how is it possible that this hasn’t been resolved yet?

  • @hexgrim I don’t see a message from the same email you’re using here on the forums within our emails, so I am following up with you directly by email to the one you have used here so we can resolve this.

  • @staff-mobilefox I haven’t received your email to my forum email yet.

    Previously I’ve written with another email address to (email visible only to moderators and staff) with subject “Private feed indexed”.

    Please contact me at one of the two email addresses, thank you.

  • Hi @hexgrim! I am not sure which one of the emails about private feed being indexed came from you. To make sure we replied to the right person, we’ll need your email address.

    Since we do not want you sharing your email address here in public, please start a new topic in the forum. We are able to find the email address of the creator of a forum topic, that way we can send you an email to that email address.

  • I’ve already asked you to contact me to this email address if you can’t find my email. Alternatively, you can reply to all the private feed issue emails you receive…

    Btw I’ve solved it by myself adding the <itunes:block> tag to my feeds.

    Anyway you are still exposing private feeds, I can find the same paid podcasts by other users’ feeds.

    I was thinking of purchasing the plus plan, but after this experience, I don’t think I will.
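
Added example, not part of the original thread and not Pocket Casts code: a pre-submission check for the two things discussed above, whether the feed carries the `<itunes:block>` tag staff ask about and whether the feed URL itself holds personal data. It assumes the tag is read at channel level in the standard iTunes podcast namespace; `SECRET_KEYS`, the sample feeds and the example.org URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

ITUNES_NS = "http://www.itunes.com/dtds/podcast-1.0.dtd"
# Assumed heuristic: query parameter names that usually carry a per-user secret.
SECRET_KEYS = {"token", "key", "auth", "secret", "password"}

def channel_blocked(feed_xml):
    """True only when <channel> itself carries <itunes:block>Yes</itunes:block>."""
    channel = ET.fromstring(feed_xml).find("channel")
    if channel is None:
        return False
    block = channel.find(f"{{{ITUNES_NS}}}block")  # direct child only, not per-item
    return block is not None and (block.text or "").strip().lower() == "yes"

def url_secrets(feed_url):
    """Name the parts of the feed URL that leak if a directory displays it."""
    parts = urlsplit(feed_url)
    found = ["userinfo"] if (parts.username or parts.password) else []
    found += [f"query:{k}" for k, _ in parse_qsl(parts.query) if k.lower() in SECRET_KEYS]
    return found

def audit(feed_url, feed_xml):
    """Return findings to fix before submitting a private feed anywhere."""
    findings = []
    try:
        if not channel_blocked(feed_xml):
            findings.append("no channel-level itunes:block=Yes")
    except ET.ParseError:
        findings.append("feed is not well-formed XML")
    findings += [f"secret in URL ({s})" for s in url_secrets(feed_url)]
    return findings

# Constructed sample feeds (not taken from the thread).
HEAD = f'<rss version="2.0" xmlns:itunes="{ITUNES_NS}"><channel><title>Members</title>'
BLOCKED = HEAD + "<itunes:block>Yes</itunes:block></channel></rss>"
ITEM_ONLY = HEAD + "<item><itunes:block>Yes</itunes:block></item></channel></rss>"
UNCLOSED = HEAD + "<itunes:block>Yes<itunes:block></channel></rss>"

if __name__ == "__main__":
    url = "https://feeds.example.org/members.xml?token=CONSTRUCTED"
    for name, xml in [("blocked", BLOCKED), ("item-only", ITEM_ONLY), ("unclosed", UNCLOSED)]:
        print(name, audit(url, xml))
```

The `ITEM_ONLY` and `UNCLOSED` samples cover two ways a feed can appear to have the tag while a parser sees no channel-level block: the tag sits only inside an `<item>`, or its closing tag is malformed.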

  • Hi there, @hexgrim

    We have sent you an email yesterday regarding this matter, but have not gotten a response as yet.

    Let’s continue our discussion there. If anyone else faces a similar issue, you can email us since the matter relates to Private Feeds.
