Thieving Feedly: Pulling off a Twitter Card heist

Gravitational collapse is the inward fall of a body due to the influence of its own gravity. [Ref]

The BBC recently ran another week of Stargazing Live where Professor Brian Cox and Dara O Briain try to educate us about the stars, the galaxies, the universes and everything else. I wasn’t intending to watch it but found myself hypnotically drawn in as the hosts and guests dangled some of the known and unknowns before us.
Perhaps whimsically I started thinking about the parallels between the universe and the internet. The ever expanding mass of stuff, 95% of which is made of ‘dark matter’ (the unknown entity that makes the equations balance). I’ve even done some of my own stargazing exploring the ds106 galaxy. The image below from this shows the nebula of interconnected blog posts, comments and tweets which form part of this open course.

ds106 Galaxy

Recently I’ve been seeing a number of cracks in the internet as external forces pull and push it into a shape it shouldn’t be. There are headline events like NSA hacking, ISP filtering/blocking, neutrality. In some ways equally, if not more dangerous, are the multitude of minor events, the things that don’t get headlined, the changes that go almost unnoticed. For example spot the difference:

Twitter Summary Card Feedly Twitter App Card

The image on the left was shared from Doug’s original post. The image on the right was shared from the Feedly RSS Reader App for Android. So the text and displayed link is slightly different. Doug knows his internet beans so on his blog he has implemented ‘Twitter Cards’ which let you add extra metadata to your page which Twitter can read to enhance the tweet with author, description, image and link. In the Feedly app the link is automatically wrapped in their own shortened url (you’ll see later that they are just using a bitly pro account).
On one hand I can see why they would do this. By directing you through their url they can get click data. Where this starts falling down is as a user I can’t see where they are using this data to enhance their product. In the ‘good old Google Reader’ days, Google had a nice feature to sort stories ‘by magic’, essentially using usage data to work out what you are most likely to read. Feedly don’t appear to have got there yet… What is even more annoying is Feedly have hijacked Doug’s carefully crafted Twitter Card so that instead of allowing users to ‘View on web’ it now has ‘Open in Feedly Reader | Blogs,News,RSS app’, which directs you to either Apple or Android store to get their app. The app is free, but this isn’t the issue. Feedly have stolen my intent to share a story to my network to stuff an ad. That sucks!
Needless to say Feedly has been uninstalled. I was left pondering: how did they do it?

Pulling off a Twitter Card heist

In the Feedly tweet the url is displayed as In actual fact Twitter will send you via their servers if you click the link as you can see from the source from href=””:

Twitter source

So let’s follow the round trip. There are a number of tools to do this; I’ll show you how I do this with Chrome.

  1. Open a fresh tab
  2. Press Ctrl+Shift+I to get the developer tools
  3. Switch to the ‘Network’ tab and click the black circle (this has moved in a recent update to the top of the window) so it turns red
    Developer Tools : record
  4. Next in the address bar of the tab you opened paste and hit return.

Once the page is loaded back in the developer tools you should have a table like this (you’ll have to scroll back to the top to see this):

Page route

This shows the route the browser went to get to and display resources in the page. So we can see we started with the Twitter link headed to (waiting almost 10 seconds for a response … tisk, tisk Feedly), popped by bitly before returning to feedly and then finally getting to the page we wanted.
For most of these we didn’t really stick around. The status column records how the server handled the request and for most it was a redirect (logged by the server but essentially it said ‘move along, nothing to see here’). The last hop was to, which was slightly different. At this point there was an HTML page with 6.9KB of data. Whereas the other pages were redirected by the server the status 200 indicates that the redirect was done in the page. So what does that page look like? If we try and open the link it will just redirect us to Doug’s post. There are various ways to capture this page, the easiest for me was to write a couple of lines of Google Apps Script to save the page to my Google Drive. And here is the result:
So what have Feedly done? They’ve faithfully recreated some of the metadata Doug already had in his post like title, but have thrown in some of their own. For a start they’ve put in some Facebook Open Graph Metatags and then we can see they’ve switched Doug’s original Twitter Summary Card for a Twitter App Card. And then there is a whole bunch of JavaScript I’m struggling to make sense of but part of it is Google Analytics tracking code where they might be getting a bunch of demographic data.
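The two checks described above, server redirect versus in-page redirect and which Twitter Card tags the interstitial serves compared with the original post, can be run over a captured hop list. This is an added example, not the Apps Script used for this post; the hosts, URLs, app id and HTML below are constructed placeholders, not the real responses.

```javascript
// Added example: constructed data, not the real responses from the post.
// Each hop mirrors a Network tab row: status, Location header, body.
const hops = [
  { url: 'https://t.example/abc', status: 301, location: 'https://reader.example/r/1', body: '' },
  { url: 'https://reader.example/r/1', status: 302, location: 'https://short.example/xyz', body: '' },
  { url: 'https://short.example/xyz', status: 301, location: 'https://reader.example/i/1', body: '' },
  { url: 'https://reader.example/i/1', status: 200, location: null, body: `
    <html><head><title>A post</title>
    <meta property="og:title" content="A post">
    <meta name="twitter:card" content="app">
    <meta name="twitter:app:id:googleplay" content="com.reader.example">
    <meta http-equiv="refresh" content="0; url=https://blog.example/a-post">
    </head><body><script>window.location.replace("https://blog.example/a-post");</script></body></html>` },
];
const originalPage = `<html><head><meta name="twitter:card" content="summary">
  <meta name="twitter:creator" content="@author"></head></html>`;

// Collect <meta name|property|http-equiv=... content=...> pairs into an object.
function metaTags(html) {
  const tags = {};
  for (const m of html.matchAll(/<meta\b[^>]*>/gi)) {
    const key = /(?:name|property|http-equiv)\s*=\s*["']([^"']+)["']/i.exec(m[0]);
    const val = /content\s*=\s*["']([^"']*)["']/i.exec(m[0]);
    if (key && val) tags[key[1].toLowerCase()] = val[1];
  }
  return tags;
}

// A 3xx with a Location header is done by the server; a 200 whose body has a
// meta refresh or a script location change redirects inside the page.
function classifyHop(hop) {
  if (hop.status >= 300 && hop.status < 400 && hop.location) {
    return { kind: 'server-redirect', target: hop.location };
  }
  const refresh = /url\s*=\s*([^"'\s;]+)/i.exec(metaTags(hop.body)['refresh'] || '');
  const script = /location(?:\.href\s*=|\.replace\()\s*["']([^"']+)["']/i.exec(hop.body);
  const target = (refresh && refresh[1]) || (script && script[1]) || null;
  return { kind: target ? 'in-page-redirect' : 'final-page', target };
}

// Report which twitter:* tags the interstitial serves versus the original page.
function cardDiff(originalHtml, interstitialHtml) {
  const pick = (t) => Object.fromEntries(Object.entries(t).filter(([k]) => k.startsWith('twitter:')));
  const a = pick(metaTags(originalHtml)), b = pick(metaTags(interstitialHtml));
  return { originalCard: a['twitter:card'], servedCard: b['twitter:card'],
           added: Object.keys(b).filter((k) => !(k in a)),
           dropped: Object.keys(a).filter((k) => !(k in b)) };
}
```

Run against your own captured pages, `cardDiff` shows at a glance whether a sharing intermediary has swapped the card type or dropped the author's tags.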
I’m sure other services are pulling this trick and I’m not naive that there hasn’t been a long history of tracking. My concern is that these practices are becoming increasingly intrusive and that we accept services without understanding the mechanics of the web, forgetting that we all can be web makers not just users. So it goes without saying ‘long live the web literacy map’, ‘long live your own domain’, ‘long live the open web’!

