@rohit-dua discovered that a user’s private Atom feed access token could be leaked to third parties via the Referer header when visiting outbound links. This issue only affected a small subset of users because most feed readers will send their own domain as the referrer or no referrer at all. However, in some scenarios, such as visiting the feed directly in a web browser that auto-renders Atom feeds, the referrer would leak the private access token. We addressed the vulnerability by adding a ‘noreferrer’ link relation to outbound links.
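The fix described above can be checked mechanically. The following is an added example, not code from the original write-up or the affected project: it audits rendered feed HTML for outbound links that lack the `noreferrer` link relation. The feed URL, token and HTML are constructed sample values, and "outbound" is assumed to mean any http(s) link whose hostname differs from the feed's.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample input (not real data): a private feed URL carrying a
# token in the query string, and HTML as it might appear in a feed entry.
SAMPLE_FEED_URL = "https://example.com/alice.private.atom?token=CONSTRUCTED_TOKEN"
SAMPLE_HTML = """
<a href="/alice/project">same-origin link</a>
<a href="https://third-party.example.net/post">outbound, no rel</a>
<a rel="nofollow noreferrer" href="https://other.example.org/">outbound, protected</a>
<a rel="nofollow" href="//cdn.example.net/lib.js">protocol-relative outbound</a>
<a href="mailto:alice@example.com">not http(s)</a>
"""

class OutboundLinkAudit(HTMLParser):
    """Collect outbound <a href> targets that do not carry rel=noreferrer."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.leaky = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if not href:
            return
        # Resolve relative and protocol-relative hrefs against the feed URL.
        target = urlsplit(urljoin(self.page_url, href))
        if target.scheme not in ("http", "https"):
            return  # mailto:, javascript:, etc. are out of scope for this check
        if target.hostname == self.page_host:
            return  # assumption: same hostname means not a third party
        # rel is a space-separated, case-insensitive token list.
        rel_tokens = (attrs.get("rel") or "").lower().split()
        if "noreferrer" not in rel_tokens:
            self.leaky.append(target.geturl())

def find_leaky_links(page_url, html):
    """Return outbound link targets that could receive page_url as Referer."""
    audit = OutboundLinkAudit(page_url)
    audit.feed(html)
    audit.close()
    return audit.leaky

if __name__ == "__main__":
    for url in find_leaky_links(SAMPLE_FEED_URL, SAMPLE_HTML):
        print("missing noreferrer:", url)
```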