Liferea before 1.4.6 uses weak permissions (0644) for the feedlist.opml backup file, which allows local users to obtain credentials.