Hacks, hacks, hacks...

Written by Adrian Holovaty on June 23, 2003

Three cases of poorly executed closed-content walls:

  • Beebo.Org has revealed a free and easy way to access online New York Times articles that are more than a week old (and are supposed to be obtainable only via the paid archives).
  • The Wall Street Journal has a similar security hole that allows free access to Journal stories, which are supposed to be behind a paid-registration wall. As in the Times hack, one may access Journal stories by making a quick and easy change to a story's URL. I saw this reported on a weblog late last year, but the article has been removed.
  • Salon.com's "premium" content wall is defeatable with modifications to the cookies on your computer, as explained in the latest issue of 2600.

If news organizations are serious about making users pay for content, they'd do well to plug the security holes. Otherwise, I encourage them to just let the Web be the free, global library it should be.
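What plugging these holes looks like on the server side, as an added sketch that is not code from the original post or from any of the sites named: access is decided from server-side article metadata rather than from the shape of the URL, and the subscription tier travels in an HMAC-signed cookie so that an edited cookie fails verification. The key, cookie layout, article catalogue and function names are all constructed for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta
from typing import Optional

# Constructed values for this sketch; a real key is random and kept server-side.
SECRET_KEY = b"constructed-demo-key"
FREE_WINDOW = timedelta(days=7)  # articles older than this are archive-only

# Constructed catalogue: article ID -> (publication date, premium flag)
ARTICLES = {
    "a100": (date(2003, 6, 20), False),  # recent, free
    "a200": (date(2003, 5, 1), False),   # older than a week, paid archive
    "a300": (date(2003, 6, 22), True),   # premium from day one
}


def _mac(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def sign_cookie(user_id: str, tier: str) -> str:
    """Issue 'user|tier|mac' so the client cannot change the tier unnoticed."""
    payload = f"{user_id}|{tier}"
    return f"{payload}|{_mac(payload)}"


def verified_tier(cookie: Optional[str]) -> str:
    """Return the tier only if the MAC verifies; otherwise treat as anonymous."""
    if not cookie or cookie.count("|") != 2:
        return "anonymous"
    user_id, tier, mac = cookie.split("|")
    expected = _mac(f"{user_id}|{tier}")
    # Constant-time comparison on bytes avoids leaking how much of the MAC matched.
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return tier if ok else "anonymous"


def may_read(article_id: str, cookie: Optional[str], today: date) -> bool:
    """Authorize per article ID, whichever URL or template requested it."""
    record = ARTICLES.get(article_id)
    if record is None:
        return False
    published, premium = record
    paid_only = premium or (today - published) > FREE_WINDOW
    return (not paid_only) or verified_tier(cookie) == "subscriber"
```

Every route that can render an article body has to call the same check; a single unguarded template is enough to reopen the hole.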

Comments

Posted by Rafat on June 23, 2003, at 7:17 a.m.:

-- NYT thing has been around for a while...some work, some don't. In any case, these stories are now free forever if you use Userland-NYT feeds.

-- the WSJ hack is on purpose, for these stories to be linked from other sites. Started with them sending stories to Romenesko to link media stories and works for all sites (also works through e-mail story function)

-- why would you want to go through the effort of tampering with the cookies? Their stories are still free, if you are willing to sit through a 15-second ad at the beginning of the day, through the Premium Day Pass

-- and adrian, don't publicize too much...these sites are well aware of the hacks, and like it unpublicized....if you talk about it too much, they will strangle off these back doors!

Posted by Ben on June 23, 2003, at 11:28 a.m.:

ESPN.com is the same deal. Paste any "insider" story's ID to a "regular" story's URL, and you're in. I'm sure all these places know about these, and even know exactly how many times it's done. But I'm also sure they're willing to let it slide if it's not used that often (sort of like how stores always have a margin for shoplifting or cashier errors).

Posted by David Wertheimer on June 24, 2003, at 12:36 a.m.:

The opinion of content publishers (including my former employer) was that folks with the time, effort and wherewithal to circumvent the pay barrier may as well go ahead and do so. The same folks are going to the library to read the NYT and the Journal for free, so what's the loss? Rather, the pay model exists as an enhancement: pay up, and we will make it easy for you to access what you're looking for.

Just as in retail sales, slippage is expected. All a foolproof system will do is disappoint the grassroots folks who increase page views while finding workarounds for sport.

Posted by Devon on June 24, 2003, at 1:43 a.m.:

I've been doing some backend Perl work for a decent sized & well used website, and I would never even consider giving them code that would allow a visitor to hack into protected content. I don't care if it means my job, 'cause I wouldn't be doing my job anyway if I allowed that.

Posted by Dan Martin on June 24, 2003, at 6:20 p.m.:

The problem is anytime you offer content on a sign-up basis there will always be loopholes to get through it. There is no such thing as a complete lockdown on content. Most of the companies know this. As a web developer, why give yourself a headache trying to tighten security when 99% of the public will not go through the hassle of bypassing the minimum security in place.

You can go to any news box on any street corner, put your change in, and you can grab every single paper in the box and give them to all your friends. It isn't the honest thing to do, but it can happen... and they realize it.

I don't think there should be such an emphasis placed on online closed content security, when security isn't an issue for the print version.

Posted by kpaul on June 25, 2003, at 12:03 a.m.:

Rafat - that was my first thought too. Ack, now they won't work. Will be interesting to see if word gets out and if they *do* actually do anything about it...

Some of the other comments remind me of this scene in Office Space, one of my all time favorite movies - the main character is in the car explaining an embezzlement scam that takes fractions of a penny off of every transaction (yes, ala superman w/richard pryor ;) Anyway, he said it wasn't actually stealing because it was just stealing a 'little bit...'

I have to admit I have circumvented sites before to get at content, though.

Posted by Idiot... on November 4, 2005, at 3:22 p.m.:

yeah so this is kinda dumb and unrelated...but how exactly do you bypass espn insider restrictions and view w/o an account? I'm a poor college student and I just want to read an article about fantasy basketball

Posted by Gotcha on November 16, 2005, at 11:54 a.m.:

I was also wondering how to bypass the ESPN Insider login to access the stories. Web content should be free. It is the internet after all.

Posted by RavenOfProphecy on January 2, 2006, at 4:38 p.m.:

I was wondering how to bypass the ESPN Insider screen as well. Could you give us an example?

Posted by anonymous on January 10, 2006, at 11:10 p.m.:

Could you give instructions on how to access ESPN Insider without signing up for it?

Posted by anonymous on February 1, 2006, at 11:57 a.m.:

I could not get your method to work... Try to hack this page as an example:

http://insider.espn.go.com/mlb/features/rumors?CMP=ILC-INHEAD&action=login&appRedirect=http%3a%2f%2finsider.espn.go.com%2fmlb%2ffeatures%2frumors%3fCMP%3dILC-INHEAD

Posted by mike on February 13, 2006, at 7:56 p.m.:

I want to be able to use the espn insider realtime desktop scoreboard without paying anything. Could you help me out here?

Posted by eric on July 20, 2006, at 11:49 p.m.:

ya

Posted by Jon on August 22, 2006, at 2:07 a.m.:

Hey Ben could you explain exactly what to do to bypass the insider crap on ESPN? I can't seem to get your method to work. =(

Comments have been turned off for this page.