STLToday’s Paywall is Weak
I’m originally from St. Louis, and in fact spent my last few years in St. Louis working with and taking on the media in one form or another. I’ve since moved on and no longer concern myself with the day to day craziness of St. Louis’ bizarre media scene…but I do like to check up on the sports.
STLToday is the website of St. Louis’ prominent newspaper, The St. Louis Post Dispatch, and it’s always been kind of a mess. Horrible designs, way too big pictures that take too long to load, crazy ads all over the place, etc…basically the standard crazy failing “old media” company stuff. Today they added “Paywall” to that list. There are countless articles about why paywalls don’t work and how they are at best a way to delay death rather than anything close to a solution, but frankly I just wanted to read the excellent sports coverage supported by ads!
Luckily it only took about 5 minutes to bypass the paywall.
When you load a STLToday.com article blocked by the paywall you’ll notice that the content is shown for a few seconds and then it redirects you to the pay screen. Interesting. At first I thought this might have been something along the lines of an enticement plan so you can see what you’re going to miss if you don’t pay up…but knowing the history of this particular website it made more sense that this was some drop-in paywall script that is loaded after the article and redirects once it reads your cookies and the content and determines you haven’t paid. I took a quick look at the page source and found a meta tag named “__sync_contentCategory”; it was set to “premium” on the article I wanted to read, but set to “free” on the article explaining their new paywall. Luckily their site is still slow as hell with all the ads and stuff they are loading, so if I just manage to change that meta tag to “free” on every article I read before their redirect script (probably loading on DOM ready) fires, will that short-circuit the whole system?
Yup.
Here’s the script (in the form of a user script that can be added to Chrome or Firefox): https://gist.github.com/mikeflynn/11379028
So what could STLToday do to make this a lot more secure?
- Well, they could avoid using JavaScript for one, and simply have the backend read the user's information and the content type, but I suspect that their CMS isn't set up to do this and it's probably something they licensed so they can't make any changes to it, which explains the drop-in solution.
- They could also make their site faster (a good idea anyway), but one could still figure out a way to inject my script before theirs runs.
- They could stop relying on a meta tag for content tagging and instead ping back to the server to request the content type (premium vs. free). This could still be bypassed by spoofing the server's response to your browser, but it would be a lot harder to write a script like the one I did earlier. This is probably a good enough solution, but if they still can't figure out how to write a server-side response on their CMS it can't happen.
- They could just not care. I very much doubt that they will see a lot of "digital subscriptions", and those that would be interested probably aren't the type to know what a User Script is or follow me on Twitter.