More and more news sites require memberships. More and more programmers focus on "front-end" coding. Together, these two trends leave much protected content not secure at all.
We'll examine the steps to access full-length articles on Medscape (www.medscape.com), a poorly constructed medical news site that's owned and operated by WebMD. The "News & Perspective" section is of particular interest.
First let's look at the site's "protection". Click on any news article on the home page - you'll be redirected to a login screen. Each link has the following format:
https://www.medscape.com/viewarticle/908084
Medscape came to our attention when one of its articles was indexed in Google News. The link on Google News led to exactly the same URL, but somehow there was no login screen. This gives away the first step:
Step 1 - Link from Google News
Open https://news.google.com/. Using the Developer Console in your browser, modify part of the page to include the following link:
<a href="https://www.medscape.com/viewarticle/908090" target="_blank">AAA</a>
The injected link will look like the following:
Click on the link and you'll see the teaser, or the first two paragraphs, of the article:
Step 2 - Disable JavaScript
In Firefox, go to about:config and search for "javascript". Double click on the line to disable JavaScript:
In Chrome, click on Settings in the top right corner, and search for "javascript". Disable JavaScript for all the sites for the duration of this step:
Step 3 - Reload the MedScape article page
Bingo! We can now see the entire article without ever signing in!
How does this work?
The MedScape website has made three critical mistakes. It relies on the Referer header to decide whether to show teaser content. On top of that, it uses JavaScript to perform the link resolution. The last mistake is using JavaScript to dynamically remove the protected paragraphs. JavaScript must be turned on for Step 1 to work.
The full article is transmitted but not displayed. Our initial thought was that it would be unwise to use this approach, but what if it were true? So we quickly verified our suspicion by searching for phrases from the last teaser paragraph in the HTML source and reading on from there.
Why does this matter?
We don't mean to pick on MedScape or WebMD for that matter. Although the website's content protection is baffling, such practice is quite common. There are three factors that plague this website as well as many others:
Politics - there is an interesting phenomenon: the organization of a physical machine often reflects the human structure of its manufacturer. The same is true of software. When a CMS uses client-side code to add or remove content on the fly, it shows that certain features were added as an afterthought. Probably the sign-in flow is considered a visual feature and was implemented by a front-end developer. The very notion of front- and back-end developers creates an unnatural divide. In comparison, we at Antradar train developers to understand the full transaction flow. There can be a front- or back-end focus, but the developers are not disconnected.
Tooling - more and more frameworks are JavaScript based. Even if a site is built with traditional back-end scripting technologies, the framework abstracts that away so that developers no longer think in the classical 3-tier fashion. If there is sensitive content, do not send it in the first place; filter it on the server side. The standard Antradar practice uses architectures such as LCHH that allow the client and server to communicate fluidly.
Talent Pool - there are many server-side, or "back-end", developers around, but they aren't the first point of contact. The "managing firms", often creative agencies, compete fiercely in the looks department. This puts graphic designers, and designer-derived "front-end" developers, on the front line.
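The difference between client-side and server-side gating, as an added example that is neither Medscape's nor Antradar's code: the weak pattern described under "How does this work?" (every paragraph is sent and the protected ones are merely tagged for a script to remove) beside the server-side filtering recommended under Tooling, plus a check that searches the raw response for members-only phrases the way the post did. The article object, its teaser split and the session shape are constructed for the demonstration.

```javascript
// Constructed sample article; the paragraph split and session shape are assumptions.
const article = {
  id: 'example-article',
  teaserParagraphs: 2,
  paragraphs: [
    'Paragraph one of the teaser.',
    'Paragraph two of the teaser.',
    'Paragraph three is members-only.',
    'Paragraph four is members-only.',
  ],
};

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Weak pattern: the whole article goes over the wire and protected paragraphs
// are only marked so client-side JavaScript can hide them. Disabling JavaScript
// (or reading the HTML source) reveals everything.
function renderClientGated(a) {
  return a.paragraphs.map((p, i) =>
    `<p${i >= a.teaserParagraphs ? ' data-protected="1"' : ''}>${escapeHtml(p)}</p>`
  ).join('\n');
}

// Hardened pattern: entitlement is decided on the server from the session, and
// paragraphs the visitor is not entitled to never enter the response. The
// Referer header is ignored: it is client-controlled and proves nothing.
function renderServerGated(a, session) {
  const entitled = Boolean(session && session.subscriber);
  const visible = entitled ? a.paragraphs : a.paragraphs.slice(0, a.teaserParagraphs);
  const html = visible.map((p) => `<p>${escapeHtml(p)}</p>`).join('\n');
  return entitled ? html : html + '\n<p class="login-wall">Sign in to read the full article.</p>';
}

// Regression check mirroring the post's verification: count how many
// members-only paragraphs appear anywhere in the raw HTML response.
function protectedTextIn(html, a) {
  return a.paragraphs.slice(a.teaserParagraphs)
    .filter((p) => html.includes(escapeHtml(p))).length;
}

// Anonymous visitor: the weak renderer leaks both protected paragraphs,
// the server-gated one leaks none, regardless of Referer or JavaScript state.
console.log(protectedTextIn(renderClientGated(article), article));   // 2
console.log(protectedTextIn(renderServerGated(article, null), article)); // 0
```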
A word on fair charge
How much does a MedScape membership cost? We don't know. It could even be free, but that's beside the point. There is an intrinsic cost a user pays when they go through the hassle of signing up.
Imagine filling out a lengthy survey form, giving away much of your personal contact information, and having to deal with incessant sales calls for months to come, just to find out that the "free article" download is a static link. How is this fair to registered users?