Defeating Salon.com's Premium Content
-------------------------------------
by annie niemoose

www.salon.com is offering a feature where, instead of paying a fee to view their "premium" content, you can click through four pages of ads and get a one-day pass to the premium service. This is done with a cookie and, sadly, the values used for the cookie were poorly thought out, leading to a compromise of the scheme. But more about this later. First let's look at the cookies.

You will first need to get the cookies into your file, and the easiest way to do this is to simply comply with the scheme in the first place. They come from www.salon.com, salon.com and content.ultramercial.com (or whatever advertiser they're using at the time).

If you're inclined to do so, you can get rid of all the www.salon.com cookies (this includes the one that identifies your computer's hostname or IP). I recommend blocking cookies from there entirely because they all look pretty rude and antisocial.

The salon.com cookie SALON_PREMIUM you need to keep, but it doesn't contain personally identifiable information. salon.com will also set an RMID cookie whenever you visit a page. Keep it for now; you can delete it later.

content.ultramercial.com has a cookie in this scheme called VISITOR. The contents of this one look encrypted... er... at least it's got high enough entropy that I'm not willing to dwell on it, especially since you don't need it after you get salon.com's SALON_PREMIUM cookie. So you can delete VISITOR as well.

So the only cookie you need to keep seems to be SALON_PREMIUM. Here's the cookie:

SALN_REG%3DY%2CSALN_USERNAME%3DULTRAMERCIAL%2CSALN_SHOW_ADS%3DY

That is plain URL-encoding (%3D is "=" and %2C is ","), so decoded it reads SALN_REG=Y,SALN_USERNAME=ULTRAMERCIAL,SALN_SHOW_ADS=Y. As you can see, there's no information in there about a date. Further, you'll notice that the username is ULTRAMERCIAL, the advertising site that provides the many clickthrough ads. So it looks like they're just using the old cookie from Salon Premium and giving everybody the same username. Bad Move.
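To make the cookie format concrete, here is a small decoder and re-encoder for the SALON_PREMIUM value, written as an added example for this article (it is not Salon's code and not the author's). The cookie value is copied from the article; the function names and the with_ads_disabled helper, which applies the author's guess about SALN_SHOW_ADS, are mine.

```python
from urllib.parse import quote, unquote

# The SALON_PREMIUM cookie value exactly as the article shows it (constructed copy).
SALON_PREMIUM = "SALN_REG%3DY%2CSALN_USERNAME%3DULTRAMERCIAL%2CSALN_SHOW_ADS%3DY"


def parse_salon_premium(value: str) -> dict:
    """Decode the URL-encoded, comma-separated KEY=VALUE list into a dict.

    Every field in the cookie ends up here, so a glance at the result shows
    what the server has to go on: three flags and no timestamp or user-specific
    value of any kind.
    """
    fields = {}
    for item in unquote(value).split(","):
        if not item:
            continue
        key, sep, val = item.partition("=")
        fields[key] = val if sep else ""
    return fields


def encode_salon_premium(fields: dict) -> str:
    """Inverse of parse_salon_premium: rebuild the cookie in the same encoding.

    quote() with safe="" turns "=" into %3D and "," into %2C, which is exactly
    the encoding seen in the browser's cookie file.
    """
    raw = ",".join(f"{key}={val}" for key, val in fields.items())
    return quote(raw, safe="")


def with_ads_disabled(value: str) -> str:
    """Return the same cookie with SALN_SHOW_ADS flipped to N (hypothetical edit)."""
    fields = parse_salon_premium(value)
    fields["SALN_SHOW_ADS"] = "N"
    return encode_salon_premium(fields)


if __name__ == "__main__":
    print(parse_salon_premium(SALON_PREMIUM))
    print(with_ads_disabled(SALON_PREMIUM))
```

Round-tripping the value through parse_salon_premium and encode_salon_premium gives back the original string, which confirms the format is nothing more than an encoded list of flags; nothing in it ties the cookie to a user or to a date.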
Also, this is supposed to be a one-day pass. How are they enforcing that? The cookie expiry date, of course. Bad Move Number Two. The expiry date lives only in the cookie file on your machine; a browser sends just the cookie's name and value back to the server, never its expiry, so the server has no way of knowing whether that date has been changed. You'll also notice the SALN_SHOW_ADS value is set to "Y". My guess is that editing this to say "N" will spare you any advertising.

So to get an unlimited pass to Salon Premium, all you need to do is change the expiry date of the cookie. Quit your browser. Open your cookies file in your favorite text editor and hope it isn't a binary. Luckily, mine was xml. Find the SALON_PREMIUM cookie and change the date. The date may be in some loony proprietary format or hashed. This is trivial to get around: just find the RMID cookie for salon.com (expires in 2010), copy its expiration, and paste it into SALON_PREMIUM's expiry. Save. You now have free, unfettered access to Salon Premium until 2010.

Now I like Salon. Their news coverage is often one of the only dissenting voices in the news media that doesn't come across as paranoid ranting. So here's how I think they could fix this hole and get what they are aiming to get out of the one-day pass.

They can keep the same cookie format for SALON_PREMIUM with a username of ONEDAYPASS. The ONEDAYPASS user would require an additional cookie. When you successfully complete the clickthrough, a string is generated which consists of, first, a random salt value and, second, a timestamp. The combined string is then encrypted with a secret key which is kept on the server. The salt goes first so that two passes issued in the same second still come out as different cyphertext: in a chained cipher mode every block of output depends on the blocks before it, so a random first block changes everything after it. A user ID is appended onto the end of the cyphertext. This final value is the additional cookie's value. The user ID is used as a database key to store the timestamp and the salt.

When you visit a Salon Premium page, it gets your cookies. It uses the user ID to look up the salt and timestamp. If the timestamp is still good, it builds a string with the salt first and the timestamp second.
Then it encrypts the string with the secret key and compares the cyphertext with the value of the additional cookie, minus the user ID. It serves the page if they match. If the timestamp is no longer good, it deletes the user ID and its values from the database and serves up the ad.

Sure, you could just use the user ID itself in the cookie and keep all that data on the server, but then people could just guess or use sequence prediction on the user ID. You could add the timestamp to the cookie as plaintext and rely on the comparison, but that has the same problem. The above has four server-generated values (salt, timestamp, secret key and user ID) which all have to match for success, and it is tamper resistant and tamper evident. One note for whoever builds it: the server never decrypts anything in this scheme, it only recomputes the value and compares, so a keyed hash such as an HMAC over "salt, timestamp" does the same job directly and is the standard tool for it. Either way, the comparison belongs on the server, and it should be an exact match of the whole value.

The one-day pass feature is an innovative and novel approach for allowing access to subscriber content. However, the current implementation hasn't had much forethought. The authentication credentials are the same for everybody, are stored on the client side in a way which is vulnerable to tampering, and rely on an easily circumvented expiration mechanism. Creating unique user credentials, embedding expiration date information in the cookie itself, and encrypting it to safeguard the information from user tampering are ways in which they can implement the system.

Users have the ability, and are prone, to fiddle with anything you put on their computer. Any security mechanism you use on the web should be designed to hold up under such tampering.
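The proposed fix above, issuing the extra cookie and checking it on every premium page, is worked through here in Python as an added example; it is not Salon's code and not the author's. It assumes the following, all of which are my choices rather than anything in the article: HMAC-SHA256 stands in for the block-cipher encryption (the server only ever recomputes and compares, so a keyed hash gives the same tamper evidence without a third-party crypto library); the database is an in-memory dict; the clock is injectable so the expiry path can be exercised; the cyphertext and the user ID are joined with a "."; and the user ID is drawn from a cryptographic random source so it cannot be sequence-predicted. All class and function names are mine.

```python
import base64
import hashlib
import hmac
import secrets
import time

PASS_LIFETIME = 24 * 60 * 60  # one day, in seconds


class OneDayPassServer:
    """Server side of the pass scheme proposed in the article (added example).

    Cookie value layout (my own framing):  <keyed tag over salt||timestamp>.<user id>
    The salt and timestamp are stored server-side under the user id; the client
    only holds the tag, which it cannot recompute without the secret key.
    """

    def __init__(self, secret_key: bytes, now=time.time):
        self._key = secret_key      # kept on the server, never sent to the client
        self._now = now             # injectable clock (time.time in production)
        self._db = {}               # user_id -> (salt, issued_at); stands in for the database

    def _tag(self, salt: bytes, issued_at: int) -> str:
        # Salt first, timestamp second, exactly as the article orders the fields.
        msg = salt + issued_at.to_bytes(8, "big")
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(digest).decode().rstrip("=")

    def issue_pass(self) -> str:
        """Called once the clickthrough is complete; returns the extra cookie value."""
        salt = secrets.token_bytes(16)
        issued_at = int(self._now())
        user_id = secrets.token_urlsafe(12)     # random, so guessing or sequence prediction fails
        self._db[user_id] = (salt, issued_at)
        return f"{self._tag(salt, issued_at)}.{user_id}"

    def check_pass(self, cookie: str) -> bool:
        """True means serve the premium page; False means serve the ad."""
        tag, sep, user_id = cookie.rpartition(".")
        record = self._db.get(user_id) if sep else None
        if record is None:
            return False                        # unknown or malformed user id
        salt, issued_at = record
        if self._now() - issued_at > PASS_LIFETIME:
            del self._db[user_id]               # expired: forget the pass, back to the ads
            return False
        # Recompute from the stored salt and timestamp and compare in constant time,
        # so the check leaks nothing about how many characters of the tag matched.
        return hmac.compare_digest(tag, self._tag(salt, issued_at))

    def active_passes(self) -> int:
        """Number of passes the server still remembers (useful to see expiry cleanup)."""
        return len(self._db)


def tamper_tag(cookie: str) -> str:
    """Simulate a client editing one character of the cyphertext part of the cookie."""
    tag, _, user_id = cookie.rpartition(".")
    first = "A" if tag[0] != "A" else "B"
    return f"{first}{tag[1:]}.{user_id}"


if __name__ == "__main__":
    server = OneDayPassServer(secrets.token_bytes(32))
    cookie = server.issue_pass()
    print("fresh pass accepted:", server.check_pass(cookie))
    print("edited tag accepted:", server.check_pass(tamper_tag(cookie)))
```

Note what changed relative to the scheme the article attacks: the expiry now lives in the server's database and is bound into the keyed tag, so editing the expiry field in the browser's cookie file only decides whether the browser keeps sending the cookie, not whether the server honours it. A tag edited by even one character, a cookie carried over to a server with a different key, or a pass older than PASS_LIFETIME all fall through to the ad.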