How to Hack into the Paywall-Protected New Yorker Archives

The New Yorker’s online presence is, for the most part, accessible to all users. Content gets posted weekly, on Sunday nights at midnight, and most of the articles are ready for your perusal. Occasionally, however, a piece will be put behind a paywall in an attempt to entice the hardcore reader to bite the bullet and subscribe. Without an account, David Remnick’s take on the new Keith Richards memoir Life that appears in the magazine this week can be found on newyorker.com as nothing more than a fragmented summary. And of course the entire index of New Yorker issues—every word printed in the magazine’s 85 years—is only accessible to those who pony up the annual fee.

Yet there may be a more cost-effective way to pore over the new-but-blocked must reads and catch up with classic Dorothy Parker. Online magazine Flood published an article last week that revealed a hint that allows freeloaders access to the entire archive of locked articles. Apparently, the default password once a user sets up an account is simply the email address that serves as the username, and Flood took a wild guess that many people are too lazy to create a custom password. All the average literary-minded hacker needs is the email address of someone with an account (Flood recommends trial-and-error with college professors) and everything is set. Not an effortless process–e.g. a simple Google search will get you behind the WSJ.com paywall–but intriguing nonetheless. 

Today, the magazine published part two of the New Yorker hacking exposé, and delved a bit deeper into the wonky details of how to hack into the cherished magazine’s site. By dipping into the publicly accessible code they were able to extract an email address from the comments. They emailed the woman—a professor at Lehman College in New York, naturally—and explained to her that the shoddy nature of the site design made it possible for such an easy steal.

“The file had a trove of comments detailing the authentication process, the server response for a valid user, and many other things that should have been removed from a public-facing JavaScript file,” Kevin Shalvey, the article’s author, wrote in the piece. “It was as if an absentminded surgeon had left his scalpel, forceps and gauze inside a patient.”
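A release check of the kind that would catch this class of leak, as an added example (not code from Flood, Realview or The New Yorker): it pulls the comments out of a JavaScript file and flags any that carry an email address or notes about authentication. The keyword list, the function names and the sample source are assumptions constructed for illustration.

```javascript
// Added example: audit a JavaScript file for comments that should not ship.
const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const AUTH_NOTES = /\b(auth\w*|password|passwd|login|token|credential\w*|decrypt\w*|server response)\b/i;

// Walk the source once, skipping string literals so that "//" inside a URL
// is not mistaken for a comment. Regex literals are not tracked (assumption:
// acceptable for a coarse pre-release check).
function extractComments(src) {
  const comments = [];
  let i = 0, line = 1;
  while (i < src.length) {
    const ch = src[i], next = src[i + 1];
    if (ch === '\n') { line++; i++; }
    else if (ch === '"' || ch === "'" || ch === '`') {
      let j = i + 1;
      while (j < src.length && src[j] !== ch) {
        if (src[j] === '\\') j++;        // skip the escaped character
        if (src[j] === '\n') line++;
        j++;
      }
      i = j + 1;
    } else if (ch === '/' && (next === '/' || next === '*')) {
      const close = next === '/' ? '\n' : '*/';
      let end = src.indexOf(close, i + 2);
      if (end === -1) end = src.length;
      const text = src.slice(i + 2, end);
      comments.push({ line, text: text.trim() });
      line += (text.match(/\n/g) || []).length;
      i = next === '/' ? end : end + 2;  // leave the newline for the counter
    } else i++;
  }
  return comments;
}

// Return one finding per comment that matches either pattern.
function auditComments(src) {
  return extractComments(src).flatMap(({ line, text }) => {
    const reasons = [];
    if (EMAIL.test(text)) reasons.push('email address');
    if (AUTH_NOTES.test(text)) reasons.push('authentication detail');
    return reasons.length ? [{ line, reasons }] : [];
  });
}

// Constructed sample input; not the archive viewer's code.
const SAMPLE = [
  '/* Login flow: server response for a valid user is {"ok":true}',
  '   test account: reader@example.edu */',
  'var api = "https://viewer.example/api"; // endpoint',
  '// TODO: remove password == email default',
].join('\n');
console.log(auditComments(SAMPLE));
```

Run against the build output rather than the source tree, since the point is what the browser receives; a minifier that strips comments makes the check pass trivially.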

The code was written by the Australian company Realview, not The New Yorker, and Flood has sent out requests for comment to both organizations. An update to last week’s story indicated that the bug that allowed for an email address to be revealed has been fixed, but predicted that the bigger loophole that allowed for unauthorized perusal of paywall-blocked articles may take two weeks to fix. Through a de-obfuscation of the encryption and decryption code on the archive site, the entire library of New Yorker stories can be accessed.

The Observer has yet to crack the code, but if the hackers at Flood Magazine are correct, the overlap of Rolling Stones fans and New Yorker readers won’t have to run to a newsstand to see what Remnick says about Richards. Strike another blow to the dead tree media.

nfreeman [at] observer.com | @nfreeman1234