Hack → How to get around a subscription engine for RocketMiner.com so you can read articles for free.

Tony Mucci
5 min read · Feb 14, 2018

DISCLAIMER: This is for educational purposes only. It serves as a good example of why it’s so important to have high-quality developers working for you, and WHY you pay so much for high-quality developers to do their jobs efficiently. This also shows what happens when high-quality devs really want to read an article they found online but are too cheap to buy something because all their money goes to Mt. Dew, Red Bull, and tacos.

Introduction

I was poking around on Reddit.com gathering some RSS feeds for news sources that I enjoy for my pet project Eklect Haus, a cloud-based home automation and control hub to connect all my IoTs (Internet of Things) together and have them do cool stuff.

I came across an article (which granted was an opinion piece, but it was written like shit) about a White House aide that resigned. He happens to be LDS, and some of the “truths” about the church that they wrote in the article were twisted to a point it annoyed me and I don’t think people should pay for that type of shitty stuff or reporting; especially when they can’t see the type of quality that they are getting before they buy a subscription (think New York Times, LA Times or Washington Post, that let you get a taste before committing to a subscription). So I decided to make my research public on this matter until they either fix their vulnerability or improve their quality of reporting.

This exploit took less time for me to do than it did to write about HOW to actually do it. The irony…

The Vulnerability

Inside RocketMiner’s JavaScript, they have unminified code that states the following:

Now the problem with this is how they are setting the cookie. They give me the cookie name and the value it needs if my IP is found in their white list.

$.cookie('tncms-service-validated', 1, { path:'/' });

So all I have to do is simply set the cookie myself to the value of 1 and reload the page and I’m in.

The second issue with this code is the way it unscrambles the article.

$('.subscriber-only.encrypted-content').each(function(){
  $(this).html(tncms.unscramble($(this).text()));
  $(this).show();
});

Apparently, they scramble the article so you can’t simply go into DevTools on Chrome and unhide the divs. So kudos to them for at least thinking of that one. However, if I go to my console window in my DevTools, I can simply run this part of the code and it unscrambles the code and shows me the article.

The Exploits

Method #1: Edit the rocketminer.com cookie

  1. Install EditThisCookie as a Chrome Extension on Google Chrome.
  2. Go to the RocketMiner.com article you want to read.
  3. If it’s blocked by a subscription, it will look like this:
     [Screenshot: Requires a subscription to read article]
  4. Go to your EditThisCookie browser popup. It will look something like this:
     [Screenshot: Browser Popup for EditThisCookie Google Chrome Extension]
  5. Click on the + sign to create a new cookie.
  6. You will come to a screen like this
  7. Enter the information as follows:
     Name = tncms-service-validated
     Value = 1
  8. Click the green check mark.
  9. Reload the page.
  10. You should now see the article, which has now been unscrambled.

You will see all the articles for free now as long as that cookie hasn’t expired. If it has, simply repeat the steps above.

Method #2: Use RocketMiner’s code to simply unscramble the article

  1. Go to your DevTools in Google Chrome.
  2. Go to your Console.
  3. Copy and paste the code:

$('.subscriber-only.encrypted-content').each(function(){
  $(this).html(tncms.unscramble($(this).text()));
  $(this).show();
});

  4. Run the code and you will see the article. This method isn’t as good as Method #1 because you will have to run this every time you load the page, which makes Method #1 the more viable solution.

The Fix

Now I’m not going to be a complete dick and not say how to fix this for RocketMiner:

The first thing they will need to do is minify their code. If the code was minified, it would be a bit more difficult to read the code and find the exploit. Yes, a hacker could simply unminify the code, but that requires more work, and the best hackers are the lazy hackers, meaning they don’t want to do the extra work if they don’t have to, so they are going to look for the easiest point of entry. If it takes too long, the bot they wrote, or the hacker themselves, will become bored and move on.

Second, they should require that the unscramble code only be loaded AFTER the user logs in. That way there is no way of unscrambling the article with JavaScript on the front-end. After the user logs in, they can then load the unscramble code, at which point who cares if a logged-in person is unscrambling stuff they already paid for, right?
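Going one step past the second fix above: instead of gating the unscramble script, the server can decide who receives the article body at all. This is an added example, not RocketMiner's or the author's code; the `entitlement` cookie name, the key and all function names are hypothetical, and it contrasts the page's `tncms-service-validated` check with an HMAC-signed, expiring token.

```javascript
// Added example (not RocketMiner's code): the paywall decision made on the server.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Assumption: a constructed demo key; a real key stays server-side only.
const SECRET = 'constructed-demo-key';

// Weak form, mirroring the page: any browser that sets the cookie to 1 passes.
function weakIsEntitled(cookies) {
  return cookies['tncms-service-validated'] === '1';
}

function sign(payload) {
  return createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Issued by the server after a real login: "<userId>.<expiryEpochSeconds>.<hmac>".
function issueToken(userId, ttlSeconds, now = Date.now()) {
  const payload = `${userId}.${Math.floor(now / 1000) + ttlSeconds}`;
  return `${payload}.${sign(payload)}`;
}

// Hardened form: the value must carry a valid MAC and an unexpired timestamp.
function strongIsEntitled(cookies, now = Date.now()) {
  const token = cookies['entitlement'] || ''; // hypothetical cookie name
  const cut = token.lastIndexOf('.');
  if (cut < 0) return false;
  const payload = token.slice(0, cut);
  const mac = Buffer.from(token.slice(cut + 1), 'hex');
  const expected = Buffer.from(sign(payload), 'hex');
  if (mac.length !== expected.length || !timingSafeEqual(mac, expected)) return false;
  const expiry = Number(payload.slice(payload.lastIndexOf('.') + 1));
  return Number.isFinite(expiry) && expiry > Math.floor(now / 1000);
}

// The article body only enters the response when the server-side check passes,
// so a non-subscriber's page contains nothing for client-side code to unscramble.
function renderArticleBody(article, cookies, isEntitled) {
  return isEntitled(cookies) ? article.body : '<p>Subscribe to read this article.</p>';
}
```

With this shape, a hand-set cookie value fails the MAC check, and an expired or edited token is rejected the same way.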

The worst part of technology is the people. Always will be.

Tony Mucci

Co-founder of SimpliCourt, dree, My Company Tools, and Eklect Enterprises