DISCLAIMER: All data and information provided in this article are for informational purposes only. The main goal is to increase security awareness, teach about information security, countermeasures and give readers information on how to implement a safe and functional system (in our case, a website). If you plan to use the information for illegal purposes, please leave this website now. I cannot be held responsible for any misuse of the given information. I do not use this method to avoid paying and neither should you.
The word “hacking” usually has a strong meaning and most people would think of gaining root access to the website I am referring to in the title or insight into its database. In this case, however, I want to demonstrate how you can exploit a specific error in its design and gain access to a feature that was initially blocked.
Starting from the beginning, I enjoy reading scientific articles on the www.technologyreview.com website. There is, however, a certain aspect that bothered me. You can only read three free articles per month; for more (along with other perks) you need to subscribe to a paid “all-access digital program”.
Every time I read a story, a banner would appear telling me that I have read 1/3, 2/3 or 3/3 of the stories I was entitled to for that month and when I tried to open a new article, after I’d read 3 stories in a month, it prompted me to subscribe in order to have access to it. So I started thinking of how this functionality worked and how it could be bypassed. One could circumvent that perhaps by making a lot of accounts (or constantly changing IP addresses) and reading three articles from each one, but I don’t consider that to be a reasonable solution.
I started wondering how the stories I was reading were being counted. My original hypothesis was that every time I clicked on a URL (I was signed in to my account), a request was made to the server, the number of articles I had read in a month was checked for being less than 3, the article ID was kept (so I could revisit that article) and then I would get the corresponding response from the server (the article itself or a message that I needed to subscribe for more).
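The server-side flow hypothesized above, written out as an added sketch (it is not code from this article or from the website). The class, method names, account ID and article IDs are assumptions made for illustration; the limit of 3 per month and the revisit rule come from the text.

```python
from collections import defaultdict
from datetime import date

FREE_ARTICLES_PER_MONTH = 3  # limit stated in the article


class ServerSideMeter:
    """Hypothetical server-side paywall meter (all names are assumptions)."""

    def __init__(self, limit=FREE_ARTICLES_PER_MONTH):
        self.limit = limit
        # (account_id, "YYYY-MM") -> set of article IDs already served
        self._read = defaultdict(set)

    def request_article(self, account_id, article_id, today, subscriber=False):
        """Return "article" or "subscribe", as the server response would."""
        if subscriber:
            return "article"
        seen = self._read[(account_id, today.strftime("%Y-%m"))]
        if article_id in seen:        # revisit: does not consume quota
            return "article"
        if len(seen) < self.limit:    # the "less than 3" check
            seen.add(article_id)      # keep the article ID for revisits
            return "article"
        return "subscribe"

    def banner(self, account_id, today):
        """Text of the 1/3, 2/3, 3/3 banner for the current month."""
        used = len(self._read[(account_id, today.strftime("%Y-%m"))])
        return f"{used}/{self.limit}"


def run_demo():
    """Constructed sample session for one signed-in account."""
    meter = ServerSideMeter()
    june, july = date(2020, 6, 10), date(2020, 7, 1)
    responses = [meter.request_article("acct-1", a, june)
                 for a in ("a1", "a2", "a3", "a4", "a2")]
    responses.append(meter.request_article("acct-1", "a4", july))
    return responses, meter.banner("acct-1", june), meter.banner("acct-1", july)


if __name__ == "__main__":
    print(run_demo())
```

In this design the count is stored on the server and keyed to the signed-in account, so the decision does not depend on any state held by the browser.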