STLToday's Paywall is Weak


I’m originally from St. Louis, and in fact spent my last few years in St. Louis working with and taking on the media in one form or another. I’ve since moved on and no longer concern myself with the day to day craziness of St. Louis’ bizarre media scene…but I do like to check up on the sports.

STLToday is the website of St. Louis’ prominent newspaper, The St. Louis Post Dispatch and it’s always been kind of a mess. Horrible designs, way too big pictures that take too long to load, crazy ads all over the place, etc…basically the standard crazy failing “old media” company stuff. Today they added: “Paywall” to that list. There’s countless articles about why paywalls don’t work and they are at best a way to delay death rather than anything close to a solution, but frankly I just wanted to read the excellent sports coverage supported by ads! Luckily it only took about 5 minutes to bypass the paywall.

When you load a article blocked by the paywall you’ll notice that the content is shown for a few seconds and then it will redirect you to the pay screen. Interesting. At first I thought this might have been something along the lines of a enticement plan so you can see what you’re going to miss if you don’t pay up…but knowing the history of this particular website it made more sense that this was some drop-in paywall script that is loaded after the article and redirects once it reads your cookies and the content and determines you haven’t paid. I took a quick look at the page source and found a meta tag named ”__sync_contentCategory” it was set to “premium” on the article I wanted to read, but set to “free” on the article explaining their new paywall. Luckily their site is still slow as hell with all the ads and stuff they are loading, so if I just manage to change that meta tag to “free” on every article I read before their redirect script (probably loading on DOM ready) fires, will that short circuit the whole system?


Here’s the script (in the form of a user script that can be added to Chrome or Firefox):

So what could STLToday do to make this a lot more secure?

  1. Well they could not use javascript for one and simply have the backend read the user's information and the content type, but I suspect that their CMS isn't setup to do this and it's probably something they licensed so they can't make any changes to it, which explains the drop-in solution.
  2. They could also make their site faster (a good idea anyway) but one could still figure out a way to inject my script before their's runs.
  3. They could not rely on a meta tag for content tagging and instead ping back to the server to request the content type (premium vs free). This could still be bypassed by spoofing the server's response to your browser, but it would be a lot harder to write a script like the one I did earlier. This is probably a good enough solution, but if they still can't figure out how to write a server-side response on their CMS it can't happen.
  4. They could just not care. I very much doubt that they will see a lot of "digital subscriptions" and those that would be interested probably aren't the type to know what a User Script is or follow me on Twitter.