View at Picasa Scaffolding and work crews were everywhere.02-Jan-2004 17:31, EASTMAN KODAK COMPANY KODAK DX7440 ZOOM DIGITAL CAMERA, 5.6, 5.5mm, 0.001 sec, ISO 80	View at Picasa Monastery at Meteora. The wire is for the cable car that goes to the monastery.01-Jan-2004 20:21, EASTMAN KODAK COMPANY KODAK DX7440 ZOOM DIGITAL CAMERA, 4.8, 22.0mm, 0.002 sec, ISO 80	View at Picasa Roman ruins at Butrint, Albania.06-Jan-2004 23:21, EASTMAN KODAK COMPANY KODAK DX7440 ZOOM DIGITAL CAMERA, 3.4, 5.5mm, 0.004 sec, ISO 80	View at Picasa Closer view of a Meteora monastery and its cable car access.01-Jan-2004 20:27, EASTMAN KODAK COMPANY KODAK DX7440 ZOOM DIGITAL CAMERA, 4.0, 8.2mm, 0.003 sec, ISO 80	View at Picasa 01-Jan-2004 00:02, EASTMAN KODAK COMPANY KODAK DX7440 ZOOM DIGITAL CAMERA, 2.8, 5.5mm, 0.017 sec, ISO 140	View at Picasa neverblog.net: Now fast, like cheetah.	View at Picasa Tablet at Delphi. Translations welcome...01-Jan-2004 02:17, EASTMAN KODAK COMPANY KODAK DX7440 ZOOM DIGITAL CAMERA, 3.4, 5.5mm, 0.001 sec, ISO 80	View at Picasa	View at Picasa The Old Fort at Corfu Town.02-Jan-2004 06:41, EASTMAN KODAK COMPANY KODAK DX7440 ZOOM DIGITAL CAMERA, 4.0, 8.2mm, 0.003 sec, ISO 80	View at Picasa Meteora monastery.01-Jan-2004 21:02, EASTMAN KODAK COMPANY KODAK DX7440 ZOOM DIGITAL CAMERA, 4.8, 22.0mm, 0.004 sec, ISO 80	View at Picasa Greek beef.02-Jan-2004 03:57, EASTMAN KODAK COMPANY KODAK DX7440 ZOOM DIGITAL CAMERA, 3.4, 5.5mm, 0.001 sec, ISO 80

Huge security flaw on ESPN360.com allows anyone to watch World Cup games online

A colleague and I recently discovered a massive security flaw in ESPN360.com‘s browser checking functions. According to the website, you must have a particular cable provider, such as Adelphia, in order to use ESPN360. However, the page only uses a simple variable, affiliate, to determine whether or not your ISP is one that contracts with ESPN. This is easily visible via the source code, which shows a link of the following if you do not have the proper ISP: http://static.espn.go.com/broadband/ebb2/360SiteRedesignStaging/index9.html?affiliate=nonaffiliate

Now, anyone with a modicum of web programming experience will immediately plug the following into a browser: http://static.espn.go.com/broadband/ebb2/360SiteRedesignStaging/index9.html?affiliate=affiliate

Note here how we’ve changed the status from ‘nonaffiliate’ to ‘affiliate.’ This shouldn’t work. It couldn’t possibly work. But it does. That’s it. The entire check is a simple variable that you can pass through the URL.

I would like to point out that I do not advocate using this to receive a free service to which you are not entitled. I myself have a cable provider included on the list, but the ISP I use is separate and provided by work, meaning that it shows up as ‘nonaffiliate.’ As a subscriber to that cable provider (and their internet service at home), I am entitled to download the software there anyway. Finally, I have reported this flaw to ESPN360.com in order to allow them to fix it.

RE-Update: As of Wednesday, we found out that simply holding the ‘ctrl’ key while loading the link above avoids any and all of the security protections. Happy free online sports viewing (esp. the World Cup, boys and girls! Out-of-date-update: As of Monday night, ESPN updated their ESPN360.com page to run with Flash. I wrote an open letter to ESPN protesting the fact that I have to convince my ISP to buy something from ESPN. Read it and sign the petition here.
espn 360

Jun 19, 2006

Posted by Vasken
No comments

Musings
Adelphia, cable provider, ESPN, ESPN 360, ESPN360, espn360.com, flaw, ISP, security, World Cup

StackOverflow

Comments

No comments yet, be the first to add one!

neverblog.net

Huge security flaw on ESPN360.com allows anyone to watch World Cup games online

StackOverflow

Sponsored Links

Leave A Reply

Comments

Tags

Blogroll

Archives