Huge security flaw on ESPN360.com allows anyone to watch World Cup games online


A colleague and I recently discovered a massive security flaw in ESPN360.com’s browser checking functions. According to the website, you must have a particular cable provider, such as Adelphia, in order to use ESPN360. However, the page only uses a simple variable, affiliate, to determine whether or not your ISP is one that contracts with ESPN. This is easily visible in the source code, which contains the following link if you do not have the proper ISP: http://static.espn.go.com/broadband/ebb2/360SiteRedesignStaging/index9.html?affiliate=nonaffiliate

Now, anyone with a modicum of web programming experience will immediately plug the following into a browser: http://static.espn.go.com/broadband/ebb2/360SiteRedesignStaging/index9.html?affiliate=affiliate

Note here how we’ve changed the status from ‘nonaffiliate’ to ‘affiliate.’ This shouldn’t work. It couldn’t possibly work. But it does. That’s it. The entire check is a simple variable that you can pass through the URL.
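The pattern described above, next to a server-side alternative, as an added example that is not ESPN's code or part of the original post. The network ranges, signing key, and function names are constructed for illustration; the page only shows that the decision was carried in the `affiliate` URL parameter.

```python
import hashlib
import hmac
import ipaddress
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample data: documentation-only ranges standing in for the
# networks of contracted ISPs, and a placeholder signing key (assumptions).
AFFILIATE_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
                      ipaddress.ip_network("2001:db8:a::/48")]
SIGNING_KEY = b"placeholder-key-load-from-secret-store"
TOKEN_TTL = 300  # seconds


def vulnerable_is_affiliate(url):
    """The flawed pattern: the decision is read from a value the client sends."""
    params = parse_qs(urlparse(url).query)
    return params.get("affiliate", ["nonaffiliate"])[0] == "affiliate"


def server_is_affiliate(peer_ip):
    """Decide from the connection's source address, which the server observes."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in AFFILIATE_NETWORKS)


def issue_token(peer_ip, now=None):
    """Return a short-lived token bound to the address, or None if not entitled."""
    if not server_is_affiliate(peer_ip):
        return None
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    msg = f"{peer_ip}|{expires}".encode()
    return f"{expires}." + hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def verify_token(token, peer_ip, now=None):
    """Checked where the content is served; URL parameters play no part."""
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    msg = f"{peer_ip}|{expires}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    current = time.time() if now is None else now
    # Constant-time comparison, then the expiry check.
    return hmac.compare_digest(mac.encode(), expected.encode()) and current < expires
```

The token is only useful if the endpoint that serves the stream verifies it on every request; a check that lives solely in the landing page can be skipped the same way the parameter was.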

I would like to point out that I do not advocate using this to receive a free service to which you are not entitled. I myself have a cable provider included on the list, but the ISP I use is separate and provided by work, meaning that it shows up as ‘nonaffiliate.’ As a subscriber to that cable provider (and their internet service at home), I am entitled to download the software there anyway. Finally, I have reported this flaw to ESPN360.com in order to allow them to fix it.

RE-Update: As of Wednesday, we found out that simply holding the ‘ctrl’ key while loading the link above avoids any and all of the security protections. Happy free online sports viewing (esp. the World Cup), boys and girls!

Out-of-date-update: As of Monday night, ESPN updated their ESPN360.com page to run with Flash. I wrote an open letter to ESPN protesting the fact that I have to convince my ISP to buy something from ESPN. Read it and sign the petition here.