ESPN debuts new ESPN360 Flash player Monday evening


In a move that seems to have occurred rather coincidentally to my recent post about a security flaw on espn360.com, which was also reported on Armenian Eagle’s blog, ESPN just debuted a new Flash-based player. Took about 12 hours, but the new player seems to lock out us ‘bad eggs’ a little better than the last one. Here’s some interesting text from ESPN’s site:

I have the ESPN360 application already installed. Can I still use it to watch videos?
You are one of the lucky users of ESPN. Although your ESPN360 application has been disabled, you can continue to enjoy ESPN360 content and more using the new video player. To improve performance and usability the installed version of 360 will no longer be used. Once your subscriber clicks on the prompt the downloadable application will automatically be removed from their desktop and replaced with a shortcut taking them to the new web-based player.

Heh. Heh. Lucky users…

There’s also news about a 30-day free period for everyone starting on June 26th. That’s after the US plays Ghana in the World Cup June 26th, but what the hell. I can’t believe they also disabled the app–there’s nothing wrong with its security checking anyways. Well, it was a fun afternoon of grainy soccer. Unless I’m wrong, and I’m just seeing this because I’m now at home on my cable modem. Hmmmmm…

UPDATE: And…..their security still sucks. Just try the same link, http://static.espn.go.com/broadband/ebb2/360SiteRedesignStaging/index9.html?affiliate=affiliate, but make sure to block popups and refresh a couple of times if you don’t get in at first.


Huge security flaw on ESPN360.com allows anyone to watch World Cup games online


A colleague and I recently discovered a massive security flaw in ESPN360.com’s browser checking functions. According to the website, you must have a particular cable provider, such as Adelphia, in order to use ESPN360. However, the page only uses a simple variable, affiliate, to determine whether or not your ISP is one that contracts with ESPN. This is easily visible via the source code, which shows a link of the following if you do not have the proper ISP: http://static.espn.go.com/broadband/ebb2/360SiteRedesignStaging/index9.html?affiliate=nonaffiliate

Now, anyone with a modicum of web programming experience will immediately plug the following into a browser: http://static.espn.go.com/broadband/ebb2/360SiteRedesignStaging/index9.html?affiliate=affiliate

Note here how we’ve changed the status from ‘nonaffiliate’ to ‘affiliate.’ This shouldn’t work. It couldn’t possibly work. But it does. That’s it. The entire check is a simple variable that you can pass through the URL.
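The flaw described above is an access decision taken from a value the client controls. The sketch below is an added example, not part of the original post and not ESPN's code: it puts that pattern beside a server-side check that derives affiliate status from the connection's source address and flags requests whose claim disagrees with it. The function names, the `video.example` URL and the address ranges are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: documentation-range networks standing in for the
# address blocks of ISPs that contract with the service (an assumption).
AFFILIATE_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:360::/48"),
]


def is_affiliate_from_url(url):
    """Flawed pattern from the post: believe the 'affiliate' query parameter."""
    params = parse_qs(urlsplit(url).query)
    return params.get("affiliate", ["nonaffiliate"])[0] == "affiliate"


def is_affiliate_from_peer(peer_ip):
    """Server-side decision based on the source address of the connection."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # fail closed on anything that does not parse
    return any(addr in net for net in AFFILIATE_NETWORKS)


def authorize(url, peer_ip):
    """Ignore the client's claim for access; keep it only as a tamper signal."""
    claimed = is_affiliate_from_url(url)
    actual = is_affiliate_from_peer(peer_ip)
    return {"allow": actual, "tamper_suspected": claimed and not actual}


if __name__ == "__main__":
    # Constructed requests: (URL as sent by the client, peer address seen by the server)
    samples = [
        ("https://video.example/player.html?affiliate=affiliate", "203.0.113.7"),
        ("https://video.example/player.html?affiliate=nonaffiliate", "198.51.100.20"),
    ]
    for url, peer in samples:
        print(peer, authorize(url, peer))
```

The peer address must be the one the server itself observes on the connection; if it is read from a client-supplied header, the same trust problem returns.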

I would like to point out that I do not advocate using this to receive a free service to which you are not entitled. I myself have a cable provider included on the list, but the ISP I use is separate and provided by work, meaning that it shows up as ‘nonaffiliate.’ As a subscriber to that cable provider (and their internet service at home), I am entitled to download the software there anyway. Finally, I have reported this flaw to ESPN360.com in order to allow them to fix it.

RE-Update: As of Wednesday, we found out that simply holding the ‘ctrl’ key while loading the link above avoids any and all of the security protections. Happy free online sports viewing (esp. the World Cup), boys and girls!

Out-of-date-update: As of Monday night, ESPN updated their ESPN360.com page to run with Flash. I wrote an open letter to ESPN protesting the fact that I have to convince my ISP to buy something from ESPN. Read it and sign the petition here.