Uh, Oh! New Yorker Fixes Paywall Privacy Glitch
Magazine resets passwords for subscribers who kept default settings.
The New Yorker subscribers got an unusual e-mail Wednesday explaining that the magazine had reset the passwords for those who never bothered to change the default user name/password they were assigned when they subscribed. Why? It turns out different default settings were needed to keep non-subscribers from being able to access the archive for free.
Here’s what happened: The New Yorker set the default usernames and passwords for subscribers to its digital edition and archive as that subscriber’s e-mail address. Sounds harmless enough, right? But according to a pair of reports from Flood Magazine, subscribers who were too bored/lazy/busy to change their default settings made their accounts vulnerable to being accessed by anyone who knows or could guess their e-mail address.
The New Yorker moved quickly to remediate the problem. Here’s a portion of the e-mail it sent to subscribers:
When you signed up for the digital edition, the default password for your account was your e-mail address (which is also your username).
If you never changed the default password, we reset your password and sent you a message with the new password this morning. We strongly recommend that you now change this password, if you have not already done so.
If you already changed your password, you can continue to use the digital edition with the password you created.
I’m not sure how much truth there is to this part of the supposed security flaw (in fact, I’m not even sure what the heck Flood Magazine is) but I can say one thing for certain: This is nutty. What average reader is going to go to all the trouble to pull up the paywall code and re-write part of it, or spend time plugging in the e-mails of friends and family members they think might be subscribers, all to gain free access to–what? The years-old long-form stories and cartoons in The New Yorker? You have to wonder why the tech-master coders at Flood were so intent on cracking this paywall code, and especially so long after the wall was erected. Also, you might wonder why publisher Condé Nast, or its paywall vendor, didn’t spot this vulnerability sooner.
I don’t mean to knock on The New Yorker too much here. It’s certainly one of the most well-regarded magazines (we all know it wins National Magazine Awards year after year after year) and it clearly took steps to fix the security glitch once it was brought to light. But come on. Shouldn’t we have better things to do than dig up ways to scale The New Yorker wall?