Medill students find vulnerability in The New Yorker magazine’s paywall

Sean Lavery

Three Medill graduate students are generating buzz in the tech blogosphere with an article on their online magazine’s site that exposed compromising vulnerabilities in The New Yorker magazine’s paywall system.

Jesse Young, the tech brains of the three-man team, discovered a coding flaw in the system meant to protect content from non-subscribers. Young authored the first of two articles, “The New Yorker, or How Not to Set Up a Paywall, Part 1,” published on Oct. 19. One of his co-editors, Kevin Shalvey, wrote the second on Oct. 25.

Flood Magazine is the brainchild of Young, Shalvey and another one of their Medill classmates, Spencer Rinkus. The three started up the online publication as an independent study for course credit in July. It was meant to serve as a venue for experimenting with the kind of writing they weren’t getting to try in their graduate program, Rinkus said.

The magazine has centered its coverage on the convergence of technology and the future of journalism.

“We decided to focus on the media and technology,” Shalvey said. “Not just gadgets but the way people get information and how it’s evolving.”

Young’s discovery came from casually perusing the script for the archive login of The New Yorker, a magazine to which Rinkus said the three students already subscribed.

“It’s pretty common for web developers to look at other websites,” Young said. “It’s similar to writers and journalists looking at other writers’ work.”

He found that a few extra lines of code could circumvent the archive’s paywall, allowing anyone to access the content free of charge.

Paywall systems are gaining traction in online media as print products hemorrhage cash. The Wall Street Journal has made users pay for content since 2008. It has approximately 400,000 subscribers and benefits from readers who have the option of using their subscription as a business write-off. Last winter The New York Times announced it would be instituting a metered content system as well, beginning in January 2011.

Before publishing the paywall story, Flood Magazine editors reached out to The New Yorker about the coding flaw but received no response, according to Rinkus.

“We talked to Prof. Marcel Pacatte, who is the advisor for our magazine. He called the school lawyers, and we edited the story,” Young said.

The first story did not instruct readers explicitly on how to get around the paywall, but it did succeed in attracting the attention of a number of Internet tech personalities and media sites, many of whom have Twitter followings numbering in the hundreds of thousands, Rinkus said. cited the article as the “best tech writing of the week,” for the week ending Oct. 29.

Though they did not hear back from The New Yorker until this week, Rinkus said that as paid subscribers to the magazine’s site, he and the other Flood editors received a flurry of e-mails the day of publication.

“Every e-mail was kind of frantic,” Rinkus said. “In reaction to our article, we put up a bunch of upset tweets from New Yorker subscribers. Everyone was mad the passwords got changed. They e-mailed everyone new passwords, which isn’t secure. They just kept digging and digging.”

In the second installment of the series, Shalvey compared the discovery to Jon Lech Johansen’s exposure of DVD encryption weakness. But the students avoided specifics in the article to protect themselves from possible litigation, Young said.

The magazine website has steadily gained in popularity and has launched a sister site called Flood Lite. What began as an almost accidental discovery could give the publication the edge it needs as it seeks funding to sustain its future.

Young and Rinkus will be graduating at the end of this quarter but hope to continue working on the site remotely.

“We are happy to do it,” Rinkus said, “to create a space not a lot of people have explored, where writers write about technology and the state of journalism.”
