GOOD FOOD, BAD AUTHORISATION

2024-07-19

I was browsing (BBC) Good Food today when I noticed something I'd not seen before: a "premium" recipe, available on their "app only":

[Image: Screenshot showing recipes, one of which is labelled "App only" and "Premium". /2024/07/bbc-good-food-app-only.jpg]

I clicked on the "premium" recipe and... it looked just like any other recipe. I guess it's not actually restricted after all?

Just out of curiosity, I fired up a more-vanilla web browser and tried to visit the same page. Now I saw an overlay and modal attempting to restrict access to the content (the fact that I could literally see the original content behind the modal was a bit of a giveaway that they'd only hidden it, not actually protected it in any way):

[Image: Overlay attempting to block content to the page beneath, saying "Try 1 year for just £9.99 and save 81%". /2024/07/bbc-good-food-app-only-overlay-modal.png]

It turns out their entire effort to restrict access to their premium content... is implemented in client-side JavaScript. Even when I did see the overlay and not get access to the recipe, all I needed to do was open my browser's debugger and run

    document.body.classList.remove('tp-modal-open');
    for (const el of document.querySelectorAll('.tp-modal, .tp-backdrop')) el.remove();

and all the restrictions were lifted.

What a complete joke.

Why didn't I even have to write my JavaScript two-liner to get past the restriction in my primary browser?
Because I'm running the privacy-protector Ghostery, and one of the services Ghostery blocks by default is one called Piano. Good Food uses Piano to segment their audience in your browser, but they haven't backed that with any, y'know, actual security, so all of their content, "premium" or not, is available to anybody.

I'm guessing that Immediate Media (who bought the BBC Good Food brand a while back and have only just gotten around to stripping "BBC" out of the name) have decided that an ad-supported model isn't working and have decided to monetise the site a little differently. (I can see why they'd think that: personally, I didn't even know there were ads on the site until I did the experiment above. Turns out I was already blocking them, too, along with any anti-ad-blocking scripts that might have been running alongside.) Unfortunately, their attempt to differentiate premium from regular content was sufficiently half-hearted that I barely noticed it either, and I'd have glided through the paywall without noticing at all were it not for the fact that I wondered why there was a "premium" badge on some of their recipes.

[Image: Screenshot from OpenSourceFood.com, circa 2007. /2024/07/opensourcefood-archive-screenshot.jpg]

Recipes probably aren't considered a high-value target, of course. But I can tell you from experience that sometimes companies make basically this same mistake with much more-sensitive systems.
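To make the distinction concrete before moving on, here is an added example (not code from the original post, and nothing to do with Good Food's or Piano's actual implementation) that models both architectures side by side: a paywall that only hides the recipe in the browser, and one that withholds it on the server. The recipe text, the session tokens, the entitlement table and the paywall script URL are all constructed for the example; the CSS class names mirror the ones removed by the debugger two-liner above.

```javascript
// Added example, not code from the original post or from Good Food/Piano.
// It contrasts a paywall that hides premium content in the client with one
// that enforces the authorisation decision on the server, and includes the
// check a reviewer should run against either: strip every client-side
// obstacle from what an unentitled client received and see whether the
// paid-for text is still there.

// Constructed recipe: the teaser is free, the method is the premium part.
const RECIPE = {
  slug: 'chargrilled-chicken-curry',
  premium: true,
  teaser: 'A smoky, gently spiced curry for the barbecue.',
  method: 'Step 1: marinate the chicken overnight... (the part subscribers pay for)',
};

// Constructed session store: token -> entitlement. A real system would look
// this up in a database keyed by a signed session cookie.
const SESSIONS = new Map([
  ['sess-subscriber', { premium: true }],
  ['sess-free', { premium: false }],
]);

function isEntitled(token) {
  return SESSIONS.get(token)?.premium === true;
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// --- Pattern 1: hide in the client (the pattern the post found) ----------
// The server sends the whole recipe to everyone and leaves it to a
// third-party script, running in the browser, to cover it with a modal.
function renderHiddenOnly(recipe) {
  return `<body><article>${escapeHtml(recipe.method)}</article>` +
    '<script src="https://example.invalid/paywall.js"></script></body>';
}

// Simulates the paywall script once it runs. If the script is blocked (by an
// ad or privacy blocker, as in the post) nothing happens and the recipe is
// simply visible.
function runPaywallScript(html, { scriptBlocked = false } = {}) {
  if (scriptBlocked) return html;
  return html
    .replace('<body>', '<body class="tp-modal-open">')
    .replace('</body>',
      '<div class="tp-backdrop"></div>' +
      '<div class="tp-modal">Try 1 year for just £9.99</div></body>');
}

// The post's debugger two-liner, applied to markup instead of the live DOM.
function stripOverlay(html) {
  return html
    .replace(' class="tp-modal-open"', '')
    .replace(/<div class="tp-(?:backdrop|modal)">.*?<\/div>/g, '');
}

// --- Pattern 2: enforce on the server ------------------------------------
// The authorisation decision is made before the response is written, so an
// unentitled request never receives the premium text in any form.
function renderEnforced(recipe, sessionToken) {
  if (recipe.premium && !isEntitled(sessionToken)) {
    return {
      status: 402,
      html: `<body><article>${escapeHtml(recipe.teaser)}</article>` +
        '<div class="tp-modal">Try 1 year for just £9.99</div></body>',
    };
  }
  return {
    status: 200,
    html: `<body><article>${escapeHtml(recipe.method)}</article></body>`,
  };
}

// The review check: does the premium text survive removal of every
// client-side obstacle? For a hidden-only paywall the answer is yes
// whether or not the script ran; for a server-enforced one it is no.
function premiumTextReachesClient(html, recipe) {
  return stripOverlay(html).includes(escapeHtml(recipe.method));
}

console.log('hidden-only, script blocked:',
  premiumTextReachesClient(runPaywallScript(renderHiddenOnly(RECIPE), { scriptBlocked: true }), RECIPE));
console.log('hidden-only, script ran    :',
  premiumTextReachesClient(runPaywallScript(renderHiddenOnly(RECIPE)), RECIPE));
console.log('enforced, free session     :',
  premiumTextReachesClient(renderEnforced(RECIPE, 'sess-free').html, RECIPE));
```

The point of `premiumTextReachesClient` is that it ignores the overlay entirely: a modal, a `tp-modal-open` class or a blurred `<article>` are presentation, and the only thing that counts is whether the bytes of the premium text were ever sent to a client that had not proved entitlement.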
The other year, for example, I discovered (and ethically disclosed) a fault in the implementation of the login forms of a major UK mobile network that meant that two-factor authentication could be bypassed entirely from the client side.

These kinds of security mistakes are increasingly common on the Web as we train developers to think about the front-end first (and sometimes, exclusively). We need to do better.

LINKS

(BBC) Good Food: https://www.bbcgoodfood.com/
Chargrilled Chicken Curry, an allegedly-'premium' recipe: https://www.bbcgoodfood.com/premium/chargrilled-chicken-curry
Ghostery: https://www.ghostery.com/
Immediate Media: https://www.immediate.co.uk/