Is your website leaking paid content for free?

More and more websites are switching to a freemium model, where part of the content, typically the more basic part, is provided to visitors for free in order to entice them to subscribe, while the full content is released only upon some form of payment.

According to recent research by the Reuters Institute from Oxford University (UK), run over 6 EU countries and 171 news organisations, approximately 66% of online newspapers use a freemium model.

How does the freemium model work for online newspapers?

Typically, an online newspaper provides the most important or generic articles completely for free, while more specific or technical articles are only disclosed to subscribed users, upon payment.

The next picture shows a classic example of this mechanism, from the newspaper Le Figaro:

Freemium model of an EU online newspaper

Only the first few lines of an article are displayed to a visitor; the text then fades into white until a block, typically called the paywall, reminds the user to subscribe and pay in order to get the full content.

This is key to the newspaper's business model, as it is one of the main ways in which journalists, content, hardware infrastructure and every other bill can be paid, allowing the newspaper to exist and be profitable in the future.

Therefore, for any website, and specifically for an online newspaper using freemium content, it is extremely important to ensure that the full content can only be reached by converted readers, that is, users who have already paid for the subscription.

I have recently decided, out of curiosity, to perform an analysis of some newspapers and magazines with a freemium model, to check whether their paid content is definitely only accessible by subscribed paying users.

In most cases, I have been able to see that the only way for a user to get the paid content is indeed by subscribing and paying for it, and that is great, as such websites can make money in the way their business model is meant to.

However, I have been able to find, even though only in some isolated cases, newspaper websites where unfortunately the paid content can be easily accessed, without particular skills, completely for free, and without the website company being able to easily quantify what percentage of users can access their paid content without actually paying.

It goes without saying that this can be a deal breaker for the freemium business model: paid content that can easily be leaked for free would eventually, over time, make companies earn less than expected or even no money, leaving the business no longer profitable and forcing the company to close or expensively pivot to another business model.

In my analysis, using a browser like Chrome and its embedded Developer Tools, I have been able, in some cases, to access the paid content completely for free, within a matter of a few clicks and through simple manipulation of UI elements.

With further investigation, I came to realise that this is due to a poor implementation of the freemium model: instead of providing the full content only to subscribed users, who could access it only after going through a classic secured authentication mechanism (as everywhere on the internet nowadays), the full content is already delivered to any visitor of the article page and is metaphorically "covered" by some UI elements, whose removal, deletion or modification through UI manipulation results in showing the full content and letting the visitor get it for free.

As such manipulation happens in the browser, on a page that has been downloaded to the user's computer, it is very hard or impossible for the newspaper to quantify how many users are accessing their paid content for free.

What can be done to avoid this situation? The IT Team behind a freemium website or newspaper should always take care of:

  1. Making sure that the paid content is only reachable once a subscribed paying user has logged in;
  2. Testing the accessibility of their paid content by unsubscribed users.

The first point should be a mandatory feature for any freemium website, and testing it should be part of every round of testing of the website (whether manual or automated).
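An automated check for the first point, as an added example that is not part of the original article: it takes the HTML served to a visitor who is not logged in and reports which sentences of the paid body appear anywhere in it, including CSS-hidden elements and script blocks. The function names, the sample article and both HTML responses are constructed for illustration, and the full text is assumed to come from the site's own CMS.

```python
import re
from html.parser import HTMLParser

class _AllText(HTMLParser):
    """Collect every text node, including <script> bodies and CSS-hidden elements."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

def _norm(text):
    # Collapse whitespace and case so markup line breaks do not hide a match.
    return re.sub(r"\s+", " ", text).strip().lower()

def leaked_sentences(anonymous_html, full_article, free_sentences):
    """Return the paid sentences present in HTML served without a login."""
    parser = _AllText()
    parser.feed(anonymous_html)
    parser.close()
    served = _norm("".join(parser.chunks))
    sentences = [s for s in re.split(r"(?<=[.!?])\s+", full_article.strip()) if s]
    return [s for s in sentences[free_sentences:] if _norm(s) in served]

# Constructed sample: full text as held by the CMS; the first sentence is the free teaser.
ARTICLE = ("Markets opened higher on Monday. Analysts point to three drivers "
           "behind the move. The first is a sharp drop in energy prices. "
           "The full breakdown follows in the table below.")

# Constructed response of a poor implementation: body shipped, then covered by the UI.
LEAKY_HTML = """<article><p>Markets opened higher on Monday.</p>
<div class="premium" style="max-height:0;overflow:hidden">
<p>Analysts point to three drivers behind the move.
The first is a sharp drop in <em>energy</em> prices.</p></div>
<div class="paywall">Subscribe to keep reading</div>
<script type="application/ld+json">
{"articleBody": "The full breakdown follows in the table below."}</script></article>"""

# Constructed response of a correct implementation: only the teaser leaves the server.
SAFE_HTML = """<article><p>Markets opened higher on Monday.</p>
<div class="paywall">Subscribe to keep reading</div></article>"""

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY_HTML), ("safe", SAFE_HTML)):
        leaked = leaked_sentences(page, ARTICLE, free_sentences=1)
        print(f"{name}: {len(leaked)} paid sentence(s) served to an anonymous visitor")
```

Run against every premium article template in the regular test suite, any non-empty result means the paid body is leaving the server before authentication.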

The second part is, in my honest opinion, a new challenge that should be placed between functional and penetration / security testing, as it consists of testing that no exploit can be created by manipulating the UI elements of a page, whether to obtain paid content for free or to use JavaScript functions that were not meant to be accessed or used by website visitors, with consequences that are hard to imagine and may be much worse than just grabbing content for free.

In conclusion, I believe that a new type of security testing should be added to website testing, on top of what is already done, consisting of verifying that no harm can be done to the website itself, or to the business model of the company behind it, through manipulation of UI elements. This phase should also involve frontend developers, who can help design and create meaningful test cases, to deliver a safe and robust website.




Francesco Maria Carteri

Scale & Performance Tester

3 years

Hi Leonardo, I confirm your analysis! I sometimes used web inspector tools to find out which are the DOM elements and CSS styles that make the article not visible. Nowadays we should subscribe and pay almost everywhere... that's impossible to do. So when an article is really interesting to me I debug the client web page until developers will block it.

Wow! Nice article! Keep on it! I am already looking forward to the new ones. I know you have a lot to contribute for the community.
