Apple News+ desktop app flaw allows full download of magazines without subscription
Apple launched its new subscription service Apple News+ a couple of days ago. For just $9.99 a month, subscribers gain access to over 300 magazines and newspapers, including popular publications like Time, National Geographic, Forbes and Sports Illustrated. It turns out that subscribers aren’t the only ones who can access the rich database of News+.
It didn’t take long for Steve Troughton-Smith, a popular iOS and macOS “tinkerer,” to discover a pretty significant flaw in the way Apple’s service works on iMacs and MacBooks, as MSPowerUser noticed.
The findings were shared by Steve on Twitter, including the end results that he achieved without much effort. What he noticed was that Apple News+ Magazines isn’t using Apple’s own FairPlay. FairPlay is a technology developed at Cupertino that offers DRM (digital rights management) tools that the company is using to protect copyrighted materials on its iTunes store. And while iOS on your iPhone or iPad severely limits the way you can tinker around with apps, things are quite different when using the desktop version of News+.
The app was preloading pages from the PDF versions of magazines and storing them in the cache folder of macOS where they can easily be accessed and used to reconstruct the PDF itself. And while that’s valid for only the first few pages of each issue, Steve noticed that Apple News+ also downloads a list of all the pages with their unique URLs, which are hosted publicly and can, therefore, be accessed directly once you have the specific address. To save himself some effort, Steve wrote a basic script that goes through all the links and downloads the pages, which can then be easily combined into a PDF just like the one you’d get to read on the app.
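The gap described above is that page URLs are served to anyone who has the address. The following added example (not from the article or from Apple; the key, subscriber table, paths and function names are hypothetical) contrasts that with a server-side check that only honours short-lived links signed for a current subscriber.

```python
import hashlib
import hmac
import time

# Hypothetical signing key and subscriber table, constructed for this example.
SIGNING_KEY = b"example-key-not-a-real-secret"
ACTIVE_SUBSCRIBERS = {"user-1001"}
URL_LIFETIME = 300  # seconds a signed page link stays valid


def serve_page_open(path):
    """Behaviour described in the article: knowing the address is enough."""
    return 200


def page_signature(path, user_id, expires):
    """HMAC over everything the link asserts, so no field can be swapped."""
    msg = f"{path}\n{user_id}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_page_url(path, user_id, now=None):
    """Issue a short-lived link bound to one subscriber and one page."""
    now = int(time.time()) if now is None else now
    if user_id not in ACTIVE_SUBSCRIBERS:
        raise PermissionError("no active subscription")
    expires = now + URL_LIFETIME
    sig = page_signature(path, user_id, expires)
    return f"{path}?u={user_id}&e={expires}&s={sig}"


def serve_page_signed(path, user_id, expires, sig, now=None):
    """Return an HTTP status; 200 only for a valid link held by a subscriber."""
    now = int(time.time()) if now is None else now
    expected = page_signature(path, user_id, expires)
    if not hmac.compare_digest(expected, sig):
        return 403  # path, user or expiry altered, or signature missing
    if now > expires:
        return 403  # link leaked or cached past its lifetime
    if user_id not in ACTIVE_SUBSCRIBERS:
        return 403  # subscription lapsed after the link was issued
    return 200
```

Because the signature covers the path, the user and the expiry, a page list cached on disk stops being a set of reusable public addresses once the links expire.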
As you can probably tell, none of that required any advanced hacking skills to accomplish, which raises the question of why Apple hasn’t taken measures to prevent people from doing it. Now, we could easily make a joke here about the tech savviness of Apple users, but the truth is that there are more than enough power users on Apple’s platforms for the “we didn’t think anyone would find out” argument to not hold up.
It’s likely that now that the rabbit is out of the hat, Apple will quickly find a way to patch the vulnerability. If it doesn’t, it won’t be long before other, shadier, services pop up, offering the same content for free. We won’t be surprised if all the issues currently available on Apple News+ are already stored on a third-party server. That’s not something Apple’s new partners will be happy with, we know that much.
Apple News+ was the first of the newly announced services to become available for customers to try out, currently limited to the US and Canada only. The other two that were shown during the March 25 event, Apple Arcade, the new iOS gaming hub, and Apple TV+, where Apple-exclusive shows and movies will be available alongside popular channels like HBO and Showtime, are set to launch in Fall 2019. Hopefully, by then Apple will have had the time to prevent any issues that might spoil their launch.
A wide-open back door to the content on Apple News+
Text, pictures, all is there for your enjoyment
That’s not the first time subscription services have been circumvented and it probably won’t be the last. However, a company like Apple, which is famous for its tight security and protection of privacy and has plenty of experience with using copyrighted media, shouldn’t allow shenanigans like that with its services, especially ones that are just released and gathering subscribers.
A swift response can be expected from Apple