Yesterday I opened a news article someone shared on Facebook which brought me to the website below. Notice the message box on top saying: “A subscriber shared this article so you can read it for free. Want to read more? Sign up and read 5 articles per month for free.” Because someone shared the article on Facebook I can read it for free. That’s interesting, because there are only a few ways for this site to know it’s a shared article, and most of those ways are easy to spoof / manipulate. Are we able to read more articles for free that are not shared…?
How does it work?
I can think of two ways this site knows I’m viewing a shared article:
- The link to the article is unique and specifically generated to be shared. By checking the unique part of the URL the website recognizes it as a free, shared article.
- The website checks which site I’m coming from. If it’s from Facebook, that must mean someone shared the article.
It is not option one, which can be checked by just looking at the URL. The URL contains only the article’s number and title, so no uniquely generated part. It must be option two: it checks where I’m coming from. If it’s from facebook.com (or twitter.com or any other social media site) it shows the article for free.
There is a second requirement. If I open a different article (also shared), I’m still required to sign up. It remembers whether I’ve already seen a free article and only shows the first one for free. Again two scenarios:
- After I open the first article the website stores my IP inside a database. Every other link after that queries the database first. It only shows the full article if my IP is not in there yet.
- After opening the first article it stores a cookie in my browser and the next time it checks if that cookie already exists. If it does, it’s not free and I must sign up first.
The first option, saving IP addresses inside a database, is generally the best way to go because IPs are harder to manipulate than cookies. I could change my IP address temporarily by using a proxy, VPN or similar, but that’s a lot of hassle for reading an article. A cookie, on the other hand, is fairly easy to edit or remove as it is stored locally. The IP-based way, option one, has a major downside: only one device in a network can see one article. That’s not ideal in schools, workplaces, etc. that share an IP, and it’s probably not what this news site wants.
I checked it and they indeed placed a cookie called ‘socialread’ with the article’s number as value (in my case 1118069; I confirmed it in Firefox by right-click, View Page Info, Security, View Cookies).
Is this a reliable method to let people read only one (shared) article?
In short: no. As said, cookies are easy to manipulate. I used Cookie Manager+ for this in Firefox. This addon makes it possible to change every cookie that’s set in your browser. I was able to change the cookie ‘socialread’ to a different article number. Or even easier: just disable cookies altogether. That way the site can’t even save the cookie and, surprisingly, it still shows articles for free. The news site doesn’t verify whether the cookie was actually set. (I won’t go into detail on how to disable or change cookies, but I can assure you, it’s really easy.)
The other check, whether we’re coming from Facebook, was a little bit harder to spoof (but still not hard). Of course, with the cookie check bypassed, it is already possible to see more than one shared article. But if I want to see a certain article on this news website, I have to look it up on Facebook first and find where it’s shared. Not the most efficient way. Easier would be to just always act like we’re coming directly from Facebook, even if we’re not, to unlock all articles.
The news site checks where we came from via the Referer header inside each request. If you’re, for example, visiting youtube.com from reddit.com, a lot of info is sent to youtube.com, including the exact URL you’re coming from. That last piece of information is stored inside a header called ‘Referer’ and that’s the header you want to change to facebook.com. A way to do this automatically is by (again) using a Firefox addon. I used Modify Headers for this, but there are many addons available that can spoof headers.
Social media isn’t the only trigger that makes the full text available; the same happens when coming from Google. They probably did this to get a higher ranking in Google (so-called SEO). Instead of setting the default Referer to facebook.com, set it to google.com. There is no need to disable or edit cookies now, because not only the first article is free: as long as you appear to come from Google, the full article will be visible. With these two methods (Referer spoofed and cookies disabled), it is possible to bypass all checks and read everything on the website for free.
If they want to make it more difficult to bypass, they should go for an IP-address-based solution instead of cookies. If that’s too strict (only one device in a network seeing one article for free), they should reconsider whether viewing one shared article for free is a great idea at all, because as far as I know there is no other way to make this work without it being easy to bypass. There is no Facebook API available that confirms whether a visitor is coming from a shared post. A different approach could be to put a share button on every page that generates a unique link on click. That results in only unique links being free, while just copy-pasting the article URL into a Facebook post does not unlock anything. And that’s not ideal either.
Do you have another solution? I’m happy to hear it. Put it in the comments below or contact me via social media at the top of this page! Also, if you liked it, please share it on social media, and you’ll be able to read everything for free on my site afterwards ;D
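
The share-button alternative suggested above, sketched server-side next to the Referer-and-cookie check the article infers. This is an added example, not the news site's code: the HMAC-SHA256 token format, the key, the per-token read cap and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlparse

SECRET = b"constructed-demo-key"   # assumption: server-side key, never sent to the client
TRUSTED_REFERRERS = {"facebook.com", "twitter.com", "google.com"}
MAX_READS_PER_TOKEN = 3            # assumption: cap chosen for this demo
_reads = {}                        # token -> redemption count (a database table in practice)


def weak_gate(headers, cookies):
    """The check the article infers: both inputs are supplied by the client."""
    host = urlparse(headers.get("Referer", "")).hostname or ""
    from_social = any(host == d or host.endswith("." + d) for d in TRUSTED_REFERRERS)
    return from_social and "socialread" not in cookies


def make_share_token(article_id, subscriber_id, now=None, ttl=86400):
    """Issued when a logged-in subscriber clicks the share button."""
    expires = int(time.time() if now is None else now) + ttl
    payload = f"{article_id}.{subscriber_id}.{expires}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def signed_gate(article_id, token, now=None):
    """Free access only for an unexpired token the server signed for this article."""
    now = time.time() if now is None else now
    try:
        tok_article, subscriber_id, expires, sig = token.split(".")
        expires = int(expires)
    except (ValueError, AttributeError):
        return False
    payload = f"{tok_article}.{subscriber_id}.{expires}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False               # forged or edited token
    if tok_article != str(article_id) or now > expires:
        return False               # token belongs to another article, or has expired
    _reads[token] = _reads.get(token, 0) + 1   # state lives on the server, not in a cookie
    return _reads[token] <= MAX_READS_PER_TOKEN
```
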