Security through obscurity, or how to listen Morning for free

This is a long one, I’ll likely split in two.

“Il Post” is an italian online newspaper to whom I have been subscribed for years. They also produce several podcast, some of which are for subscribers only, and can only be listened on the browser on desktop and on their app on mobile.

Their app used to be quite buggy: it often crashed, or sometimes it kept playing but without making any sound.

I wanted to listen to their podcasts but using my usual podcast app (podcast addicted on Android at the time), and therefore I decided to look into how the app got the list of episodes so that I could write a proxy that converted that in an RSS feed using my credentials somehow.

So I used Charles to check which requests the app made when loading the podcasts, and I found out that (on iOS) it first loaded a json configuration file.

That json not only had all the useful endpoints, but also some staging endpoints and even credentials. Even better: both staging and production endpoint were public, and staging even had their swagger docs still available!

This is not an issue per se, but it shed a lot of light on how production endpoint worked. I could easily get a list of all episodes of all podcasts, including the url for each episode, since they are simply mp3 files, and they are not protected behind credentials.

Already more than a year ago I told them that it was possible to retrieve singular episodes just by using some HTML information that was available to everyone, and they added some kind of security through obscurity since they just added a random number to the filename of each episode.

That’s it then: I found a way of listening to every episode without needing any kind of subscription or even authentication. Building an RSS feed would prove to be even easier!

That said, I kept looking into their API and their app, even using apk tools to look into the code of the app, and found another, more convoluted way of listening for free.