Non-secure HTTP referer authentification on Pressreader and Europress

When I signed up for my city's online library services, I discovered a strange way of authenticating users when redirected to the pressreader.com or europresse.com site.

PressReader.com - Digital Newspaper & Magazine Subscriptions
Digital newsstand featuring 7000+ of the world’s most popular newspapers & magazines. Enjoy unlimited reading on up to 5 devices with 7-day free trial.

When I was using the pressreader.com service through my school, the site was running through a reverse proxy called Ezproxy. Thus, the authentication of the user was ensured by the school site, and it is the proxy which then carries out the authentication towards Pressreader.

When I registered on my city's website, I discovered that there is no use of reverse proxy at all. The user is directly redirected to the official Pressreader site. This intrigued me and I tried to figure out how the authentication works. I later discovered that many online libraries in France use this system.

You can find out about all the establishments that use Pressreader directly on their website:

In the authentification menu, you can login using external establishments
Write a city to find out which institutions use the platform

If the library you select does not redirect to an authentication page, chances are there is no protection in place to verify authentication at the Pressreader level.

In fact, there are 4 different possible authentification method offer by pressreader. The most interesting one is the URL referrer method. Because to be configure we only need have the URL of the librairy.

Authentification methods offer by Pressreader in 2016 (https://tiketti.koha-suomi.fi/attachments/download/1327/Etakayttovaihtoehdot.pdf)

This URL Referrer is also describe in their Help Center FAQ.
Why is this problematic ?

The Referer header allows a server to identify referring pages that people are visiting from or where requested resources are being used. Source

The referer header is automaticaly added by the client browser. It simply means that the user comes from a previous site. But not that the user is authenticated on the previous site.


Presentation of an example with the libraries of Brest. With a quick search on Google you can find the libraries that offer Pressreader and Europresse. Some of them use the referrer authentification.

When search for "pressreader" and "europress" google returns services that offer both products

When on the website, to access to Pressreader you are required to login. But if you were to connect to it, there should simply be a redirect button to Pressreader.

(I don't have account on brest metrople, but the behaviour is identical to my local library 🙂)

Let's edit any HTML anchor <a> by yours:

Added custom link to pressreader.com on the brest metropole website

If you click on the link, you will be redirected to Pressreader. A popup appears, indicated that you have logged in. You can now access the Pressreader kiosk without being authenticated.

Tada! You are authenticated as coming from the metropolis website, so you have access to the kiosk content for free.

If we lookup in the network menu of the dev tools, we can see that authentification is only done using the HTTP Referer (or Referrer). The authentication cookie is when set in the HTTP response.


Bonus: Create your own revert proxy to bypass authentification on Pressreader. I made the example using apache2 configuration:

Important point in the configuration:

  • ProxyPassReverseCookieDomain: Cookie authentification must be correctly configured
  • RequestHeader, AddOutputFilterByType, Substitute: Because some Javascript make request to pressreader.com API, we need to edit the html page return by the server. We update the value in html <base> in order to configure url call with our custom FQDN.
  • RequestHeader: Custom the referer to authenticate from a library.

In this article, I focused on Pressreader, but everything works the same for Europresse.

Europresse
Diffusion d’information de presse sur Internet