For some reason, I’ve managed to find exploits in software. As such, this page contains detailed explanations on how the exploits I’ve found work, and how companies can patch out the exploits.
If I do come across exploits in software, I will notify the company. If no response is received within 90 days, the details of the exploit will be posted here. Otherwise, if a response is received within 90 days, I will wait for up to 180 days for the exploit to be patched before posting the details of the exploit here. If the exploit patch takes under 180 days, once everything is patched, I’ll release the details here. The same goes for if the exploit patch takes over 180 days – I will post the exploit details here on the 181st day since the company started working on the patch.
(of course, this will probably never happen – I very, very rarely stumble across exploits, usually as a side effect of developing stuff)
“Free Fonts” Exploit:
Found: January 2014
Description: Users can download paid fonts for free by going into inspect element, finding the .woff/.woff2 files commonly used for previewing the font, and converting them to .ttf/.otf for their own usage.
Behavior:
Most paid fonts websites have a test drive function, in which users can test fonts before buying them.
There’s a known exploit in which users can get fonts without paying for them, by finding the source .woff/.woff2 files that are used for the font previews.
The process for finding these fonts is as follows (for Chrome/Firefox):
- Right click -> inspect element
- Navigate to the sources tab
- Find the .woff/.woff2 files, usually by going through all the folders or searching for “woff”
- Download the .woff/.woff2 files (Chrome/Firefox preview the files so that a user could make sure it’s the paid font they want)
- Convert the .woff/.woff2 files into .ttf/.otf and download the converted version.
- User installs the converted files on their computer, and they have the font without paying for it.
Correcting:
To correct this exploit, paid font websites would need to implement a different way of previewing paid fonts.
The most secure way to correct this exploit is via dynamically generated images for the font previews. When a user previews the font, a backend server renders the preview with the paid font and returns it as an image. This ensures that there are no .woff/.woff2 files on the website, and the problem is solved.
Hosting the .woff/.woff2 files on an external server does not fix the issue. Anyone could still search through the source code files for “woff” and find the source of the .woff/.woff2 fonts. Yes, this does make things a bit harder, but it isn’t foolproof.
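The dynamically generated image preview described above, sketched with Pillow as an added example (it is not code from any font site or from this page's author). The font ids, the `FONT_DIR` path and the length and size limits are constructed assumptions.

```python
import io
import re
from pathlib import Path

# Assumption: licensed font files live outside the web root.
# The directory, font ids and file names below are constructed for this example.
FONT_DIR = Path("/srv/fonts-private")
FONTS = {
    "example-serif": "ExampleSerif-Regular.otf",
    "example-sans": "ExampleSans-Regular.otf",
}
MAX_CHARS = 80
MIN_PX, MAX_PX = 12, 96


def validate_preview(font_id, text, size_px):
    """Return (font_path, text, size) or raise ValueError for a bad request."""
    # Look the id up in a fixed table: the client never supplies a file path.
    if font_id not in FONTS:
        raise ValueError("unknown font id")
    # Drop control characters and cap the length to bound rendering cost.
    text = re.sub(r"[\x00-\x1f\x7f]", "", str(text))[:MAX_CHARS]
    if not text:
        raise ValueError("empty preview text")
    try:
        size = max(MIN_PX, min(MAX_PX, int(size_px)))
    except (TypeError, ValueError):
        raise ValueError("size must be an integer")
    return FONT_DIR / FONTS[font_id], text, size


def render_preview(font_id, text, size_px):
    """Rasterise the preview on the server and return PNG bytes."""
    from PIL import Image, ImageDraw, ImageFont  # Pillow, imported lazily
    path, text, size = validate_preview(font_id, text, size_px)
    font = ImageFont.truetype(str(path), size)
    left, top, right, bottom = font.getbbox(text)
    pad = size // 2
    img = Image.new("RGB", (right - left + 2 * pad, bottom - top + 2 * pad), "white")
    ImageDraw.Draw(img).text((pad - left, pad - top), text, font=font, fill="black")
    buf = io.BytesIO()
    img.save(buf, format="PNG")
    return buf.getvalue()
```

The web handler returns these bytes as `image/png`; the font file itself is never placed under a URL the browser can request.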
Effects:
When this exploit was discovered in 2014, most, if not all, paid font websites were vulnerable to it. Since then, a large number of paid font sites have patched this exploit, but some haven’t.
Disclosure:
I did not properly disclose this exploit to paid font websites. I was a lot younger at the time of finding this exploit.