Marvel Digital Comics Unlimited security
This is something I discovered a few months ago but never got around to writing about here. Marvel Digital Comics Unlimited is a subscription service that allows one to read scanned versions of Marvel comic books online. The issues that one can read are never current with those on the shelves, but I suppose Marvel had to make some concessions to retailers.
It's a decent enough service, but the Flash applet used for reading the books in your web browser is nigh unusable. So just after Christmas I started working on a Firefox extension that would allow me to read the books in an offline reader like CDisplay.
In researching how the Flash applet communicated with Marvel's server, I discovered that although an authentication value was being passed with every request, the server was completely ignoring it. The upshot was that a request for an image file like http://www.marvel.com/dotcomics_issues/ASM093_1963/hi_res_col/02.jpg?stdi=ckfq35k8nfep915892v1nsift2dgr didn't actually require the "stdi" variable to be passed at all: the predictable path alone was enough to fetch the page, so the authorization check existed only on the client side and every comic was effectively open to subscribers and non-subscribers alike.
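The quickest way to confirm a finding like this is to fetch the same resource three ways: with the token as issued, with the token stripped, and with a bogus token of the same length. If all three come back 200, the server is not checking it. The probe below is an added example, not code from the original post and not Marvel's code; the two `fetch` functions are constructed stand-ins for the server (one behaving as the post describes, one checking the token) so that the probe runs offline, and `VALID_TOKENS` is an assumed session store.

```python
# Added example: probe whether a per-request token on a resource URL is
# actually enforced server-side. Not Marvel's code and not the original
# post's code; the fetch functions are constructed stand-ins for the server.
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# The image URL quoted in the post, with its stdi token.
IMAGE_URL = ("http://www.marvel.com/dotcomics_issues/ASM093_1963/hi_res_col/02.jpg"
             "?stdi=ckfq35k8nfep915892v1nsift2dgr")


def with_query_param(url, name, value):
    """Return url with query parameter `name` set to `value`, or with the
    parameter removed when value is None. Other parameters are preserved."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if value is None:
        query.pop(name, None)
    else:
        query[name] = [value]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def probe_token_enforcement(fetch, url, param="stdi", bogus="x" * 29):
    """Fetch the resource three ways and report whether `param` gates access.

    fetch(url) -> HTTP status code. The token counts as enforced only if the
    original request succeeds while both the stripped-token and bogus-token
    requests are refused; any other pattern means the server ignores it.
    """
    results = {
        "original": fetch(url),
        "stripped": fetch(with_query_param(url, param, None)),
        "bogus": fetch(with_query_param(url, param, bogus)),
    }
    results["enforced"] = (
        results["original"] == 200
        and results["stripped"] != 200
        and results["bogus"] != 200
    )
    return results


# Constructed stand-ins for the server (assumption: a 403 on refusal).
VALID_TOKENS = {"ckfq35k8nfep915892v1nsift2dgr"}  # assumed live session tokens


def vulnerable_fetch(url):
    """Serves the image no matter what stdi says: the behaviour the post describes."""
    return 200


def fixed_fetch(url):
    """Refuses any request whose stdi is missing or not a live session token."""
    token = parse_qs(urlparse(url).query).get("stdi", [None])[0]
    return 200 if token in VALID_TOKENS else 403


if __name__ == "__main__":
    for name, fetch in (("vulnerable", vulnerable_fetch), ("fixed", fixed_fetch)):
        print(name, probe_token_enforcement(fetch, IMAGE_URL))
```

Against a real service you would replace `fetch` with a function that performs the GET and returns the status code, and it is worth comparing response length or a hash of the body as well, since some servers answer an unauthorized request with a 200 and a placeholder image. Run it only against your own subscription and the URLs the applet actually requested.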
I decided to inform Marvel, but I had no interest in wading through a phone tree trying to explain security vulnerabilities to receptionists. Unfortunately, Marvel's contact information page is fairly useless unless you want to book Spider-Man for your next corporate function. So I contacted Rich Johnston of Lying In The Gutters, a long-running comic book rumour column.
In the January 7th, 2008 edition of LITG (under "Marvel Comics Unpaid"), Rich reported my findings and asked Marvel for comments. Apparently they never responded, but the security hole was fixed that very day. My guess is that Marvel was aware of the issue but hadn't pushed a fix out to production yet. I know how that can go sometimes.
Anyway, the reason I got around to writing this is that I expect to have a proof-of-concept of my downloading utility later this week. It won't be a Firefox extension as I'd originally hoped, but I will try to make it as convenient as possible.
