Today I’ll share a fun story with you. Would you like to get free publicity? Go ahead and make a poor friendly URL implementation, like the Finnish Broadcasting Corporation, or YLE – the national broadcasting company of Finland – did.
YLE had a very naive friendly URL algorithm on their web site. As you may guess, people found out about it, hilarity and poor publicity for YLE ensued, and finally YLE got to tell everyone how hackers abused their URL algorithms – except they forgot to tell everyone it was very much their own fault.
The story begins
YLE, Yleisradio, or in english, the Finnish Broadcasting Company, is a finnish government-owned company which runs several TV and radio channels in Finland. They air various boring programs I don’t watch or care about (and Monk), but putting introductions aside, let’s start the story.
As you probably know, various sites use “friendly” URLs. Like in this blog, the URLs display the title of the post you’re reading, such as how-to-get-free-publicity-… and so on.
As all the cool kids on the block, when their site was redesigned, YLE got their very own short URLs and all was well.
That is, until evil hackers discovered their naive, sloppy implementation.
The shit hits the fan
Each news item on YLE’s website had a part of its title in the URL – such as yle.fi/uutiset/talous_ja_politiikka/2009/09/news_title_goes_here_984690.html
By abusing the naive URL algorithm, anyone could change the news item title to anything they wanted. As you may guess, a popular approach was to fine-tune various titles to make them quite offending – such as changing the title of an article about the immigrant housing problem to indicate that the immigrants were being sent to gas chambers.
This went on for quite a while. I’m not sure how long it was – maybe even a year or more – until YLE figured it out. Various links with altered titles circulated on IRC and popular finnish websites.
The “hack” itself was childishly simple: Like in the example URL earlier, if you just changed the title but left the numbers in the end intact, the link would still point to the expected article.
Obviously this made YLE look bad, afterall not everyone knew it was possible to alter the URLs, and many people thought YLE was writing racist article titles and so on.
Oh I know, let’s blame friendly URLs!
When YLE finally found out about the problem, they posted an article on their website, claiming this was the “downside of friendly URLs”.
The article said – multiple times – that this was all caused because they had decided to make a user-friendly website with friendly URLs. Obviously there was no way to display a friendly URL that you can’t modify, but which would still point to the correct article if its title changed later.
In the end, YLE had received a lot of questionable fame, especially on the internet. They seemed to finally have discovered a way to make friendly non-modifiable URLs, but their original claims seem rather funny at this point.
Holes like this, and many worse ones, have been a major issue on many big finnish websites. In writing this, I’m hoping some more people read about them, and learn to take measures against issues like this.
All in all, this was a funny episode. However, this was not the first time there was a fault in YLE’s site – some years back, during the finnish presidential election, there was another and even more amusing hole in their systems, but I’ll leave that for another time if you want to hear it – so leave a comment if you do.