The Security Behind MightyWords eMatter

Part 1: Overview of MightyWords System

By Dmitry Sklyarov
Edited by Planet eBook
February 19, 2002


Recently we began examining MightyWords' eBook distribution system, and as a result found the system unusual and vulnerable in several ways. Initially we had plans to share our observations with MightyWords, but unfortunately it published a press release announcing it was ceasing operations. We waited until the eBooks were removed from the Internet to avoid harming authors whose books were distributed by MightyWords. Now we have decided to publish our findings because we think they will be interesting and edifying for the general public.

This article focuses on MightyWords' technology for the secure distribution of books "published" as PDF files. There are many companies that provide technology for secure distribution of eBooks, and many of them deal with PDF files -- a popular and widely supported standard for electronic document distribution. The MightyWords system makes a best-effort attempt to lock the content without overly compromising usability. This reader-centric content protection approach differs from that used by many of the other eBook retailers.

While MightyWords was still running, it was a popular electronic publishing company that sold digital content -- what the company called 'eMatter' -- securely over the Internet. The content, published and distributed as PDF files, could be read by users of Adobe Acrobat and Adobe Acrobat Reader.

Technical Background

PDF-based eBook content protection is usually based on encryption, as defined in the PDF specification. MightyWords decided not to develop a new Security Handler, which is needed to process PDF encryption, and instead implemented its security functions via standard facilities embedded in Adobe Acrobat Reader. There are not many facilities to choose from. Actually, there is only one: Acrobat Forms with JavaScript.

It is necessary to note that Acrobat Reader has no ability to modify the content of a PDF document. However, JavaScript allows one to perform some operations with Forms: hide and unhide fields, submit fields to the Internet, and get a response.

We found that all eMatter was protected with the Standard Security Handler, which did not require a User password to open the document.

How MightyWords System Worked

The user would browse the site to select eMatter titles. When buying for the first time, the user would be prompted to register, providing contact and credit card information, as well as a User ID (the user's email address) and a password.

After purchasing the first title, all the user would have to do for future purchases would be to enter the User ID and password. Additionally, MightyWords would build a user account with a Personal Library, purchase history and personal profile.

After the user read the user policy and clicked the submit button, the purchase would be processed and the user prompted to get the title.

If the user wanted the title immediately, they could click the Get Title button and download the title to their computer. Alternatively, the user could wait, log on to their account, and download it from their personal library at a later time.

MightyWords allowed a user to download the content as many times as the user wanted; however, it had to be unlocked using a registered email address and password on each computer that the eMatter was opened on. This procedure was only required once on each new machine.

To read eMatter, a user required Adobe Acrobat 4.0 or higher. No additional hardware or software was required other than an Internet connection to unlock eMatter on the first attempt to open it.

Using Acrobat Forms for Securing PDFs

When eMatter was opened for the first time, the actual content of the initial page flashed for a very short time, and then it immediately became covered with forms. All other pages were covered with white rectangles and were invisible.

To unlock the document, the user's email address and password (established when first purchasing the eMatter) were required. The user then clicked the "Logon" button, and a JavaScript procedure attached to the button would send the logon information to the MightyWords server and wait for a response. In case of a successful response, all forms (except small fields with the user's name and the MightyWords DRM version number at the bottom of each page) would be hidden and eMatter's content would become visible.

During this process some data was stored in the Acrobat JavaScript Global Variable area. This information was used to check whether the document was already bound to this computer on subsequent attempts to open it.

Problems with the security model

The security model described above worked reasonably well, but how secure was it? We found several flaws.

As already discussed, each piece of eMatter was protected with the Standard Security Handler. It is most likely that this protection was applied with the purpose of preventing the document from being edited in the full version of Acrobat. Since the Standard Security Handler is described in detail in the PDF specification, it is not a significant challenge to get a decrypted version of the eMatter. The full version of Acrobat could then be used to remove all forms and scripts from the document.

There is another problem. JavaScript is an interpreted language. In other words, a program written in JavaScript is always stored in human-readable form. After decrypting eMatter it would be very easy to get the source code of the procedures used in the protection mechanisms, to analyze that code, and then to make modifications to bind eMatter to a computer without verification on the MightyWords server.

So, if someone had access to an eMatter file, no additional information or authorization would be necessary to get access to the content.

Additional Security Problems

We identified some security-related issues regarding the configuration of the download area at MightyWords.

Each piece of eMatter on the MightyWords site had a unique six-character identifier. For example, the identifier for the book "Making Sense of the C++ Pointer" was "MWBCBZ" (the first two characters are an abbreviation of "MightyWords").

There were several pages about each title available -- Summary, Free PDF Preview, Table of Contents, and Author Info -- and a script generated all pages. For example, the sample link here (now dead) would display a page with the Free PDF Preview of the "Making Sense of the C++ Pointer" book.

http://www.mightywords.com/browse/details_bc05.jsp?sku=MWBCBZ&privateLabel=false&display=preview

From the Free PDF Preview page there was a link to a PDF file containing the preview:

http://download-prod.mightywords.com/MW/BC/MakingSenseoftheCP_MWBCBZ_p.pdf

After you paid for the title, you would get the following link to download the full version of the eMatter:

http://download-prod.mightywords.com/MW/BC/MakingSenseoftheCP_MWBCBZ_e.pdf

The download links for the preview and the full version differed only by the last character before the extension -- 'p' for the preview and 'e' for the complete eMatter. So, an unauthorized user could download the full version of any eMatter.
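The flaw above is that the file name was the only thing standing between a visitor and the full title. As an added example (not MightyWords code and not part of the original article), here is a download check in which the preview stays public but the full version is served only against a purchase record and a short-lived, user-bound token. The key, the purchase table, the function names and the assumption that `user` comes from an authenticated session are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data: the key and purchase records are illustrative only.
SERVER_KEY = b"constructed-demo-key-not-for-production"
PURCHASES = {"alice@example.com": {"MWBCBZ"}}
TOKEN_LIFETIME = 600  # seconds a download link stays valid


def _mac(user: str, sku: str, expires: int) -> str:
    """HMAC binding the token to one user, one title and one expiry time."""
    msg = f"{user}|{sku}|e|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(user: str, sku: str, now: int) -> Optional[str]:
    """Return 'expires.mac' for a purchased title, or None if not entitled."""
    if sku not in PURCHASES.get(user, set()):
        return None
    expires = now + TOKEN_LIFETIME
    return f"{expires}.{_mac(user, sku, expires)}"


def authorize(user: Optional[str], sku: str, kind: str,
              token: Optional[str], now: int) -> bool:
    """Decide whether the preview ('p') or full ('e') file may be served."""
    if kind == "p":
        return True  # previews are public by design
    if kind != "e" or user is None or not token:
        return False  # knowing the file name alone grants nothing
    if sku not in PURCHASES.get(user, set()):
        return False  # re-check the purchase record on every download
    expires_text, _, mac = token.partition(".")
    if not (expires_text.isascii() and expires_text.isdigit()):
        return False
    expires = int(expires_text)
    if now > expires:
        return False
    expected = _mac(user, sku, expires)
    return hmac.compare_digest(mac.encode(), expected.encode())
```
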

Part 2: Possible Solutions & Conclusion