Wednesday, March 23, 2005

Scam free books through Google Print

Amateur programmer Greg Duffy recently pulled off a neat trick - he "baked" Google Print's cookies (in other words, tooled with them so they were giving back false information), so as to access a lot more PDF pages of random books through their service than a visitor is supposed to be allowed to - the entire book sometimes, in fact. This is cool in a geeky way itself, but then at the end of his post he throws up this tidbit, almost as an afterthought: "I could view an entire book on Google Print with one click every time. I later modified the software to spit out a PDF of the book." If I'm reading this correctly, he was basically collecting up all the loose pages of a book, then stitching them together in PDF and outputting it as a standalone book. Pretty impressive, I think, considering that a PDF copy of a book is pretty much the next-best thing to actually owning a paper copy.

For what it's worth, Mr. Duffy claims to have done it because he wants a job at Google, and he figured there was no better way to get their attention than to exploit an actual weakness of their system. His post has the full technical explanation of how he did it, for techies who are interested; be warned, however, that Google has already patched the hole that originally allowed this. (Thanks to if:blog for pointing this out.)

UPDATE, 2:30 PM: Mr. Duffy just wrote! He doesn't have a Blogger account, so instead emailed his comments to me; I thought I'd go ahead and run them as part of this entry:

"Hi Jason,

"I don't have a blogger account, so I'll just send this over email:


"- the hole is not patched, the exploit still works
"- I originally contacted Google about this 5 months before I posted the article, and since they ceased contact after the t-shirt bit I decided it was OK to publish

"And another, more personal nitpick (no hard feelings): I'm not an amateur, take a look at my resume :)

"Thanks for the link!"

My response: Oops, sorry for the 'amateur' wording in this original post. I just meant that you're not working for Google or any of their major competitors, is all. Thanks for the updated information, Greg!