Back in 2007 I discovered by accident that virtual goods sold on the large digital marketplace Clickbank were not protected properly from unauthorized access (see Clickbank we have a problem). Five years later, I'm going to find out if Clickbank has resolved the issues, and if other marketplaces or products are also improperly protected from third party access.
Before I start, I'd like to point out that downloading those products without having purchased them first is not legal. My main motivation for writing the article is to raise awareness for the issue.
If you look at the Clickbank order process, you will notice that payments are handled by Clickbank, but that the products are provided by the merchants on their sites. The big issue here is that customers do not need accounts to buy the products, and that this means that vendors cannot protect their download pages by locking out everyone who has not an account.
Two core issues come together here:
The process itself has not changed in the past five years. Clickbank suggests however that merchants run scripts on their Thank you Page that checks the validity of the page visitor. The company has started to pass along values, the cbreceipt value for instance, the proof of purchase value or the item number to the thank you page. Vendors can use scripting languages like PHP or Perl to verify the visitor before the download page is displayed.
Clickbank furthermore suggests to add a meta tag to the Thank You Page that protects it from getting indexed by search engine robots. (see Protecting Your Products)
The big issue here is that these are recommendations, and that many Clickbank vendors are not making use of them.
If you search for "CLKBANK Download instructions" or CLKBANK "save as" for instance, you will come up with dozens, if not hundreds of product Thank you pages. The verification script could protect the download pages, but most sites during tests did not have that implemented. If a Thank You Page is indexed, it is an indicator that the vendor has not implemented the meta tag, and it is therefor very likely that the verification script has not been implemented as well.
You will find some broken links there. Vendors often change their Thank You Page url when they notice that it has been leaked on the Internet.
Is Clickbank the only digital marketplace that is favoring ease of access over product security? No it is not. Warrior Special Offers, or WSO, is another merchant where this is happening. These products concentrate on the Internet Marketing niche. When you search for wso thank you you will again find dozens of results that point directly to product download pages.
Those two are not the only marketplaces where virtual goods are sold.
If you, as a vendor, are limited by the marketplace protection-wise, you might want to think about switching the marketplace. It is not always a feasible thing to do, especially if the marketplace you are using is the only big player in your niche. Clickbank vendors should implement the protection suggested by the marketplace to protect their goods from being indexed by search engines and downloaded by people who have not purchased them.
Similar options may or may not be available on other marketplaces.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.