by antfie 764 days ago
The URL contains a JWT token which is a CWE-598 security weakness of the application. Reference: https://owasp.org/www-community/vulnerabilities/Information_....
1 comments

Haha, I know. As soon as I saw it, I decoded it and saw

{
  "aud": "stratechery.passport.online",
  "azp": "HKLcS4DwShwP2YDKbfPWM1",
  "ent": {
    "uri": [
      "https://stratechery.com/2024/the-great-flattening/"
    ]
  },
  "exp": 1718188732,
  "iat": 1715596732,
  "iss": "https://api.passport.online/oauth",
  "scope": "feed:read article:read asset:read category:read entitlements",
  "sub": "WsrLyrr6qemVAgEGCjMm34",
  "use": "access"
}
Not sure who user WsrLyrr6qemVAgEGCjMm34 is, but thanks for sharing the article with us all!

At first glance, looks like passport.online is a subscription management service: https://passport.online/

Pretty sure that Passport is Ben Thompson's (of Stratechery) own subscription management service. Not sure it is out in the world as a product yet.
Given that the token says it only allows reading of content and assets of this particular article for 1 month, it seems like this is an intentional feature for allowing subscribers to share paywalled URLs
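The inspection described in the decoded-payload comment and the "1 month" observation above, as an added example that is not part of the thread: the token itself was never posted, so the JWT here is constructed from the quoted claims with a dummy signature, and the decode step deliberately does not verify it (this shows what a URL-carried token exposes to anyone who sees the link, not whether it is genuine).

```python
import base64
import json
from datetime import datetime, timezone

# Claims as quoted in the comment above. The JWT built from them is CONSTRUCTED
# for this example; the signature is a placeholder, not a real HMAC/RSA value.
PAYLOAD = {
    "aud": "stratechery.passport.online",
    "azp": "HKLcS4DwShwP2YDKbfPWM1",
    "ent": {"uri": ["https://stratechery.com/2024/the-great-flattening/"]},
    "exp": 1718188732,
    "iat": 1715596732,
    "iss": "https://api.passport.online/oauth",
    "scope": "feed:read article:read asset:read category:read entitlements",
    "sub": "WsrLyrr6qemVAgEGCjMm34",
    "use": "access",
}


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that base64url strips before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_constructed_token(payload: dict) -> str:
    """Assemble header.payload.signature with a placeholder signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([_b64url_encode(compact(header)),
                     _b64url_encode(compact(payload)),
                     "constructed-signature"])


def inspect_token(token: str, now: int) -> dict:
    """Decode (without verifying) a JWT and summarise what a link carrying it grants."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return {
        "alg": header.get("alg"),
        "subject": claims.get("sub"),
        "lifetime_days": (claims["exp"] - claims["iat"]) / 86400,
        "expired": now >= claims["exp"],
        "expires_utc": datetime.fromtimestamp(claims["exp"], tz=timezone.utc).isoformat(),
        "scopes": claims.get("scope", "").split(),
        "entitled_uris": claims.get("ent", {}).get("uri", []),
    }
```

Running `inspect_token(build_constructed_token(PAYLOAD), now=...)` reports a 30-day lifetime, the read-only scopes, and the single entitled article URI, which is the basis for the "1 month, this article only" reading in the comment.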
Indeed, the same mechanism is used by Bloomberg for gift links. A signed JWT with expiry 7 days from creation. A fitting use case in my opinion.
I guess it's from newsletter's "share" link or something. This article itself isn't paywalled. https://stratechery.com/2024/the-great-flattening/
Can we update the URL then? OP probably did that to get around that it was a dupe, already submitted. :/
It's time locked so no one can later assess his hot takes with the clarity of time.