We recently discovered that Springer Nature, the world's largest academic book publisher and the owner of leading journals and brands such as Scientific American, Macmillan, and Nature, had a misconfiguration that allowed anyone to download its paid ebooks without purchasing them.
We contacted Springer Nature on March 14 to alert them to the issue and ask for comment, and they fixed it on March 15. On the same day, the Springer CyberSecurity Team thanked CyberNews for reporting the issue and asked us to show how to replicate the problem.
No technical steps were required to reproduce the misconfiguration. As a proof of concept, we attempted to download A Brief History of Universities, whose ebook version currently sells for $54.99 on Springer's website.
We visited link.springer.com, where users can buy PDF and EPUB books either individually or with a subscription.
When we clicked on the book's link, we were directed to its sales page and noticed that the download buttons were active.
We appeared to have the option to download either the PDF or the EPUB version of the book. We clicked the PDF download button and were able to download the file without registering or paying. In other words, the download endpoint served the file without checking whether the requester had bought the book or was even logged in.
The issue appeared to affect other books as well.
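The failure described above is a missing entitlement check: a paid asset is returned to a client that has neither logged in nor paid. The following is an added example, not code from the original article or from Springer Nature, of the regression check a publisher could run from an unauthenticated client against each paid asset URL after every deployment. All response data, URLs and names (example.test, cdn.example.test) are constructed for illustration; the classifier inspects the status code, headers and the first bytes of the body, so a file that comes back under a misreported Content-Type is still flagged.

```python
# Added example (not from the original article): classify what an anonymous
# client gets back from a paid-asset URL. Sample responses are constructed.
from dataclasses import dataclass, field
from urllib.parse import urlparse

PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"          # EPUB files are ZIP containers
ASSET_TYPES = ("application/pdf", "application/epub+zip")
LOGIN_TOKENS = ("login", "signin", "sign-in", "sso")


@dataclass
class Response:
    """Minimal stand-in for an HTTP response captured by an unauthenticated client."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name):
        # Header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def is_login_redirect(resp):
    """A 3xx whose Location points at a login-style path counts as protected."""
    if not 300 <= resp.status < 400:
        return False
    path = urlparse(resp.header("Location")).path.lower()
    return any(token in path for token in LOGIN_TOKENS)


def classify(resp):
    """Verdict for an anonymous GET of a paid asset URL.

    LEAK       : the asset itself came back (the misconfiguration).
    PROTECTED  : 401/403, a redirect to a login page, or an HTML page
                 (sales or login page) instead of the file.
    UNEXPECTED : anything else; a human should look at it.
    """
    ctype = resp.header("Content-Type").split(";")[0].strip().lower()
    # Magic bytes first: a 200 whose body starts with %PDF- or a ZIP header
    # is a leak no matter what the Content-Type header claims.
    if resp.body.startswith(PDF_MAGIC) or resp.body.startswith(ZIP_MAGIC):
        return "LEAK"
    if resp.status == 200 and ctype in ASSET_TYPES:
        return "LEAK"
    if resp.status in (401, 403) or is_login_redirect(resp):
        return "PROTECTED"
    if resp.status == 200 and ctype == "text/html":
        return "PROTECTED"
    return "UNEXPECTED"


def audit(samples):
    """Return {name: verdict} for a mapping of name -> Response."""
    return {name: classify(resp) for name, resp in samples.items()}


# Constructed responses for several states of the same hypothetical asset URL.
SAMPLE = {
    # Before the fix: the anonymous client receives the PDF itself.
    "misconfigured": Response(200, {"Content-Type": "application/pdf"}, b"%PDF-1.7\n"),
    # After the fix: the anonymous client is bounced to the login page.
    "fixed": Response(302, {"Location": "https://example.test/login?next=/book.pdf"}),
    # Header says HTML but the body is a PDF: still a leak.
    "mislabelled": Response(200, {"Content-Type": "text/html"}, b"%PDF-1.4\n"),
    # Sales page returned instead of the file: acceptable.
    "sales_page": Response(200, {"Content-Type": "text/html; charset=utf-8"}, b"<!doctype html>"),
    # Redirect to somewhere other than login: follow it and re-check manually.
    "cdn_redirect": Response(302, {"Location": "https://cdn.example.test/files/book.pdf"}),
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:14s} {verdict}")
```

In a real pipeline the `Response` objects would come from an HTTP client that does not follow redirects and sends no cookies or Authorization header; any `LEAK` verdict should fail the deployment, and `UNEXPECTED` verdicts should be followed up by hand rather than silently treated as safe.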
According to the company, Springer Nature is “the world’s largest academic book publisher, publisher of the world’s most influential journals and a pioneer in the field of open research.”
It currently has these popular brands:
- Scientific American
- Springer Nature
- Nature Research
- Palgrave Macmillan
- Macmillan Education
- Springer Healthcare
Springer Nature was formed in 2015 by merging several publishers and journals, including Springer (founded in 1842), Macmillan (founded in 1843) and Nature (first published in 1869).
Springer Nature claims to have more than 275,000 books available in print and online, including 120,000+ scholarly book archives, more than 30,000 conference proceedings, and over 8,500 textbooks.
We have sent emails to the Springer Nature CyberSecurity team and Communications department asking how the issue happened, whether it was a human or technical error, and how long it was in place.
It is currently unclear how long the issue persisted or what its impact was. Since Springer Nature has not provided this information, we cannot fully assess the size of the impact.
However, given the number of books the website holds, a single individual with basic technical knowledge could have automated the downloads and retrieved every title in a matter of hours.
The books on the website range in price, with some costing more than $150.
With 22,705 books listed on Springer Link, and assuming a price of $50 to $150 per book, the estimated potential loss would range from $1.1 million to $3.4 million.