Legacy.com: How to 'Restore the Guest Book' for free

November 10, 2017 in Hacking

Step 1

Take a look at the locked guestbook URL and make note of the number after ‘pid=’: http://www.legacy.com/obituaries/nwitimes/obituary.aspx?n=jerilyn-kay-klemz-jeri&pid=149005836

Step 2

In the link used in the example, the pid is 149005836. Now construct the free guestbook link by entering the firstname, lastname, and pid into this link:

http://www.legacy.com/obituaries/name/Firstname-Lastname-obituary?pid=PID-from-previous-link&view=guestbook

So in my example, the free link becomes:

http://www.legacy.com/obituaries/name/Jerilyn-Klemz-obituary?pid=149005836&view=guestbook

That’s it.

*This is not illegal or stealing. After talking to Legacy.com they acknowledged that the free guestbook is accessible this way and said they have plans to remove the guestbook fees from all places on the website in the future.

Addenda

I was feeling down the other day, missing some people in my life who have passed away. I wanted to be able to read the comments others had left on the obituary at Legacy.com but was surprised to find a checkout process instead. $79.99 for permanent restore or $29.99 for one year restore. I thought, well that’s total bullshit.

Now, I understand that Legacy.com is a business, and they have to make money in order to pay for web hosting and other expenses. Apparently they also manually review and filter guestbook entries. Basically, if the guestbook entry doesn’t have something positive to say about the person, they reject it. Which, I agree, has some value if it filters trolls and people just trying to cause trouble for the deceased’s family, but I think it goes too far when filtering legitimate feedback from close family members. Take this for example:

“Reading the obit, he sounds like he was a great father,” says another, which is signed, “His son Peter.”

Why should that be filtered? If Hitler had an obituary on Legacy.com, and his son left him a shitty guestbook entry, should that be filtered? Well, we wouldn’t want to offend anyone who might have liked Hitler so yeah, right? Anyways, that is a whole other topic.

So, I understand that manually reviewing guestbook entries can be expensive, and although I don’t agree with the fact that they filter legitimate negative feedback from close family members, I realize that the service has a purpose and is mostly for the best. But I still can’t agree with charging people who are grieving just so they can read the comments on the obituary. There has to be a more caring monetization strategy than that.

I thought about paying for it, and I had no problem spending the money, it was worth it to me (of course, how could anyone put a price on something like this, which is also what makes it kind of wrong to begin with), but because I was morally opposed to the idea of it, I decided to poke around a bit to see if I could get it for free instead. I went back and right-clicked, view page source.

I was hoping the full comments were readable in the source, but unfortunately they weren’t. So I thought of another idea: I took the quote from the partial guestbook entry and searched it on Google to see if the full version existed somewhere else online. That is how I found the “free” guestbook page with full comments, no checkout process.

Because the “free” guestbook was clearly newer and better designed, I figured that the developers had accidentally exposed it, so I reluctantly reported it to Legacy.com on Twitter as a bug.

Twitter

Emails with Legacy.com

From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Friday, November 10, 2017 12:19 PM
To: [email protected]
Subject: Re: Guestbook able to be viewed without paying for "restore"

Hi Reilly,

Thank you again for this feedback.  Most of our papers are using an improved Guest Book product we started offering a few years ago, where Guest Books are always open and always free.  

We're working hard to get all of our partners over to that version, but not all papers are there yet.  It is a top priority of our company to get everyone over to this free and open version as quickly as possible. 

We're continually closing that gap and are always happy to open individual Guest Books whenever contacted in the meantime.

Please let us know if we can be of any further assistance.

Kind regards,

Will Hayes
Support & Solutions Supervisor
Legacy.com
[email protected] 



Original message:


Interesting. So the newspaper is the one choosing to require payment to unlock a guestbook, even though Legacy is providing the guestbook for free? 
So when a payment is made, is it the newspaper taking a portion or all of the proceeds, or does that go to Legacy?
It just seems exploitative to charge for something that is freely available, especially given the context.


Thanks,
Reilly Chase
760 622-7756
https://rchase.com


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Thursday, November 9, 2017 1:09 PM
To: [email protected]
Subject: Re: Guestbook able to be viewed without paying for "restore"

Hi Reilly,

Thanks for bringing this to our attention. 

We host the obituary content on the websites of many newspapers across the country.  Each newspaper determines their own configuration of how their obituaries and Guest Books are displayed and archived.

However, we also centralize and display much of this information directly through Legacy.com for free.

Many of our newspapers use a format where the Guest Book is free on their sites as well, however there are some that choose other configurations, and we agree this can lead to confusion.  We're continually working with our newspaper partners to move towards a consistent experience no matter where Guest Books are accessed.

We're also always happy to place complimentary sponsorships on these books.

Please let us know if we can be of any further assistance at this time.

Kind regards,

Will Hayes
Support & Solutions Supervisor
Legacy.com
[email protected] 



Original message:


Hi,

Just talked to you guys on Twitter: https://twitter.com/_rchase_



It looks like I found a bug. There is a way to view the Guestbook, and even sign it, without paying for the restore.



Here is an example, my Grandmother's obituary which the Guestbook is expired for:



http://www.legacy.com/obituaries/nwitimes/obituary.aspx?n=jerilyn-kay-klemz-jeri&pid=149005836



If I take that PID from the URL above and plug it into this URL below, I can view and sign the guestbook:



http://www.legacy.com/obituaries/name/larry-klemz-obituary?pid=149005836&view=guestbook



The bug works for all obituaries that I've tested.





Reilly Chase

760 622-7756

https://rchase.com

In the end, Legacy.com customer support acknowledged the bug and recommended that people use the free guestbook pages. They were quick to respond, caring (unlocked this guestbook for free for me), and actually seem to be a decent group of people despite their strange and seemingly exploitative business model.
