For some reason, I’ve managed to find exploits in software. As such, this page contains detailed explanations on how said exploits work, and how the company can patch the exploit.


“Free Fonts” Exploit:

Found: January 2014

Description: A user may be able to download paid fonts from a website. As a result, the user can use that font for anything he decides to.


On a paid fonts website, said websites usually have a “test drive” function, in which the user can test the font, before buying said font.

A user who would want said font, without paying, can follow this process to gain access to the font, using Chrome 56:

  • The user would right click on the website, and click “Source Code”.
  • The user would navigate to the Sources tab
  • The user would go through all the folders, until the user found .woff/.woff2 files.
  • The user would download those files, and use an online .woff/.woff2 to .ttf/.otf converter, and download the converted version.
  • The user would install the font on their computer, and as a result, effectively not paying for the font.

Each paid fonts website has a different setup for fonts. A user could also look through .html/.css/.js files, and find the URL for said .woff/.woff2 files.


To correct this exploit, paid font websites would need to implement a different way of previewing paid fonts.

The most secure way to correct this exploit is through images. A font website would instead use images to preview fonts, versus using the actual font.

As a result of correcting the exploit in this manner, the website has effectively stopped users from being able to download fonts for free.


A less secure way to fix this exploit is by using external servers to load fonts from. A website would store the sensitive .woff/.woff2 files on a separate web server.

However, as a result of employing this fix method, a user could still find the free fonts. A user could carefully scrutinize source code files (.html/.css/.js), and as a result, find the location of the font for downloading.


When this exploit was discovered in 2014, most, if not all paid font websites were vulnerable to this attack. Since then, a large number of paid font sites have patched this exploit. Yet, there are websites vulnerable to this exploit.


As a result of myself being much younger when I discovered this exploit, this exploit was not properly disclosed to paid font websites.