Nov. 22, 2013

North Korean Central News Agency (KCNA) server logs were protected by client-side JavaScript

Sat on this for a year, and figured it's time to publish. 

After a chance discovery of what appear to be KCNA's webserver logs in late 2012, I was able to perform an analysis and shed some light on the secretive North Korean news agency known to the world as  The media often quotes the source, analysts study their content, but until now -- no one on the outside knew exactly how big their web audience was.


Traffic Overview, Apr 2011 - Dec 2012

For the first eleven months of 2011, there was only a bare trickle of web traffic registering on the North Korean Central News Agency's website. Only about 600 people would visit the website daily, and perhaps click on four or five stories apiece. In terms of modern news site traffic, that's akin to cosmic background radiation being picked up by a Geiger counter: insignificant.

Then, in December of 2011, Kim Jong Il died. In the two weeks following his death, everything changed.  The world turned its gaze on North Korea, and by relative standards, the KCNA website traffic skyrocketed. Kim Jong Il's dying alone gave the KCNA a traffic boost it desperately needed. Pageviews in that brief period were nearly half of all their year's traffic.

Language Breakdown:
kor 341,163
chn 68,185
jpn 20,439
eng 38,489
spa 2,896

Media events cause public attention to fade away quickly and this was no exception. However, a peculiar thing happened. After the event, KCNA's baseline traffic levels rose to about 3,000 unique visitors per day - a five-fold increase, and it's been slowly but steadily growing.

After the April 13 test missile launch (second large spike), world again started paying attention to North Korea: KCNA is definitely gaining some traction.

There are five language editions: Korean, Chinese, Japanese, English and Spanish. Of that, 72% of their visitors read in Korean, 14% in Chinese, and the remaining languages comprise the remainder.

Security Hole

Often enough, a content management system's backend has a commonly predicted login URL, such as /admin/. Most such backends are entirely firewalled, or heavily fortified.  That initially appeared to be the case with KCNA: pulling up that URL returned you to where you came from after displaying a browser alert roughly saying "not allow" (at least according to Google Translate.)

However, if you opened the URL up in a new tab, you'd see this overview on the right after dismissing the alert() message - presumably a visitor log, with IP addresses, timestamps and language editions. Clicking into any of the links would tripwire the same security apparatus, and you'd get another alert box.

Not allow!KCNA.KP /admin/

Since the data scrape, the hole seems to have been patched by an actual firewall. However, it's bizarre that for years KCNA's reader privacy was essentially protected by a mechanism that nagged you into not looking around with a history.back() statement.  This was the source view of the /admin/ pages:


Think this part has to be spelled out: KCNA readers' IP addresses were exposed to the public.


Success Rate

Goals of any news agency are remarkably simple -- to report the news -- and to reach and grow audience.  How that's actually done is a constant struggle and constant adaptation, but the mark of success is also remarkably simple: growing audience into a loyal following, and with that, increasing outreach.

Despite having no external obstacles to their mission (such as active internet censorship by the west) the North Korean Central News Agency has largely failed to reach a significant web audience. Even with the two event jolts, KCNA web traffic is tiny: a bare trickle over the past years. However much money they're expending in the effort can't be justifiably worth it.

That's just my editorializing, but, at least it's based on on actual numbers. See for yourself.

Find this interesting, or useful? Consider sharing the post.

One response to “North Korean Central News Agency (KCNA) server logs were protected by client-side JavaScript”

  1. […] Writing on his blog, Dino Beslagic said he was able to access the site traffic data through a hidden interface page on the KCNA website. Rather than block off access with a firewall, the site allowed access to the page after simply acknowledged a pop-up window. […]

Leave a Reply

Your email address will not be published. Required fields are marked *

Posts on this blog solely represent my personal opinions and technical experience.

© 2009-2017 Edin (Dino) Beslagic