I made a TypeKit hack. Should I release it or not?

8 years ago from , Senior Software Engineer at Dollar Shave Club

I wrote this script that allows you to retrieve all of the CSS with data URIs from any font specified from TypeKit. I want to open source it on GitHub, but I am uncertain of the repercussions of doing so.

The CSS produced is recompiled with the necessary attributes, and since everything is within a data URI, I believe the CSS is untraceable to that of TypeKit's.

The methods used to retrieve this data are obviously specific so I do consider it a hack, though the exact same methods are also used by your browser to load CSS and font faces.



  • Pete Correia, 8 years ago

    Get in touch with Typekit and let them know about it. That's the right thing to do.

    8 points
  • Marc Edwards, 8 years ago (edited 8 years ago)

    I’d say no. What you may want to do is (nicely!) approach TypeKit and see if they're interested in your research. Some companies have bounties for finding security holes.

    I think publishing it publicly would be the wrong thing to do.

    7 points
  • Tyreil P, 8 years ago

    Rather than circumventing their service and potentially hurting other designers, have you considered sharing this hack with TypeKit so they could patch it?

    6 points
    • , 8 years ago

      There is no patch for this, nor will there be unless they were to remove actual web font usage on the fonts page. I have considered sharing it with them; I think I will do that.

      1 point
      • Adrian Cooney, 8 years ago

        Are you sure Typekit's fonts aren't domain specific? I've never used the service but I'd imagine that would be my absolute first security concern if I was building it.

        0 points
  • Manik Rathee, 8 years ago

    I think this might fall on the wrong side of typekit - their service is paid so it can pay typographers, etc.

    This is essentially taking that away. You can say that people should only use it WITH a typekit subscription, but in reality people will use it to avoid paying anyway.

    Just my 2 cents.

    3 points
  • Joe Turner, 8 years ago

    I think asking first was the right thing to do, and now giving it to TypeKit would also be the right thing to do... Your call.

    2 points
  • Ryhan Hassan, 8 years ago

    Are there legitimate use cases for this? The only one I can think of is when I'm working on a site locally with typekit fonts without a local server, which is a hard sell given excellent free tools like Anvil.

    Otherwise, an easy to use script would simply encourage more people to pirate. Many will always find a way, but at least don't lead them to it.

    1 point
  • Dustin Hoffman, 8 years ago

    I also made the same using phantomjs and woff2sfnt, here is my repo: https://github.com/Breefield/typecatcher

    I wanted to write a native Mac app which wrapped this so that TypeKit users could easily download their font-kits for use when designing in Photoshop/Fireworks and they didn't have the font files for their design.

    0 points
    • , 8 years ago

      Mine is all written with OOP in mind, and is then compiled all into one PHP file. It totals 265 lines (including logic, implementation, and templates). The API is so simple:

      $tk = new TypeKitHack();
      $css = $tk->retrieve( $typeKitURL ); // returns the raw CSS needed

      0 points
      • Dustin Hoffman, 8 years ago

        Nice, sounds simpler and more modular than mine (mine was just a proof of concept + installation on a user's machine was important). Are you planning to bundle it with another project/service?

        0 points
  • Nick W, 8 years ago

    So, this doesn't sound like a security breach in the traditional sense (i.e. what news would report as a hack), just a flaw in their service akin to downloading a video off YouTube or music off SoundCloud. Am I right?

    0 points
  • Steven Sarmiento, 8 years ago (edited 8 years ago)

    Could there be any legal repercussions?

    0 points