Numerade is hosting shadow library textbooks on public Google Drive links
Numerade's undocumented API exposes their entire textbook catalog. The books are stored on Google Drive with public access, and some appear to come from shadow libraries. Any registered user can retrieve them.
After building numerade-bypass, I kept poking at Numerade's infrastructure. The video paywall was one thing. What I found next was worse.
Numerade has an entire textbook library. Thousands of books, stored on Google Drive with "anyone with the link" sharing enabled, served through undocumented API endpoints. Some of these books come from legitimate sources like LibreTexts. Others appear to come from shadow libraries. Numerade is hosting pirated textbooks on their own infrastructure, behind a paywall, and charging students to access them.
The irony is suffocating. A company that profits from educational content behind a subscription is itself sourcing material from the same shadow libraries that exist specifically because education shouldn't be paywalled.
The catalog endpoint
Numerade has a public endpoint that returns their entire textbook database. No authentication required:
GET https://www.numerade.com/search/whiletype_database/
This returns every book they have, along with topics and curriculum metadata. No API key, no session cookie, nothing. Anyone can hit this and get the full catalog. The response includes book IDs, titles, authors, cover images, and category data.
Getting the actual PDFs
The books themselves require authentication, but not in the way you'd expect. You don't need a premium account. You just need any Numerade account. The flow:
- Log in to Numerade (free account works)
- POST to `/api/v1/user/books` with a book ID to add it to your library
- GET `/api/v1/user/books?format=json` to retrieve your library
- The response includes a `pdfUrl` field pointing to a Google Drive link
That's it. The "premium" gate is a frontend check. The API doesn't enforce subscription tiers for textbook access. Any authenticated user can add any book and get the download link.
The Google Drive situation
The PDF URLs point to Google Drive files shared with "anyone with the link" access. Once you have the URL, you no longer need a Numerade account at all: the link works for anyone who holds it, with no expiration, no per-user authorization, and no way to revoke it short of the file owner changing the sharing setting.
```javascript
// Assumes `session`, `csrf` and `bookId` are already in hand: the sessionid and
// csrftoken cookies from a logged-in free account, and a book ID taken from the
// catalog endpoint. Runs inside an async context from a non-browser client
// (browsers refuse to let scripts set a Cookie header).
const response = await fetch('https://www.numerade.com/api/v1/user/books?format=json', {
  headers: {
    'Cookie': `sessionid=${session}; csrftoken=${csrf}`,
    'X-CSRFToken': csrf
  }
});
const data = await response.json();
// Each library entry carries its Drive link directly; no tier check happens here.
const pdfUrl = data.results.find(b => b.id === bookId)?.pdfUrl;
// pdfUrl = "https://drive.google.com/file/d/..."
// public, no auth, no expiration
```
This is the same pattern as the video bypass. Numerade's security model is "hide the URL behind a login form." The actual resources have no access control.
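To make the "link is the only secret" point concrete, here is an added example (not code from the post or from the free-numerade-textbooks project) that takes the `pdfUrl` values a library response contains and rewrites them into unauthenticated direct-download URLs. The share-link shapes it recognises are the standard Google Drive ones; the library JSON at the bottom is constructed sample data, and the function names are hypothetical.

```javascript
// Added example: normalise Google Drive share links. Because the Drive file ID is
// the only variable part of the URL, any client that has the link can turn it
// into a download with no Numerade session and no Drive login.

// Share-link shapes Drive hands out; the capture group is the file ID.
const DRIVE_ID_PATTERNS = [
  /drive\.google\.com\/file\/d\/([A-Za-z0-9_-]+)/,                 // /file/d/<id>/view
  /drive\.google\.com\/(?:open|uc)\?(?:.*&)?id=([A-Za-z0-9_-]+)/,  // open?id=<id>, uc?...&id=<id>
  /docs\.google\.com\/\w+\/d\/([A-Za-z0-9_-]+)/,                   // docs/sheets/slides links
];

// Returns the Drive file ID embedded in a share link, or null if the URL is not a Drive link.
function driveFileId(url) {
  for (const pattern of DRIVE_ID_PATTERNS) {
    const m = pattern.exec(url);
    if (m) return m[1];
  }
  return null;
}

// Builds the unauthenticated direct-download form of a Drive share link.
function driveDirectDownloadUrl(url) {
  const id = driveFileId(url);
  if (!id) return null;
  return `https://drive.google.com/uc?export=download&id=${id}`;
}

// Walks a library response in the shape the post describes (results[].pdfUrl) and
// keeps every entry whose pdfUrl is a Drive link, paired with its download form.
function harvestDriveLinks(libraryJson) {
  return libraryJson.results
    .filter(b => typeof b.pdfUrl === 'string')
    .map(b => ({
      id: b.id,
      title: b.title,
      fileId: driveFileId(b.pdfUrl),
      download: driveDirectDownloadUrl(b.pdfUrl),
    }))
    .filter(b => b.fileId !== null);
}

// Constructed sample library (not real Numerade data): two Drive links, one
// non-Drive link and one entry with no pdfUrl at all.
const SAMPLE_LIBRARY = {
  results: [
    { id: 101, title: 'Example Calculus', pdfUrl: 'https://drive.google.com/file/d/1AbC_dEf-9/view?usp=sharing' },
    { id: 102, title: 'Example Physics', pdfUrl: 'https://drive.google.com/open?id=XYZ123' },
    { id: 103, title: 'Example Chemistry', pdfUrl: 'https://cdn.example.com/chem.pdf' },
    { id: 104, title: 'Example Biology' },
  ],
};

console.log(harvestDriveLinks(SAMPLE_LIBRARY));
```

One caveat when actually fetching the `uc?export=download` form: Drive serves an HTML virus-scan interstitial instead of the file bytes for large files, so a real downloader has to follow that confirmation step; none of that involves any credential, which is the point.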
The bigger issue
I don't care that Numerade has textbooks. I care about the combination of hosting books from shadow libraries, wrapping them in a paywall, and calling it a premium feature. Shadow libraries exist because people believe educational materials should be freely accessible. Taking that content and charging for it is the opposite of that principle.
It's also just bad security. An unauthenticated endpoint exposes the entire catalog. Any registered user can access the PDFs. The files sit on Google Drive with public sharing. There's no signed URL, no expiration, no access tier enforcement on the API. The premium paywall is a CSS overlay on a publicly accessible resource.
This is the same company whose video CDN was wide open on S3. The pattern is very consistent. Put content behind a frontend gate, assume nobody will look at the network tab, charge money for the privilege of not looking.
Code
The full project: github.com/GooglyBlox/free-numerade-textbooks
Documented API endpoints: GitHub Gist