
Comment by lakerz16

2 years ago

I hate TM and ridiculous fees as much as anyone, but this article is overly hyperbolic.

There's a section named "Pirating Tickets", that just explains how to re-create a barcode that you already paid for. You're not using this to rob anyone of anything.

And at the end, "Have fun refactoring your ticket verification system". Why? There are no vulnerabilities here. A rotating barcode (even if following a known pattern) is still more secure than a static barcode on a piece of paper.

Piracy here just means you can use it to sell your ticket without using their platform, which is analogous to just sending someone the PDF or handing over the piece of paper as always.

While this has the upside of breaking you free from TM's obnoxious practices, it also obviously opens up for scalpers and all.

  • Scalping is still possible without understanding the tech - you could just stream a video of the bar codes and sell the stream instead of selling the ticket.

    • The whole point of their system isn't to eliminate the possibility entirely; it's to make it impractical to get around for the vast majority of concert-goers, and it clearly succeeds at this.

      Recording the ticket with a video is everyone's first thought at defeating their restriction, and is no doubt the first thing they thought of when designing it. Hence, the codes expiring so quickly that you'll need a new video before you get through the line at the entrance of the venue. And messing with videos in a pressured line of people in front of a bouncer is, as others have said, simply not practical for the vast majority of cases.

      So it's kind of irrelevant - practically speaking - that it is possible.

  • Piracy here means that you can sell 50k tickets to the same seat with a real valid rotating barcode.

Are you sure you understood the article? The token is supposed to be a secret and the TOTP generation should happen remotely. This is not the case and this suggests a fundamental lack of security practices at the company.

  • "Should happen remotely" – according to who? What is the security risk for the end-user?

    "this suggest a fundamental lack of security practices at the company" – that's a stretch of a conclusion to make. You're being as hyperbolic as the original post.

    What didn't I understand about the article? This still offers a slight increase in security over static barcodes, without introducing any new vulnerabilities.

    • > This still offers a slight increase in security over static barcodes, without introducing any new vulnerabilities

      It offers nothing to the user, except taking away their rights, and making it all unreliable.

  • > the TOTP generation should happen remotely.

    It says that it is available offline (if you've viewed it in the last 20 hours), so the TOTP generation can't happen remotely.

  • Well, it's more like the "security" they want is fundamentally incompatible with support for offline use in this case (as long as we have open computing platforms anyway).

  • Which would increase the problem he described--too many people trying to get in overloading the local bandwidth.

    It's enough to defeat screenshotting and the 20 hour bit would defeat large scale malicious use.

    Not good security but probably good enough, especially in stopping the resale of stolen tickets.

It's piracy in a way that's analogous to ripping like Netflix content. You are breaking away from DRM which is piracy. They also cite the potential to have multiple tokens valid per one ticket which would let multiple people get in with the same ticket.

  • I doubt the second bit is true - they will still be marking the ticket as used in their backend.

    They are just trying to prevent scalpers printing off tickets 10 times and selling them outside the venues as a scam, which happened at every large concert I have ever been to until recently (so I assume this is working!).

    • You would hope... But they often run the scanners in offline mode (e.g. at temporary / seasonal events) so there can be lag in the backends being updated.

      Heard from a friend who got straight into two events in the same city recently - they presumed the show was at one outdoor venue but the scanners let them straight in at the first (wrong) venue. Went to the correct venue and got in there without any issue too (this suggests one or both venues were offline or using offline scanners).


    • > they will still be marking the ticket as used in their backend.

      I assume that's true, but it makes me wonder how their scanners are connected to the server.

      I mean, if 10,000 people showing up to an event with smartphones overwhelms wireless networks, won't that also kick their scanners off the network?

      They'd probably like to have a system where, if a scanner loses its connection, it can still validate tickets. It could store a copy of validated tickets locally, and upload it when the network connection is restored - that would mean a copied ticket would have to make sure they go to a different door/scanner. But it would allow copying.


  • I'd argue that a few extra people sneaking in on the same ticket (assuming this is even possible) is more like sharing your Netflix credentials than ripping Netflix content and having it be shareable with the entire world.

    You're also walking into a stadium/concert in plain view of security cameras, so the stakes and deniability are different as well.

    • Not a lawyer, but "subverting DRM" (even if it's trivial or really stupidly designed) can be a crime in and of itself in the US under the DMCA. There are a bunch of exceptions to this, so I have no idea if OP's work is actually illegal.


  • It would be DRM if the barcode was copyrighted material, which it isn't.

The way this is already being exploited in the wild is that a scalper/scammer buys 1 ticket, then resells the same ticket multiple times. Multiple people believe they have a valid ticket, show up at the event, but only the 1st ticket works. The other people who try to use the ticket are turned away saying that their ticket has already been used.

  • > The way this is already being exploited in the wild is that a scalper/scammer buys 1 ticket, then resells the same ticket multiple times. Multiple people believe they have a valid ticket, show up at the event, but only the 1st ticket works. The other people who try to use the ticket are turned away saying that their ticket has already been used.

    That is one of many ways this is already exploited in the wild.

  • Do you have a source for this? What platform are they selling multiple copies of the ticket through, and what app are the buyers using that allows multiple buyers to receive and show the same animated barcode?

This way you can sell and have the ticket completely off of Ticketmaster. That is a vulnerability. It lets users do something they explicitly don't want to allow.

  • Assuming that you can actually do that.

    If the seller re-opens the TM app and it generates a new token and invalidates the old one, then that's not the case.

He was basically wondering if he could create two tickets each with different tokens. Tokens are valid for 20 hours but it probably doesn't invalidate the old token (e.g. a request for a new token makes it to the internet but due to congestion, the response never comes back to your phone before timing out) and this could trigger multiple tokens for the same ticket that are all valid.
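
The checks discussed in this thread (codes that expire quickly, marking the ticket rather than the token as used, and scanners that keep validating while offline), as an added example that is not part of the original comments or of Ticketmaster's system. The 15-second step, the token and ticket IDs, the secrets and the `Scanner`/`reconcile`/`demo` names are all constructed for illustration.

```python
import hashlib, hmac, struct

STEP = 15  # rotation period in seconds; constructed value, not from the thread
def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Scanner:
    """Gate scanner that validates codes locally, with no network needed."""
    def __init__(self, name, tokens):
        self.name = name
        self.tokens = tokens   # token_id -> (ticket_id, secret)
        self.admitted = {}     # ticket_id -> time of first scan at this gate
    def scan(self, token_id, code, now):
        if token_id not in self.tokens:
            return "unknown"
        ticket_id, secret = self.tokens[token_id]
        # Accept the current and previous step to tolerate clock skew.
        if not any(hmac.compare_digest(code, totp(secret, now - d)) for d in (0, STEP)):
            return "expired-or-invalid"
        # Single use is keyed on the ticket, not the token.
        if ticket_id in self.admitted:
            return "already-used"
        self.admitted[ticket_id] = now
        return "admitted"

def reconcile(scanners):
    """Merge offline ledgers; return tickets admitted at more than one gate."""
    seen = {}
    for s in scanners:
        for ticket_id, t in s.admitted.items():
            seen.setdefault(ticket_id, []).append((t, s.name))
    return {tid: sorted(v) for tid, v in seen.items() if len(v) > 1}

def demo(now=1_700_000_000):
    # Constructed data: two tokens issued for one ticket, two offline gates.
    tokens = {"tok-a": ("T1", b"secret-a"), "tok-b": ("T1", b"secret-b")}
    g1, g2 = Scanner("gate1", tokens), Scanner("gate2", tokens)
    results = [
        g1.scan("tok-a", totp(b"secret-a", now), now),            # fresh code
        g1.scan("tok-a", totp(b"secret-a", now), now + 60),       # replayed recording
        g1.scan("tok-b", totp(b"secret-b", now + 5), now + 5),    # second token, same gate
        g2.scan("tok-b", totp(b"secret-b", now + 10), now + 10),  # second token, other gate
    ]
    return results, reconcile([g1, g2])
```

Each gate on its own admits the ticket once; the duplicate admission only surfaces when the offline ledgers are merged, which is the backend lag described in the comments above.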