Reverse Engineering TicketMaster's Rotating Barcodes
July 12, 2024 1:46 AM Subscribe
"To those who designed this system, I say: Shame. Have fun refactoring your ticket verification system." Brilliant and quite simple reverse engineering of the infamous TicketMaster's Rotating Barcodes. Only need a web inspector, some python script and a shell to break the pseudo secure system.
Note the animated barcode, straight out of a Hollywood movie fake OS screen. It's a widespread trend for all so-called secure systems to display striking animations or messages emphasizing the "complex + slow = secure" aspect. For instance, there's often a screen-loading animation when we enter a password, even if the transaction takes milliseconds to complete. Or when I buy a transport ticket transport on an RFID card, I have to "wait while data is uploading to our card" whereas everything happens server-side and nothing is ever written on the card. Can you think of other fake UI that gives users a "sentiment" of security?
Note the animated barcode, straight out of a Hollywood movie fake OS screen. It's a widespread trend for all so-called secure systems to display striking animations or messages emphasizing the "complex + slow = secure" aspect. For instance, there's often a screen-loading animation when we enter a password, even if the transaction takes milliseconds to complete. Or when I buy a transport ticket transport on an RFID card, I have to "wait while data is uploading to our card" whereas everything happens server-side and nothing is ever written on the card. Can you think of other fake UI that gives users a "sentiment" of security?
Like eating a delicious little slice of chocolate velvet cake.
posted by lucidium at 3:27 AM on July 12 [2 favorites]
posted by lucidium at 3:27 AM on July 12 [2 favorites]
any news on when underground shows are going to get on board with ticketmaster?
posted by HearHere at 4:11 AM on July 12 [1 favorite]
posted by HearHere at 4:11 AM on July 12 [1 favorite]
Shame on you for abusing your talent to exclude the technologically-disadvantaged.
Shame on you for letting the marketing team dress this dark-pattern as a safety measure.
Shame on you for supporting a company with such cruel business practices.
(Good article, but it's a shame that he used white text on a black background. My eyes are now burning because of that style choice. I really wish that folks would instead use light gray text on a dark gray background if they insist on this weird style. In this case, he needs to go a bit darker gray with the text and lighter gray on the background. Or hey, just use black text on a white background like people should.)
posted by NoMich at 5:52 AM on July 12 [3 favorites]
Shame on you for letting the marketing team dress this dark-pattern as a safety measure.
Shame on you for supporting a company with such cruel business practices.
(Good article, but it's a shame that he used white text on a black background. My eyes are now burning because of that style choice. I really wish that folks would instead use light gray text on a dark gray background if they insist on this weird style. In this case, he needs to go a bit darker gray with the text and lighter gray on the background. Or hey, just use black text on a white background like people should.)
posted by NoMich at 5:52 AM on July 12 [3 favorites]
That animated barcode is weird and pointless. For LIRR tickets, the QR code keeps changing, which makes sense as it is being re-hashed using the current time. Much more secure, and works without cell service. It does require a phone and the MTA app, but, hey, it's the future. And you can still buy paper tickets if you want.
IIRC the shows I've gone to that use Ticketmaster e-tickets have allowed me to save them to my Google wallet to avoid shenanigans.
posted by grumpybear69 at 6:09 AM on July 12
IIRC the shows I've gone to that use Ticketmaster e-tickets have allowed me to save them to my Google wallet to avoid shenanigans.
posted by grumpybear69 at 6:09 AM on July 12
just use black text on a white background
A professional white background you might say.
posted by rhamphorhynchus at 6:27 AM on July 12 [4 favorites]
A professional white background you might say.
posted by rhamphorhynchus at 6:27 AM on July 12 [4 favorites]
Can you think of other fake UI that gives users a "sentiment" of security?
The TSA?
posted by signal at 6:55 AM on July 12 [5 favorites]
The TSA?
posted by signal at 6:55 AM on July 12 [5 favorites]
Fuck TicketMaster.
For reference, Google Wallet (and, I assume eventually, Apple Wallet since the two apps are always playing catchup to each other) supports rotating barcodes natively, in a way that doesn't require the ticket provider to pass the TOTP secret to the client and thus get sniffed like this.
Instead the TP hands the secret to Google directly on the backend, Google gives them an opaque reference to it, and then the TP embeds that reference in their webpage or app button that adds the ticket to Google Wallet.
The Wallet app then uses that reference to pull down the secret from Google's servers internally, in a way that I assume is difficult if not impossible for other apps to snoop, and generates the TOTP for the barcode.
I've used this feature personally and it works pretty well. I like keeping tickets offline in Google Wallet and vastly prefer it to installing a bunch of stupid random ticketing apps.
Anyway TM probably does want to force people to install their app so I'd be surprised if they ever do this integration, but they should if they want to actually be as evil as they hope to be.
posted by xthlc at 7:00 AM on July 12
For reference, Google Wallet (and, I assume eventually, Apple Wallet since the two apps are always playing catchup to each other) supports rotating barcodes natively, in a way that doesn't require the ticket provider to pass the TOTP secret to the client and thus get sniffed like this.
Instead the TP hands the secret to Google directly on the backend, Google gives them an opaque reference to it, and then the TP embeds that reference in their webpage or app button that adds the ticket to Google Wallet.
The Wallet app then uses that reference to pull down the secret from Google's servers internally, in a way that I assume is difficult if not impossible for other apps to snoop, and generates the TOTP for the barcode.
I've used this feature personally and it works pretty well. I like keeping tickets offline in Google Wallet and vastly prefer it to installing a bunch of stupid random ticketing apps.
Anyway TM probably does want to force people to install their app so I'd be surprised if they ever do this integration, but they should if they want to actually be as evil as they hope to be.
posted by xthlc at 7:00 AM on July 12
I remember when ticket scam security meant the tickets were printed on triple-layer paper... two outer sheets of white paper (on which the tix were printed), sandwiching a contrasting color paper (I remember it being red). This way, the buyer and the person accepting the ticket at the event could ensure it was a valid ticket by tearing a small corner of it to reveal the red paper inside!
posted by SoberHighland at 7:06 AM on July 12 [1 favorite]
posted by SoberHighland at 7:06 AM on July 12 [1 favorite]
The TSA.
Very recently, my wife returned home from a work trip via the airport. She unpacked her carry-on when she got home and found a large, metal box-cutter, complete with shiny, new razor blade that she had tossed into the bag before she left the work site. Not the flimsy plastic break-off razor type... the heavy-duty, metal kind that commercial contractors use. She had been using it to unpack various materials while working, and meant to return it to the co-worker she had borrowed it from at the job site, but had to leave in a hurry.
A box cutter.
posted by SoberHighland at 7:15 AM on July 12 [8 favorites]
Very recently, my wife returned home from a work trip via the airport. She unpacked her carry-on when she got home and found a large, metal box-cutter, complete with shiny, new razor blade that she had tossed into the bag before she left the work site. Not the flimsy plastic break-off razor type... the heavy-duty, metal kind that commercial contractors use. She had been using it to unpack various materials while working, and meant to return it to the co-worker she had borrowed it from at the job site, but had to leave in a hurry.
A box cutter.
posted by SoberHighland at 7:15 AM on July 12 [8 favorites]
Or when I buy a transport ticket transport on an RFID card, I have to "wait while data is uploading to our card" whereas everything happens server-side and nothing is ever written on the card.
I've never heard anyone adding those because "slow=secure". They add them because the number of back end systems that each front end system talks to numbers in the hundreds. Couldn't you do all that after the transaction has completed? Of course, but what if something messed up, and the info got to the customer but not the charging systems? That's executive horror.
posted by The_Vegetables at 7:21 AM on July 12 [1 favorite]
I've never heard anyone adding those because "slow=secure". They add them because the number of back end systems that each front end system talks to numbers in the hundreds. Couldn't you do all that after the transaction has completed? Of course, but what if something messed up, and the info got to the customer but not the charging systems? That's executive horror.
posted by The_Vegetables at 7:21 AM on July 12 [1 favorite]
…it's a shame that he used white text on a black background.
Reader view for the win, on the possibility you're unaware of its usefulness for this issue. I believe every modern browser has it build in at this point—I know for certain Safari and Firefox do, but not willing to install Chrome to confirm the rest. I agree, stark white on black is unpleasant, but reader view will let you customize background, font color, and size.
And it also often bypasses the less clever pay walls as an added bonus.
posted by los pantalones del muerte at 8:00 AM on July 12
Reader view for the win, on the possibility you're unaware of its usefulness for this issue. I believe every modern browser has it build in at this point—I know for certain Safari and Firefox do, but not willing to install Chrome to confirm the rest. I agree, stark white on black is unpleasant, but reader view will let you customize background, font color, and size.
And it also often bypasses the less clever pay walls as an added bonus.
posted by los pantalones del muerte at 8:00 AM on July 12
The default color scheme for every website in every browser since circa 2000 would seem to be a derail from talking about TicketMaster.
posted by one for the books at 8:18 AM on July 12 [4 favorites]
posted by one for the books at 8:18 AM on July 12 [4 favorites]
The QR code refreshes after a set amount of time, and the animation around it is to emphasize to users that taking a screenshot (something a huge portion of users try to do so they don’t have to login to the app again) wont work.
There are also popups that discourage this when you do it and literal text on the screen telling you not to take a screenshot. People still do it, over and over. And then get mad when it doesn’t work. Adding the animation cuts down on this behavior ~40% of the time.
How do i know this? I conducted several research studies around this exact issue, then tracked the data after the change went out. It’s dumb, sure, but it works. Nobody reads anything, especially when they’re waiting in line for something.
(And no, I didn’t work for TM)
posted by rosary at 8:18 AM on July 12 [6 favorites]
There are also popups that discourage this when you do it and literal text on the screen telling you not to take a screenshot. People still do it, over and over. And then get mad when it doesn’t work. Adding the animation cuts down on this behavior ~40% of the time.
How do i know this? I conducted several research studies around this exact issue, then tracked the data after the change went out. It’s dumb, sure, but it works. Nobody reads anything, especially when they’re waiting in line for something.
(And no, I didn’t work for TM)
posted by rosary at 8:18 AM on July 12 [6 favorites]
A classic tale of a fake UI:
Coinstar is a great example of this.posted by steveminutillo at 8:36 AM on July 12 [18 favorites]
The machine is able to calculate the total change deposited almost instantly. Yet, during testing the company learned that consumers did not trust the machines. Customers though it was impossible for a machine to count change accurately at such a high rate.
Faced with the issues of trust and preconceived expectations of necessary effort, the company began to rework the user experience.
The solution was fairly simple. The machine still counted at the same pace but displayed the results at a significantly slower rate. In fact, the sound of change working the way through the machine is just a recording that is played through a speaker.
Adding the animation cuts down on this behavior ~40% of the time.
I thought it also served as a backup for the venue staff to know if a ticket is a screenshot or not. I could easily doctor a cheap ticket into a good seat with a little bit of photo editing. If the usher asks to see the phone, it's a quick way to tell if the app is open and the seat is correct.
posted by JoeZydeco at 8:48 AM on July 12 [1 favorite]
I thought it also served as a backup for the venue staff to know if a ticket is a screenshot or not. I could easily doctor a cheap ticket into a good seat with a little bit of photo editing. If the usher asks to see the phone, it's a quick way to tell if the app is open and the seat is correct.
posted by JoeZydeco at 8:48 AM on July 12 [1 favorite]
I thought it also served as a backup for the venue staff to know if a ticket is a screenshot or not
Yep, you're exactly right
posted by rosary at 8:52 AM on July 12
Yep, you're exactly right
posted by rosary at 8:52 AM on July 12
That's not to diminish the work the original author did up above. Knowing it's a simple, extractable CSS animation makes it a lot easier to spoof the entire app now.
I use a ticketing app from my local commuter rail (the way to really fly!) and with a little bit of iOS programming one could easily make a fake app to show tickets. The only two components that are dynamic (in the interest of anti-counterfeiting) are easily retrieved by shoulder surfing another passenger moments before the conductor walks up.
posted by JoeZydeco at 9:54 AM on July 12
I use a ticketing app from my local commuter rail (the way to really fly!) and with a little bit of iOS programming one could easily make a fake app to show tickets. The only two components that are dynamic (in the interest of anti-counterfeiting) are easily retrieved by shoulder surfing another passenger moments before the conductor walks up.
posted by JoeZydeco at 9:54 AM on July 12
I am going to a show tonight and Ticketmaster handles that venue. I just hope my ticket isn't fuxxored by some clever kid...
posted by wenestvedt at 12:39 PM on July 12
posted by wenestvedt at 12:39 PM on July 12
For instance, there's often a screen-loading animation when we enter a password, even if the transaction takes milliseconds to complete
For passwords in particular, there are genuinely slower-and-more-secure algorithms! Being slow can be a feature for a password-hashing algorithm. If someone has a table of usernames and hashed passwords on one hand and a dictionary full of passwords to compare them against on the other, if hashing is very fast then they can check all of the combinations of users and passwords. But if hashing is very slow, then sad cybercriminal :-(
posted by a faded photo of their beloved at 1:29 PM on July 12
For passwords in particular, there are genuinely slower-and-more-secure algorithms! Being slow can be a feature for a password-hashing algorithm. If someone has a table of usernames and hashed passwords on one hand and a dictionary full of passwords to compare them against on the other, if hashing is very fast then they can check all of the combinations of users and passwords. But if hashing is very slow, then sad cybercriminal :-(
posted by a faded photo of their beloved at 1:29 PM on July 12
A small bit of Ticketmaster trivia: For a long time the core ticket allocation app was actually a custom kernel running on VAX hardware. Written in house. And running bare metal directly on the hardware, not using any of the VAX/VMS virtualization support.
If I understand correctly it was basically a single process with no threading.
The backstory I heard was a variant of “lead neck beard wanted it to be faster”
posted by alikins at 1:31 PM on July 12 [2 favorites]
If I understand correctly it was basically a single process with no threading.
The backstory I heard was a variant of “lead neck beard wanted it to be faster”
posted by alikins at 1:31 PM on July 12 [2 favorites]
I heard the VAX thing from a former TM employee I trust.
Other sources…
Hacker News
reddit.com/devops
posted by alikins at 1:44 PM on July 12
Other sources…
Hacker News
reddit.com/devops
posted by alikins at 1:44 PM on July 12
The TSA. … A box cutter.
If it makes you feel any better, the last time I flew (in March) the TSA dutifully confiscated a cheap waiter’s corkscrew I had forgotten about from my carryon.
posted by TedW at 1:58 PM on July 12
If it makes you feel any better, the last time I flew (in March) the TSA dutifully confiscated a cheap waiter’s corkscrew I had forgotten about from my carryon.
posted by TedW at 1:58 PM on July 12
A box cutter.
What’s the worse that can happen?
Oh yeah, thousands of deaths and kickstarting the final stage of at least one democracy.
posted by alikins at 2:16 PM on July 12
What’s the worse that can happen?
Oh yeah, thousands of deaths and kickstarting the final stage of at least one democracy.
posted by alikins at 2:16 PM on July 12
« Older Africa Fashion celebrates queer storytelling and... | All Correlations Are Bastards Newer »
That's Ticketmaster marketing from the FPP and it's hilarious.
posted by chavenet at 1:57 AM on July 12 [7 favorites]