Scalpers used a security researcher’s findings to reverse engineer “non-transferable” digital tickets from Ticketmaster and AXS, allowing transfers outside of their apps. The workaround was revealed in a lawsuit AXS filed in May against third-party brokers who adopted the practice. 404 Media first reported the news.
The saga began in February, when an anonymous security researcher who goes by the pseudonym Conduition published technical details about how Ticketmaster creates its e-tickets. If you’re not already familiar with how modern e-ticketing systems work, Ticketmaster and AXS lock down ticket resale on their platforms, preventing transfers through third-party services such as SeatGeek and StubHub. (For higher-priority events, they often take it a step further by prohibiting transfers to other accounts on the same platform.)
While the companies claim this practice is strictly a security measure, it gives them control over how and when their tickets are resold. (Yay, capitalism?)
Ticketmaster and AXS create “non-transferable” tickets using rotating barcodes that change every few seconds, preventing screenshots or printouts from being processed. On the back end, it uses core technology similar to that of two-factor authentication programs. Additionally, codes are only generated shortly before an event begins, limiting the window for sharing them outside of the apps. Without third-party intervention, the platforms tie ticket buyers to their own sales services, giving them vertical control of the entire ecosystem.
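The rotating-code idea, as an added example rather than Ticketmaster's or AXS's code: a gate-side check built on RFC 6238 TOTP, the algorithm behind authenticator apps, showing why a screenshot stops scanning once its time step has passed. The secret, 30-second step and 8-digit length are the RFC's test values and are assumptions here, since the article does not give the platforms' parameters.

```python
import hashlib
import hmac
import struct

# Constructed sample values: the RFC 6238 test secret, 30 s step, 8 digits.
# The ticketing platforms' real parameters are not given in the article.
SECRET = b"12345678901234567890"
STEP = 30
DIGITS = 8


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the secret and the clock."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def gate_accepts(secret: bytes, presented: str, scan_time: int, drift_steps: int = 1) -> bool:
    """Scanner-side check: accept codes from the current step +/- drift_steps."""
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, scan_time + d * STEP)
        if hmac.compare_digest(expected, presented):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    screenshot = totp(SECRET, 59)  # code on screen when the screenshot was taken
    print("code in screenshot:", screenshot)
    print("scanned 6 s later:", gate_accepts(SECRET, screenshot, 65))
    print("scanned much later:", gate_accepts(SECRET, screenshot, 1111111109, drift_steps=0))
    # A live code is recomputed from the secret and the current time.
    print("live code at scan time:", totp(SECRET, 1111111109))
```

Nothing in the code identifies a device or an account: the only thing separating the official app from any other generator is possession of the secret, which is why the scheme's protection rests on that secret staying inside the app.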
This is where hackers come in. Using Conduition’s published findings and an Android phone whose Chrome browser was connected to Chrome DevTools on a desktop computer, they extracted the platforms’ secret tokens that generate new tickets. Using the tokens, they created a parallel ticketing infrastructure that recreates the original barcodes on other platforms, allowing them to sell working tickets on platforms that Ticketmaster and AXS don’t allow. Online reports claim that the parallel tickets often work at the gates.
According to 404 Media, AXS’s lawsuit accuses the defendants of selling “fake” tickets (even though they usually work) to “unsuspecting customers.” The court documents allege that the parallel tickets were “created in whole or in part by one or more of the Defendants who illegally accessed the AXS Platform and then forged, imitated or copied the tickets.”
AXS’s lawsuit claims the company doesn’t know how the hackers did it. The promise of essentially jailbreaking Ticketmaster is so lucrative that several brokers have sought to hire Conduition to help build their own parallel ticket-generating platforms. Services already operating based on the researcher’s findings go by names such as Secure.Tickets, Amosa App, Virtual Barcode Distribution and Verified-Ticket.com.
404 Media’s full story is worth reading. The more technically minded may be interested in Conduition’s earlier findings, which show what the ticketing companies do on their back ends to keep entire ecosystems within their fold.