http://www.theage.com.au/news/national/2001/06/18/FFX85SO43OC.html

By BARRY PARK, Fairfax IT
Monday 18 June 2001

Hacker group 2600 Australia today warned soft drink maker Coca-Cola Amatil to increase the security of online competitions after publishing part of the process it says the company uses to verify competition entries.

The group said it believed the Coke Music Auction was being "scammed" by people who knew the full algorithm used to verify codes printed on the side of Coke bottles.

The codes are used to claim credits to bid on prizes at the Coke Music Auction website, run in conjunction with portal Yahoo. Credits per bottle range from 100 for a 390mL bottle to 300 for a 2L bottle.

Top bidding on the Coke Music Auction website earlier today was for an LG television package, with a bid of 462,050 credits, the equivalent of more than 1500 two-litre Coke bottles.

2600 Australia member "Poppy", who discovered the flaw, said the proof of concept used to reveal part of the algorithm used to verify the codes had taken "two to three" hours to circumvent late last month. He said about 100 sample codes were gathered from bottles in a recycling bin at a fast food restaurant.

The full algorithm could be worked out by anyone who had access to a larger number of bottles by substituting the letters in a valid code with its equivalent character, he said. If a substituted code was valid or had not been claimed before, the credits would be assigned to the registered user.

Poppy said the Coke Music Auction website would lock a user out of the site for 25 hours if a registered user keyed in 15 invalid codes. He said he had "spoken to a few people who are doing it".

The back-end security of the online competition attracted his attention after he saw a large number of credits bid on items up for auction shortly after the competition started, he said.
"Coca-Cola surely know by now that there is something seriously wrong with this competition," the posting on the 2600 Australia website says.

Poppy said ideally he would like to see Coca-Cola Amatil re-run the competition, although he said that in reality all he could expect from the company was an apology to legitimate customers who missed out on prizes.

Coca-Cola Amatil has been contacted for comment.
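The weakness described above is that valid codes are related by a simple letter substitution, so a handful of samples reveals the pattern. The following is an added illustration of the defensive alternative, not code from 2600 Australia or Coca-Cola Amatil: codes carry an HMAC-derived check part under a server-held key (the key, code format and issued-code set are constructed assumptions), so a substituted code fails the check, and the redeemer enforces the lockout policy the article reports (15 invalid codes, 25-hour lockout) plus single redemption.

```python
import hmac
import hashlib
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_uppercase + string.digits
# Constructed demo key; in a real deployment this never leaves the verifying server.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def check_chars(body: str, key: bytes) -> str:
    """Derive 4 check characters from the random body with a keyed HMAC."""
    digest = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:4])


def make_code(key: bytes = SERVER_KEY) -> str:
    """8 random characters plus 4 keyed check characters (12 total).
    Changing any character alters the HMAC, so substitution does not yield another valid code."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(8))
    return body + check_chars(body, key)


def code_is_well_formed(code: str, key: bytes = SERVER_KEY) -> bool:
    return len(code) == 12 and hmac.compare_digest(check_chars(code[:8], key), code[8:])


class Redeemer:
    MAX_INVALID = 15               # lockout threshold reported in the article
    LOCKOUT_SECONDS = 25 * 3600    # 25-hour lockout reported in the article

    def __init__(self, issued, key: bytes = SERVER_KEY):
        self.issued = set(issued)  # codes actually printed (assumed issuance database)
        self.claimed = set()
        self.invalid = defaultdict(int)
        self.locked_until = {}
        self.key = key

    def redeem(self, user: str, code: str, now: float) -> str:
        if self.locked_until.get(user, 0) > now:
            return "locked"
        # Malformed and well-formed-but-never-issued codes both count as invalid attempts.
        if not code_is_well_formed(code, self.key) or code not in self.issued:
            self.invalid[user] += 1
            if self.invalid[user] >= self.MAX_INVALID:
                self.locked_until[user] = now + self.LOCKOUT_SECONDS
                self.invalid[user] = 0
                return "locked"
            return "invalid"
        if code in self.claimed:
            return "already_claimed"   # each code credits exactly once
        self.claimed.add(code)
        self.invalid[user] = 0
        return "credited"
```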
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 02:20:38 PDT