[ISN] Cola competition hacked

From: William Knowles (wkat_private)
Date: Tue Jun 19 2001 - 02:16:45 PDT


    http://www.theage.com.au/news/national/2001/06/18/FFX85SO43OC.html
    
    By BARRY PARK 
    Fairfax IT
    Monday 18 June 2001
    
    Hacker group 2600 Australia today warned soft drink maker Coca-Cola
    Amatil to increase the security of online competitions after today
    publishing part of the process it says the company uses to verify
    competition entries.
    
    The group said it believed the Coke Music Auction was being "scammed"
    by people who knew the full algorithm used to verify codes printed on
    the side of Coke bottles.
    
    The codes are used to claim credits to bid on prizes at the Coke Music
    Auction website run in conjunction with portal Yahoo. Credits per
    bottle range from 100 for a 390mL bottle to 300 for a 2L bottle.
    
    Top bidding on the Coke Music Auction website earlier today was for an
    LG television package, with a bid of 462,050 credits, the equivalent of
    more than 1500 two-litre Coke bottles.
    
    2600 Australia member "Poppy", who discovered the flaw, said the proof
    of concept used to reveal part of the algorithm used to verify the
    codes had taken "two to three" hours to circumvent late last month.
    
    He said about 100 sample codes were gathered from bottles in a
    recycling bin at a fast food restaurant.
    
    The full algorithm could be worked out by anyone who had access to a
    larger number of bottles by substituting the letters in a valid code
    with its equivalent character, he said.
    
    If a substituted code was valid or had not been claimed before, the
    credits would be assigned to the registered user.
    
    Poppy said the Coke Music Auction website would lock a user out of the
    site for 25 hours if a registered user keyed in 15 invalid codes.
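As an added illustration (not code from the article, 2600 Australia, or the competition's own system), a defender-side sketch of the two properties this story points at: codes whose validity is a server-side lookup on random values rather than a pattern that can be checked or transformed, and a lockout using the article's 15-attempt/25-hour figures, plus a global invalid-attempt counter, since a per-account lockout alone does not stop guessing spread across many registered accounts. The class and method names and the 12-character code length are assumptions.

```python
import secrets
import string
from datetime import datetime, timedelta

# Parameters taken from the article; everything else is constructed.
MAX_INVALID = 15                 # invalid codes before lockout
LOCKOUT = timedelta(hours=25)    # lockout duration
CREDITS = {"390mL": 100, "2L": 300}
ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 12                    # assumed length, ~62 bits of entropy


class PromoCodes:
    """Codes are random and valid only if present in the issued table, so
    substituting characters in a valid code does not yield another one."""

    def __init__(self):
        self.issued = {}         # code -> credits
        self.redeemed = set()
        self.failures = {}       # user -> timestamps of recent failures
        self.locked_until = {}   # user -> datetime
        self.valid_total = 0     # global counters for monitoring
        self.invalid_total = 0

    def issue(self, size):
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self.issued[code] = CREDITS[size]
        return code

    def redeem(self, user, code, now):
        if self.locked_until.get(user, now) > now:
            return "locked"
        if code in self.issued and code not in self.redeemed:
            self.redeemed.add(code)
            self.failures.pop(user, None)
            self.valid_total += 1
            return self.issued[code]
        # Invalid or already claimed: count it per user and globally.
        self.invalid_total += 1
        recent = [t for t in self.failures.get(user, []) if now - t < LOCKOUT]
        recent.append(now)
        if len(recent) >= MAX_INVALID:
            self.failures.pop(user, None)
            self.locked_until[user] = now + LOCKOUT
            return "locked"
        self.failures[user] = recent
        return "invalid"

    def invalid_fraction(self):
        """Share of all attempts that failed; a sudden rise across many
        accounts is the signal a per-account lockout cannot give."""
        total = self.valid_total + self.invalid_total
        return self.invalid_total / total if total else 0.0
```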
    
    He said he had "spoken to a few people who are doing it".
    
    The back end security of the online competition attracted his
    attention after he saw a large number of credits bid on items up for
    auction shortly after the competition started, he said.
    
    "Coca-Cola surely know by now that there is something seriously wrong
    with this competition," the posting on the 2600 Australia website
    says.
    
    Poppy said ideally he would like to see Coca-Cola Amatil re-run the
    competition, although he said that in reality all he could expect from
    the company was an apology to legitimate customers who missed out on
    prizes.
    
    Coca-Cola Amatil has been contacted for comment.
    
    
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ================================================================
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    *==============================================================*
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    


