Game of Throne’s? First Ticketing Problems Emerge

The rulers of the realm have shifted allegiances, part of the “Burning Man 2.0” that BMOrg are constructing around the Burning Man Project and their future plans. Burning Man have ditched their long-term ticketing provider InTicketing, going instead for Ticketfly. We reported on this a month ago, with bold statements from the Ticketfly founder along the lines that he built Burning Man’s original ticketing system and they are ready for all the modifications required by BMOrg. Our prediction was don’t be surprised if things go pear-shaped, and it seems that they have, already.

Yesterday we received reports that some Burners were having difficulty with the Directed Group Sale. Burner Peter said:

Looks like the BMorg may have a mess on their hands once again. “directed group sale” pre-reg codes are being rejected on the ticketing page.

It seems he wasn’t the only one having problems. More than 25 Burners commented about problems they were having at the Ticket Support Page:

Finally got into the ticketfly “Waiting Room” after 20 mins. I think that “Invalid Promo Code” could also mean “Our servers can’t handle the requests”. Page refreshes every 30 seconds. We’ll see what happens…

Same here… says my Promo Code is invalid. Tried cutting and pasting… tried typing… tried just using the link with the embedded promo code. It’s broke.

…Same. Got booted out after 17 minutes. Still having my code pop up as invalid.

…Me too. Said my code was invalid before I even entered it, as soon as the page loaded. Emailed the tickets people. Hang in there, everyone.—:-}>

…Same thing is being experienced by everyone in my group that’s registered. I already received this response from ticket support but I disagree that this is the issue because I’m still seeing the same error after following the advice:

Frog replied:

Hi there,

Your code is valid until it is used, so don’t worry. I think you’re experiencing a browser caching problem. Please clear your browser cache in your preferences and shift+reload the page. That should clear it up!

Sorry for the inconvenience.

Sincerely, Frog | Burning Man Tickets 

…Got into the waiting room for 14 minutes, then kicked out. I’m back to banging on the “Enter Directed Group Sale” button. I’ve tried emptying my browser cache but that doesn’t seem to help. I think that ticketfly just gets overloaded and periodically barfs everybody out. Are we the guinea pigs for another year of ticket fiascos?

…Our “lead” group member got tickets, but no one else in the group has been able to. I’ve tried different browsers, different computers, different codes, still says invalid.

…Hang in there all……..I kept trying and have just now been successful. Didn’t need to clear cache, change browsers…………just keep entering your code and apparently it will go through sooner or later.

…Got kicked out again but finally got to the ticket page. Need to open a ticketfly account to buy the tix!

…I also, finally, got tickets. For me, restarting my computer seemed to work; got right in.

…Resolved after a refresh, clean cache, re-login. See you @ home

…One of the things that I tried before finally getting in was, signing in separately into my burning man profile; then pressing the buy tickets through my profile. Going directly thru my link didn’t seem to work at all.

Then, a Burner who we’ll codename Noah [ xkeyscore 1e51718d4660bf843e302fe4385c8a57fab921990ccc5e6aa4a28174b465b3b4 ] contacted us to point out a glaring security flaw that you don’t have to be a hacker to exploit. We agreed with him to wait before publishing to give Ticketfly and BMOrg a chance to correct the flaw.

I discovered the glitch by accident and was kind of shocked. Anyone with an unused DG sale code could easily stage it so they could buy as many tickets as they want.

This isn’t anything moderately fancy like a SQLi or an sslstrip attack — this is as trivial as a ‘hack’ gets.

———- Forwarded message ———-
Date: Wed, Feb 12, 2014 at 1:16 PM
Subject: Security Vulnerability: Unlimited buying of Direct Group Sale Burning Man Tickets Possible (FULL DISCLOSURE)
To: ticketsupport@burningman.com, support@ticketfly.com

Hello,

I am a Burner and also an information security architect, penetration tester/certified security auditor, and avid hacker. I discovered, by accident, a vulnerability in the Directed Group sale that allows individuals to potentially buy unlimited sets of tickets if they are aware. I am sharing this information under the doctrine of “Full Disclosure” in Information Security. I am conducting a partial disclosure to you right now so this may be fixed before it is exploited.

The issue is that the promo code is only marked as “used” once the transaction is completed. If a user has many browser windows open refreshing the page, the user’s code will be accepted by the initial browser code validation. They can then proceed to register a new ticketfly account and purchase as many tickets as browser windows they had open. A malicious entity aware of this could potentially buy as many Directed Group Sale tickets as they want by loading many browser windows, some on remote servers or via VPNs to obfuscate the IP addresses, and processing transactions until they have tickets. Given the ease of discovering this vulnerability it’s very likely someone may have already tried to do this.

My suggested remedy is to include a server-side validation of the Group Sale code in each stage of the ticket purchasing process, checking for double-use of the tag via a boolean column in the database backend; or some similar other means.


Basically, you can re-use the code to open a whole bunch of browser windows, then commit the transactions. The test of “if code has been used” is performed before opening the windows, but the code is not checked again, and is not marked as used until the completion of the transaction.
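To make the check-then-mark gap concrete, here is an added simulation (my own code, not Ticketfly’s or BMOrg’s; the table layout and the code value `DGS-EXAMPLE-0001` are constructed for the example). Every window passes the page-load validation, and the two purchase functions show the flawed flow beside the remedy Noah suggested: re-validating and marking the code used in one atomic, server-side step.

```python
import sqlite3

# Constructed sample data: one directed-group code, not yet used.
SAMPLE_CODE = "DGS-EXAMPLE-0001"


def new_db(code=SAMPLE_CODE):
    """In-memory stand-in for the ticketing backend's promo-code table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE codes (code TEXT PRIMARY KEY, used INTEGER NOT NULL)")
    db.execute("INSERT INTO codes VALUES (?, 0)", (code,))
    db.commit()
    return db


def page_load(db, code):
    """Step 1 (both flows): the validity check run when the code is entered."""
    row = db.execute("SELECT used FROM codes WHERE code = ?", (code,)).fetchone()
    return row is not None and row[0] == 0


def purchase_vulnerable(db, code):
    """Step 2, flawed: trusts the earlier page-load check and only now marks the
    code used, so every window that already loaded gets a ticket."""
    db.execute("UPDATE codes SET used = 1 WHERE code = ?", (code,))
    db.commit()
    return True  # ticket issued


def purchase_fixed(db, code):
    """Step 2, hardened: re-validate and mark used in a single conditional UPDATE.
    The database serializes writes, so exactly one window can flip used 0 -> 1;
    every later window sees rowcount 0 and is refused."""
    cur = db.execute("UPDATE codes SET used = 1 WHERE code = ? AND used = 0", (code,))
    db.commit()
    return cur.rowcount == 1


def tickets_sold(purchase, n_windows, code=SAMPLE_CODE):
    """Open n windows on one code (each passes page-load), then complete each
    purchase in turn; returns how many tickets the single code produced."""
    db = new_db()
    loaded = [w for w in range(n_windows) if page_load(db, code)]
    return sum(1 for _ in loaded if purchase(db, code))
```

With five windows the flawed flow sells five tickets from one code while the hardened flow sells one; a code that is not in the table never passes page-load, so neither flow sells any.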

Some people couldn’t even get into the system, and even when they managed to, legitimate codes were being rejected; meanwhile, others could buy an unlimited amount of tickets from a single code, just by opening a bunch of browser windows.

Ticketfly and BMOrg scrambled to patch some bugs in the Ticketing system, although we don’t know if they’ve fixed everything in the 30 minutes that they spent on it. From the official Burning Man blog:

Rebecca Throne, Ticket Manager for BMOrg


During the Directed Group ticket sale earlier today we encountered a technical issue on the Burning Man side of the operation. Our new ticket vendor, Ticketfly, worked with us to quickly identify and isolate the issue and then developed, tested and deployed a solution. The entire process took about 30 minutes.

During this time, inquiries to the Burning Man ticketing support desk skyrocketed with participants concerned they would not be able to purchase tickets. With the help of Ticketfly’s support team we were able to reply to and help all of those who contacted us.

We want to acknowledge and appreciate Ticketfly’s instant response to this situation. Their troubleshooting, quick thinking, and problem-solving allowed the sale to get back on track quickly and everything is now running smoothly.

Rebecca Throne
Ticket Operations Manager
Burning Man

Which prompted an amusing and enlightening response from Tikor, one I’m inclined to take at face value:

This is very interesting. I have a question perhaps you can help me with. Over the last few years, our camp made a decent profit from reselling tickets. This sort depended on things not running smoothly – what are the chances that Ticketfly is actually just ass, and things will be as normal this year?

Fast forward to now. Have the holes been plugged? Problems fixed? Please share your experiences with the ticketing system, Burners.

5 comments on “Game of Throne’s? First Ticketing Problems Emerge”

  1. I’m going to do something I wouldn’t imagine I’d be doing- defending BMOrg ticket processes. I did encounter some minor issues (said pre-registration was closed when it shouldn’t have been). With that said, I received an email confirming they received my issue and then I received a note saying there were issues and they went ahead and did it on my behalf.

    I think the real issue is the trust lost from 2 years ago… the actual purchase of the tickets took me approximately 1 minute and was a breeze. But I was extra nervous, skeptical, etc. given the debacles of years past.

    So, yes, I thought the process involved an unnecessary step (pre-register for the pre-sale ??) and some glitches, but in the end I thought it was handled MUCH better than years past. Improvement is a good thing!

  2. Gathered from other theme camp organizers I’ve spoken to, those that were the inviters, or lead contacts, were able to buy tickets without problems, myself included. There seemed to be a problem for those that were invited to the sale by camp contacts. Not sure what the problem was exactly, but they did resolve it fairly quickly. Someone pointed out that in recent years they had to spend much, much more time in line to buy tickets. 30 minutes wasn’t so bad, in the grand scheme of things.