Resellers have used a security researcher's findings to reverse engineer Ticketmaster and AXS's “non-transferable” digital tickets, allowing transfers outside of their apps. The workaround was revealed in a lawsuit AXS filed in May against third-party brokers who adopted the practice, according to 404 Media, which first reported the news.
The saga began in February when an anonymous security researcher, calling himself Conduition, published technical details. If you’re not already familiar with how modern e-ticketing systems work, Ticketmaster and AXS keep ticket resales within their own platforms, preventing transfers to third-party services like SeatGeek and StubHub. (For higher-priority events, they often go a step further and prohibit transfers to other accounts on the same platform.)
While the companies claim the practice is strictly a safety measure, it also allows them to conveniently control how and when their tickets are resold. (Long live capitalism?)
Ticketmaster and AXS create their “non-transferable” tickets using rotating barcodes that change every few seconds, preventing screenshots or printouts from working. On the back end, they use underlying technology similar to that of two-factor authentication apps. Additionally, the codes are only generated shortly before an event starts, limiting the window of time for sharing them outside of the apps. Without third-party interference, the platforms can lock ticket buyers into their own resale services, giving them top-down control of the entire ecosystem.
That’s where the hackers come in. Using findings published by Conduition, they extracted the secret tokens that the platforms use to generate new tickets, using an Android phone with its Chrome browser connected to Chrome DevTools on a desktop PC. Using the tokens, they created a parallel ticketing infrastructure that regenerates genuine barcodes on other platforms, allowing them to sell working tickets on platforms that Ticketmaster and AXS don’t allow. Online reports claim that the parallel tickets often work at the gates.
According to 404 Media, the AXS lawsuit accuses the defendants of selling “counterfeit” (though usually working) tickets to “unsuspecting customers.” The court documents allegedly describe the parallel tickets as “created, in whole or in part, by one or more of the defendants who unlawfully accessed and then imitated, emulated, or copied tickets from the AXS platform.”
AXS’s lawsuit claims the company doesn’t know how the hackers do it. The promise of unblocking Ticketmaster is so lucrative that several intermediaries have tried to hire Conduition to help them build their own parallel ticketing platforms. Services already working with the researcher’s findings have names like Secure.Tickets, Amosa App, Virtual Barcode Distribution and Verified-Ticket.com.
404 Media's full story is worth reading. More technically savvy readers may be interested in Conduition's earlier findings, which illustrate what the ticketing giants are doing on their back ends to keep the entire ecosystem in their clutches.