Burning Man festival to cancel tickets of cheaters who used website hacks

Image of Burning Man effigy courtesy of John Chandler/Flickr - Creative Commons license

Burning Man ticket cheaters won't prosper.

Tickets for this year’s Burning Man festival in the Nevada desert are hot commodities, with over 80,000 people registering for the recent release of 40,000 tickets.

What started in 1986 as the burning of a wooden figure on a beach to celebrate the summer solstice has now grown to an annual event that attracts tens of thousands of people.

In the last few years, the event has become increasingly popular with the Silcon Valley set, with attendees including Larry Page, Sergey Brin, Elon Musk, Jeff Bezos and Mark Zuckerberg.

Unfortunately for thousands of fans who pre-registered to buy tickets but weren’t able to get through the online queue in time, a flaw in the ticketing website allowed some crafty hackers to game the system in order to jump to the front of the line.

After tickets for the event sold out in an hour last Wednesday, Burning Man acknowledged that some people had cut ahead of others unfairly when the online sale opened.

In a blog post the next day, Burning Man said about 200 people exploited a backdoor in the ticketing website to get to the front of the queue. It assured genuine ticket buyers that the organization was taking steps to address the problem by canceling the fraudulent ticket purchases.

The good news (for us, not them) is that we can track them down, and we’re going to cancel their orders. The tickets from those orders will be made available in the OMG Sale in August. Of course, steps are being taken to prevent this from happening again in future sales.

Burning Man organized the online sale as “first come, first served,” with a limit of two tickets per person, and required potential buyers to pre-register to receive an email with a link to access the ticketing site.

To manage the online sale of the 40,000 available tickets for the 2015 festival – at $390 a pop – Burning Man used the ticketing agency Ticketfly.

Yet, according to posters at the Burning Man page on Reddit, a few lines of JavaScript embedded in Ticketfly’s online queue revealed the URL of the site’s ‘waiting room’, allowing anyone who could read the code to jump ahead.

As reported by Wired, knowing the URL for the waiting room allowed people to purchase tickets ahead of the start of the sale at 12:00 p.m. PST – while everyone else had to wait until the start time and click a button to enter the queue.

The type of flaw that let the cheaters generate the waiting room URL is known as an insecure direct object reference, a coding vulnerability that allows an attacker to bypass authorization and access resources directly by modifying the value of a parameter.

In a similar flaw, Delta Airlines recently emailed flyers URLs to their boarding passes that could be manipulated to gain access to other people’s boarding passes.

E-commerce giant Alibaba made the kind same mistake in its AliExpress online retail portal; and the website for the UK Immobilise National Property Register made a similar snafu.

You can listen to a discussion on how to create URLs properly in our recent Chet Chat security podcast, featuring Sophos experts and Naked Security writers Chester Wisniewski and Paul Ducklin. [Relevant content runs from 9’47” – 12’50”]

(Audio player above not working? Download the MP3, or listen on Soundcloud.)

Another loophole in the Burning Man ticket website reported by Reddit users was less “hack” than a quirk in the system – apparently, some users who were in the queue and then re-clicked their emailed link were sent right to the purchasing page in another browser tab.

Burning Man also said it was investigating reports that people were able to jump the ticket purchasing queue by going through the Ticketfly homepage, and that some people were able to use codes to get around the limit of two tickets per person (which could enable ticket scalping/touting).

Even if you don’t think exploiting these loopholes constitutes “hacking,” it certainly gives those who know about them an advantage over everyone else – and that seems contrary to the spirit of inclusion that Burning Man says is part of its founding principles.

Burning Man insisted in its blog post that the ticketing system worked, despite the presence of some cheaters, noting the ticket site’s servers handled the crush of the 80,000 potential buyers without crashing or kicking people out of line.

Some commenters at the Burning Man blog suggested an alternative to the “first come, first served” method of ticket sales – a lottery where registrants are selected randomly.

That would remove the possibility of gaming the system and would be a lot more fair than the current system which rewards people with faster connection speeds, commenters said.

It sounds like a good idea – so long as the lottery is truly random.

Image of Burning Man effigy courtesy of John Chandler / Flickr Creative Commons.