Engineers analyze the mechanism behind barcode-based e-tickets that don't work with screenshots



Concert and live tickets used to be printed on paper, but in recent years they have been increasingly digitized to prevent fraud and resale. American ticket sales service TicketMaster issues barcode-type electronic tickets that are updated every 15 seconds with a service called '

SafeTix ,' which claims to prevent ticket theft and copying. Engineer conduition reverse-engineered SafeTix and verified it.

Reverse Engineering TicketMaster's Rotating Barcodes (SafeTix)
https://conduition.io/coding/ticketmaster/

Conduition lists the advantages of analog tickets printed on paper as 'offline usability,' 'ability to use without a smartphone,' and 'ease of sharing with friends.'

Mr. Conduition said he purchased an e-ticket using SafeTix from TicketMaster in 2023. However, on the day of the event, the venue was very crowded, and mobile phone communications and Wi-Fi were overloaded, causing the network to crash, so he was unable to obtain the ticket barcode and had a lot of trouble getting in.

Despite these problems, TicketMaster is promoting SafeTix to prevent ticket counterfeiting and resale. SafeTix automatically updates the PDF417 barcode every 15 seconds, so even if you take a screenshot and print the barcode, it will immediately become invalid.



However, Conduition pointed out that TicketMaster's claim that 'tickets cannot be transferred outside of TicketMaster' is problematic in that they cannot be stored offline. Therefore, Conduition performed reverse engineering and technical analysis of SafeTix.

Conduition connected the Chrome browser on his Android smartphone to

the Chrome Developer Tools on his desktop PC and recorded the network request when loading TicketMaster's barcode viewer. He found that the response data of the POST request to the API endpoint /api/render-ticket/secure-barcode contained important information such as the device ID, ticket information, and token.



Additionally, conduition identified a function in the JavaScript source code on the TicketMaster website that generates barcode data.



SafeTix barcodes encode UTF-8 text and contain 48 bytes of Base64 encoded data, two 6-digit numbers, and a UNIX timestamp. The barcode is updated every 15 seconds, but the Base64 data does not change, only the 6-digit numbers and the timestamp.

Conduition speculated that the two six-digit numbers were a Time-based One-Time Password (TOTP) generated from a shared secret and a timestamp, and that the Base64 data was a random ' Bearer token ' used to identify the ticket holder and the ticket.

According to Conduition, the ticket metadata is first searched for using the Bearer token, and then the TOTP is verified with two secret keys stored in the database, 'eventKey' and 'customerKey'. Conduition also believed that the TOTP was generated every 15 seconds using the industry standard SHA-1 .

To verify these speculations, conduition used oathtool to generate a TOTP from the extracted shared secret and timestamp, and confirmed that it matched the actual barcode data. Furthermore, he found that the Base64 data changes every time the web app is refreshed, but does not change if the page is left open for a long time. On the other hand, the eventKey and customerKey do not change, and are presumably unique to the event and ticket holder, respectively. In other words, all that is needed is the Base64 data, the eventKey, and the customerKey to generate a valid barcode.

These analyses showed that the tokens could be extracted from the logs that TicketMaster's web app outputs to the browser console. In addition, although the documentation stated that the tokens should be updated 20 hours before the event starts, the expiration date of the generated tokens was unclear and uncertain.

Conduition strongly criticized TicketMaster for promoting SafeTix not to prevent fraud or resale, but to 'make it difficult to resell tickets outside TicketMaster and promote the use of its own high-margin resale marketplace' and 'to force users to install its own app and collect more user data.' In particular, he questioned the ethical responsibility of the developers for designing a system that excludes people who are technologically disadvantaged.

In addition, conduition has published the source code for 'TicketGimp', which renders barcodes compatible with TicketMaster's SafeTix, on GitHub.

GitHub - conduition/ticketgimp: Create TicketMaster-compatible rotating barcodes from encoded ticket secrets.
https://github.com/conduition/ticketgimp

◆ Forum is currently open
A forum related to this article has been set up on the official GIGAZINE Discord server . Anyone can post freely, so please feel free to comment! If you do not have a Discord account, please refer to the account creation procedure article to create an account!

• Discord | 'Have you ever had trouble with e-tickets?' | GIGAZINE
https://discord.com/channels/1037961069903216680/1260524742327275571

Related Posts:

in Mobile,   Software,   Web Service,   Web Application,   , Posted by log1i_yk