Ticketmaster SafeTix Reverse-Engineered [Hackaday]


Ticketmaster is having a rough time lately. Recently, a hacker named [Conduition] managed to reverse-engineer their new “safe” electronic ticket system. Of course, they also had the recent breach where more than half a billion accounts had personal and financial data leaked without any indication of whether or not the data was fully encrypted. But we’re going to focus on the former, as it’s more technically interesting.

Ticketmaster’s stated goals for the new SafeTix system — which requires the use of a smartphone app — were to reduce fraud and ticket scalping. Essentially, you purchase a ticket using their app, and some data is downloaded to your phone which generates a rotating barcode every 15 seconds. When [Conduition] arrived at the venue, cell and WiFi service was totally swamped by everyone trying to load their barcode tickets. After many worried minutes (and presumably a few choice words) [Conduition] managed to get a cell signal long enough to update the barcode, and was able to enter, albeit with a large contingent of similarly annoyed fans trying to enter with their legally purchased tickets.

The real kicker here is that since the barcode rotates every 15 seconds, printing it out simply isn’t an option. This alienates anyone who doesn’t have a smartphone, which includes individuals who may not be able to physically operate one. So the problem isn’t simply that users were being forced to install yet another application on their device, but that the system reduces accessibility to entertainment. [Conduition] was dismayed and frustrated with this, and so the reverse-engineering effort began.

Decoding the barcode was actually quite simple. It is a standard PDF417 barcode, which contains a long Base64 string, two six-digit numbers, and a Unix timestamp all concatenated together with colons. The only parts of the string that seemed to change over time were the two six-digit numbers. Hmm, can we think of a common technology which generates six-digit numbers that update seemingly randomly on a fixed cycle? Of course — it’s just a Time-based one-time password (TOTP), the technology behind 2FA authenticator apps!

So where were the secret keys coming from? TOTP only requires two things: a static secret string, and the current time. [Conduition] checked the communication with the Ticketmaster servers and found a particularly interesting request that returned JSON-formatted data, inside which were of course the two secret keys. One seems to be unique per customer, and the other per ticket.
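The two paragraphs above describe the barcode payload (a Base64 blob, two six-digit numbers and a Unix timestamp joined by colons) and the mechanism behind the changing numbers (TOTP over two secrets, one per customer and one per ticket). The block below is an added example, not code from [Conduition] or from Ticketmaster, written from the scanner's side: it parses a payload of that shape and checks both six-digit values against RFC 6238 TOTP for the current time step, allowing one step of clock drift. Everything not stated in the article is an assumption and is marked as such in the comments: the field order, that the first number comes from the customer secret and the second from the ticket secret, that the secrets are used as raw bytes, and that the hash is HMAC-SHA1 (the RFC default). The 15-second step comes from the article.

```python
import base64
import hashlib
import hmac
import struct

# Assumed TOTP parameters. The 15-second rotation is from the article; six digits
# matches the observed values; HMAC-SHA1 is the RFC 6238 default and is an assumption.
STEP_SECONDS = 15
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


def parse_payload(payload: str) -> dict:
    """Split the colon-joined barcode text into its fields.

    Field order is an assumption: <base64 blob>:<otp1>:<otp2>:<unix timestamp>.
    """
    parts = payload.split(":")
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields, got {len(parts)}")
    blob_b64, otp1, otp2, ts = parts
    if not (otp1.isdigit() and otp2.isdigit() and len(otp1) == len(otp2) == DIGITS):
        raise ValueError("OTP fields must be six-digit numbers")
    return {
        "ticket_blob": base64.b64decode(blob_b64, validate=True),
        "otp1": otp1,
        "otp2": otp2,
        "timestamp": int(ts),
    }


def verify_payload(payload: str, customer_secret: bytes, ticket_secret: bytes,
                   now: int, skew_steps: int = 1) -> bool:
    """Scanner-side check: both OTPs must match TOTP over their secrets for the
    current time step or an adjacent one (clock drift between phone and scanner).
    Which secret feeds which number is an assumption."""
    fields = parse_payload(payload)
    for delta in range(-skew_steps, skew_steps + 1):
        t = now + delta * STEP_SECONDS
        ok1 = hmac.compare_digest(fields["otp1"], totp(customer_secret, t))
        ok2 = hmac.compare_digest(fields["otp2"], totp(ticket_secret, t))
        if ok1 and ok2:
            return True
    return False


def build_payload(ticket_blob: bytes, customer_secret: bytes, ticket_secret: bytes,
                  now: int) -> str:
    """Assemble one time step's payload in the assumed layout; used here only to
    construct sample input for the verifier."""
    return ":".join([
        base64.b64encode(ticket_blob).decode(),
        totp(customer_secret, now),
        totp(ticket_secret, now),
        str(now),
    ])


if __name__ == "__main__":
    # Constructed sample secrets and blob, not values from any real ticket.
    cust, tick = b"customer-secret-example", b"ticket-secret-example"
    now = 1700000000
    payload = build_payload(b"constructed ticket blob", cust, tick, now)
    print(payload)
    print("valid now:", verify_payload(payload, cust, tick, now))
    print("valid 45 s later:", verify_payload(payload, cust, tick, now + 45))
```

The `hotp` function can be checked against the RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`), which is the quickest way to confirm the truncation is right before trusting anything built on it. The skew window is what makes the gate usable under the swamped-network conditions the article describes: a phone whose clock is a few seconds off still passes, while a payload more than one step old does not.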

The important data captured from the web traffic

The Ticketmaster API documentation only briefly mentions this feature, but it does state that customers must refresh their ticket barcodes within 20 hours before an event starts. These two pieces of information were enough to allow [Conduition] to whip up a simple app that accepts the secret keys and the ticket ID and pops out the rotating barcodes. This would allow you to sell your tickets in the 20 hours prior to an event, or even just give them away to friends without handing their personal data to Ticketmaster, letting you take back control of your tickets.

Thanks to [Chrischi] for the tip!
