Web flaw yields free MacWorld VIP pass
A security researcher has found a way to get a free "Platinum" pass to MacWorld by hacking the conference website
By Robert McMillan | San Francisco | Thursday, 17 January, 2008
For the second year running, security researcher Kurt Grutzmacher has found a way to get a free "Platinum" pass to the MacWorld Conference & Expo, being held in San Francisco this week.
Thanks to a design flaw in the conference's website, he was able to recover a special promotional code and award himself a 100% discount when purchasing the show's most expensive pass.
The problem was that the site sent an encrypted version of the promotional codes to the browser so that the discount check could run on the client, before any data was passed to MacWorld's web server. Site developers may have done this to reduce the time it takes to process conference applications, but by shipping the secret codes and the check itself to the client they introduced a serious security vulnerability, Grutzmacher said.
Although the promotional codes were encrypted, Grutzmacher used John the Ripper, a password-cracking tool that recovers secrets by hashing candidate guesses and comparing them against the stored values, to recover the discount codes. "I was very surprised it worked," he said in an email interview.
That's because it was the same technique that yielded a Platinum pass for the 2007 show. At that time, the show's promoter, IDG World Expo, "removed all the codes, fixed the site, and said thanks," Grutzmacher said in a Monday blog posting showing how he cracked the site. "I gave them a few tips (don't trust user input, don't give your secret codes to everyone, encryption is not one-way, etc). Did they listen? Nope."
Grutzmacher ran his test in the weeks prior to the show, and the code he obtained stopped working on Jan. 7, he said.
Show representatives were not immediately available to comment.
Grutzmacher, a penetration tester, went down to San Francisco's Moscone Center on Monday to print his pass, just to see whether his trick worked, but he did not actually use it to visit the show. "That would be very unethical," he said.
Had he made use of the US$1,895 pass, however, Grutzmacher could have had a free lunch, access to sessions at the conference, entry into the MacWorld party and priority access to Steve Jobs' keynote on Tuesday.
"Justin," a commentator on Grutzmacher's blog, said he reported a similar bug to IDG in 2003.
Grutzmacher said that this is probably not the last we'll hear of this problem. "I suspect we'll see this again in 2009," he said.
The MacWorld Conference & Expo is run by IDG World Expo, an IDG News Service affiliate.