Information Security News mailing list archives

Cola competition hacked


From: William Knowles <wk () c4i org>
Date: Tue, 19 Jun 2001 04:16:45 -0500 (CDT)

http://www.theage.com.au/news/national/2001/06/18/FFX85SO43OC.html

By BARRY PARK
Fairfax IT
Monday 18 June 2001

Hacker group 2600 Australia today warned soft drink maker Coca-Cola
Amatil to increase the security of online competitions after today
publishing part of the process it says the company uses to verify
competition entries.

The group said it believed the Coke Music Auction was being "scammed"
by people who knew the full algorithm used to verify codes printed on
the side of Coke bottles.

The codes are used to claim credits to bid on prizes at the Coke Music
Auction website run in conjunction with portal Yahoo. Credits per
bottle range from 100 for a 390mL bottle to 300 for a 2L bottle.

Top bidding on the Coke Music Auction website earlier today was for an
LG television package, with a bid of 462,050 credits, the equivalent of
more than 1500 two-litre Coke bottles.

2600 Australia member "Poppy", who discovered the flaw, said the proof
of concept used to reveal part of the algorithm used to verify the
codes had taken "two to three" hours to circumvent late last month.

He said about 100 sample codes were gathered from bottles in a
recycling bin at a fast food restaurant.

The full algorithm could be worked out by anyone who had access to a
larger number of bottles by substituting the letters in a valid code
with its equivalent character, he said.

If a substituted code was valid or had not been claimed before, the
credits would be assigned to the registered user.

Poppy said the Coke Music Auction website would lock a user out of the
site for 25 hours if a registered user keyed in 15 invalid codes.
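The weakness described above is that a code's validity is decided by an algorithm over the printed characters, so one valid code leaks others. The following is an added illustration, not code from Coca-Cola Amatil, Yahoo or 2600 Australia, of the defensive alternative: codes are unpredictable random strings whose validity is a server-side lookup, each code is single-use, and the per-user lockout uses the figures from the article (15 invalid codes, 25 hours). Credit values per bottle size are also taken from the article; the `CodeServer` class, its method names and the use of an HMAC pepper on stored codes are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import string

# Figures taken from the article (constructed mapping, values as reported).
CREDITS = {"390mL": 100, "2L": 300}
MAX_INVALID = 15                 # invalid codes before a lockout
LOCKOUT_SECONDS = 25 * 3600      # 25-hour lockout
ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols


class CodeServer:
    """Hypothetical redemption service: random single-use codes, validated by lookup."""

    def __init__(self):
        self.pepper = secrets.token_bytes(32)   # so a leaked table does not reveal unclaimed codes
        self.codes = {}                         # HMAC(code) -> [bottle_size, claimed_by]
        self.failures = {}                      # user -> (invalid_count, locked_until)

    def _digest(self, code):
        return hmac.new(self.pepper, code.upper().encode(), hashlib.sha256).hexdigest()

    def issue(self, bottle, length=10):
        # Validity is not derivable from the characters: 36**10 ~ 3.6e15 codes, of which
        # only issued ones exist, so substituting letters in a valid code yields nothing.
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self.codes[self._digest(code)] = [bottle, None]
        return code

    def redeem(self, user, code, now):
        """Return (status, credits). `now` is a Unix timestamp passed in for testability."""
        count, locked_until = self.failures.get(user, (0, None))
        if locked_until is not None and now < locked_until:
            return "locked", 0
        entry = self.codes.get(self._digest(code))
        if entry is None or entry[1] is not None:
            count += 1
            if count >= MAX_INVALID:            # 15th failure: lock for 25 hours, reset counter
                self.failures[user] = (0, now + LOCKOUT_SECONDS)
            else:
                self.failures[user] = (count, None)
            return ("already_claimed" if entry is not None else "invalid"), 0
        entry[1] = user                         # single use: mark as claimed by this account
        self.failures[user] = (0, None)
        return "ok", CREDITS[entry[0]]
```

Because each code is an independent random value, an attacker holding many valid codes learns nothing about unissued ones, which is the property the reported scheme lacked.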

He said he had "spoken to a few people who are doing it".

The back end security of the online competition attracted his
attention after he saw a large number of credits bid on items up for
auction shortly after the competition started, he said.

"CocaCola surely know by now that there is something seriously wrong
with this competition," the posting on the 2600 Australia website
says.

Poppy said ideally he would like to see Coca-Cola Amatil re-run the
competition, although he said that in reality all he could expect from
the company was an apology to legitimate customers who missed out on
prizes.

Coca-Cola Amatil has been contacted for comment.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


ISN is hosted by SecurityFocus.com
---