
EA “Gives Away” 1000s Of Free Games Due To No Server-Side Validation - minimaxir
http://minimaxir.com/2012/10/client-side-validation-is-hard-mode/
======
dkokelley
Can this really be considered lost revenue? It's unlikely that all 1,000s of
the "free" games were going to be purchased at the current price. You run
into the same questions with piracy. Were the pirates really going to pay if
they couldn't pirate?

The lost revenue should really only come from customers who would have paid
the asking price but managed to get an illegitimate deal, plus whatever
support and overhead costs can be applied to the game downloads.

~~~
ntkachov
Yes, because some (most of the ones worth paying for) of the games require some
sort of server. So every new player in a game is not free for EA. Giving away
a game means they will lose money on this person if they play online.

~~~
timmclean
Although, that'd be an increase in expenses, not lost revenue...

~~~
jklp
If you're nitpicking, then I guess technically it's a loss on profit ...

~~~
trhtrsh
No, the point is that for these users, the vendor loses the $1 or whatever
worth of hosting costs, not the $50 or whatever retail price.

~~~
belorn
The costs are also very difficult to determine, where $1 sounds a bit high to
me. Let's try to do some random estimates for a random game: 30% of the users
won't touch the game whatsoever, and will just have it on their "list". Of the
buyers, 0.5% will require some sort of support effort in relation, where 65%
are handled by the auto-response and 30% by the first email from an employee.

Say a total of 5,000 downloads are from this "free" coupon for any specific
game title. Would $500 or $5000 sound closer to the actual hosting/support
cost that the publisher has?

------
dagrz
Is it me or does the author of this article, and the abusers of the exploits
he writes about, land on the wrong side of both the law and common morality?

Surely EA being a "terrible company" has nothing to do with whether it is okay
to steal their products? Moreover, just because there was a coding
error/oversight, again doesn't mean it is okay to steal their products? If you
have a complaint about a company or discover an exploit, surely there are
other more ethical channels to pursue the matters?

For the record, I dislike some of EA's conduct as much as the next person.

~~~
dkokelley
Yes, this rubs me the wrong way. I think it's analogous to a retail store (say,
an Apple store) leaving their front door unlocked overnight. It's possible to
go in and take merchandise. After all, it's not your fault they left their
front door open. You could even argue that Apple's business practices are
morally questionable, so they deserve to be taken advantage of. (I'm not
trying to make any statement about Apple. It's for the analogy.)

You could argue that the situation is different with virtual goods, since they
have an incredibly low marginal cost, but I think that the situations are
morally analogous. The games aren't supposed to be free.

~~~
glesica
Not really. It's more like Apple issuing you a coupon for a free iPod Nano,
but when you go to checkout with the iPod Nano and a Macbook in your cart, the
cashier tells you they're both free.

It may still be unethical, my point is just that there are shades of gray
here.

~~~
sespindola
Except that, in that case, Apple will lose a lot of money from the free
hardware. In this case, the only real loss for EA is the bandwidth, since it
would be safe to assume that the downloaders wouldn't have bought a lot of
games at the current prices.

~~~
dkokelley
Sure, but I don't think that's relevant to the discussion. It's hard to
quantify, but there is some set of those downloaders who at some point in the
future would probably have bought one of the EA titles they received, so there
is some actual lost revenue. I suppose that's their lesson for pushing bad
code into production.

But it shouldn't matter. Real loss isn't necessary for it to be unethical
(or worse, a crime).

~~~
milfot
Is it actually true that real loss isn't necessary to be unethical? You
couldn't possibly provide an example? I am having trouble imagining such a
situation.

(I would argue in terms of importance, ethics > crime)

~~~
stonemetal
_Is it actually true that real loss isn't necessary to be unethical?_

Plagiarize a paper in college: you have caused no real loss but still been
unethical. Say you knew the topic very well and could have done the work
yourself, and you just plagiarized because you were lazy, to get around the
whole "you harmed yourself" argument.

------
aero142
I don't know what this is going to cost EA, but this may end up being a good
thing. People hate Origin but more importantly, all their games are already on
Steam, so they just continue to buy from Valve. This might get a few people to
keep Origin installed on their computer and help the Origin network effect
out. Up until now, EA's only strategy has been to make their big name
franchises Origin exclusive. This will probably work better and may not end up
costing them much.

~~~
brainfed
They actually pulled most of their top titles off Steam when Origin launched.
Mass Effect, Dragon Age etc. If you already own them on Steam then they remain
in your library but you can't buy them on there anymore.

~~~
bluedanieru
Dragon Age 1 and Mass Effect 1 & 2 are still available on Steam.
Interestingly, they pulled Crysis 2 then a few months later added Crysis 2
Maximum Edition.

For Dragon Age 2 and Mass Effect 3, I agree with their reasoning. Steam
doesn't allow in-app purchases that circumvent their distribution system, and
that's a load of crap.

~~~
sliverstorm
_Steam doesn't allow in-app purchases that circumvent their distribution
system, and that's a load of crap._

The idea there is probably something along the lines of preventing developers
from selling their game for $0.99 and "unlocking" it in-app for $59.00.

~~~
theevocater
Steam isn't an open 'app store' though. It is entirely curated by Valve.
Valve chooses the games to list and if they aren't happy, they will not ask
you to list with them. They could easily refuse to sell games if you did that.

------
minimaxir
(I apologize in advance for linking to my own blog, but I had not seen this
issue reported on any tech blog nor appeared in the "new" queue on HN, so I
wrote a quick post this morning on the issue, as it's technically
interesting.)

~~~
Negitivefrags
> The proper way to implement a promo code is logical: when the user attempts
> to apply a promo code, the server checks, has the user used this promo code
> before? by querying SELECT FROM transactions WHERE user_id = current_user
> AND promo_code = “OS3874XVC”. If the result set is empty, then the user
> hasn’t used the code, and everything’s good to go.

Be very careful here, it's not as simple as it looks. If you don't do the
correct locking it is very easy to have timing attacks which allow keys to be
used twice.

We learned this the hard way after posting a one use key for our game on
4chan. A thousand people rushed to try the key and around 100 people managed
to get in using it.

~~~
numair
... That's not a timing attack. A timing attack involves measuring the time
taken to return an invalid response to a password attempt and, given enough
tries, figure out the password based on this. It usually takes advantage of
the way that string-matching code is written in libraries. Preventing this is
not nearly as simple as you may think; for example, recent research shows that
over a long enough period of time and enough attempts, it is possible for an
attacker to factor network latency into their timing analysis.

What you're describing is not the result of an "attack," but rather the result
of code that wasn't designed to deal with database locking. You weren't
hacked, nobody attacked you; you just didn't design your system to deal with
tons of people trying to write/read the same thing at the same time. Again,
it's a tricky problem, so it's understandable (and a lot of people would
consider dealing with such issues to be "premature optimization").

I will also note that the OP needs to stick to his MySQL Cookbook rather than
commenting on coding practices for large-scale, heavy-usage web applications.
His code suggestion is terribly naive, arrogant, and embarrassing. Yes, EA
made a mistake; no, you have no clue what the hell you are talking about.

~~~
mherdeg
Yeah, time-of-check-to-time-of-use attacks are not usually described as
"timing attacks" but instead just called TOCTTOU. In this scenario you might
also say "exploiting a race condition".

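The double-redemption problem raised in this subthread (the quoted check-then-insert suggestion, the one-use key that a thousand people rushed, and the TOCTOU / race-condition naming), as an added example that is not code from the blog post or from EA/Origin. It is Python on an in-memory SQLite database; the user names, the single-use key value and the hand-scripted interleaving of two requests are constructed for the demonstration, so the race is shown deterministically rather than with real threads. It contrasts the naive SELECT-then-INSERT pattern with two shapes that let the database make the decision atomically, and includes the query an admin would run to find who redeemed a code more than once.

```python
"""Promo-code redemption: the check-then-act race and two atomic fixes.

Added example, not code from the blog post or from EA/Origin. User names,
the single-use key value and the two-request interleaving are constructed.
"""
import sqlite3

PROMO = "OS3874XVC"  # the promo code quoted in the thread


def make_db(enforce_unique: bool) -> sqlite3.Connection:
    """Schema for both redemption models; the UNIQUE constraint is what makes
    the hardened per-user path safe, so the naive path runs without it."""
    db = sqlite3.connect(":memory:")
    constraint = ", UNIQUE (user_id, promo_code)" if enforce_unique else ""
    db.execute("CREATE TABLE transactions (user_id TEXT NOT NULL, "
               f"promo_code TEXT NOT NULL{constraint})")
    # Globally single-use keys (the 'one key posted to a forum' scenario).
    db.execute("CREATE TABLE single_use_keys (code TEXT PRIMARY KEY, "
               "remaining INTEGER NOT NULL)")
    return db


# --- Naive: SELECT to check, then INSERT to act (the quoted suggestion) -----

def naive_check(db, user_id: str, code: str) -> bool:
    """True if the code looks unused *at the moment of the check*."""
    row = db.execute("SELECT 1 FROM transactions WHERE user_id = ? "
                     "AND promo_code = ?", (user_id, code)).fetchone()
    return row is None


def naive_act(db, user_id: str, code: str) -> None:
    db.execute("INSERT INTO transactions (user_id, promo_code) VALUES (?, ?)",
               (user_id, code))
    db.commit()


def race_naive(db, user_id: str, code: str) -> int:
    """Two requests from one user, interleaved so both checks run before
    either insert (the time-of-check-to-time-of-use window). Returns the
    number of redemptions recorded: 2 with this pattern."""
    a_unused = naive_check(db, user_id, code)
    b_unused = naive_check(db, user_id, code)
    if a_unused:
        naive_act(db, user_id, code)
    if b_unused:
        naive_act(db, user_id, code)
    return db.execute("SELECT COUNT(*) FROM transactions WHERE user_id = ? "
                      "AND promo_code = ?", (user_id, code)).fetchone()[0]


# --- Atomic: let the database decide in a single statement -----------------

def atomic_redeem(db, user_id: str, code: str) -> bool:
    """Insert first; the UNIQUE constraint rejects a second redemption no
    matter how requests interleave. True only for the first one."""
    try:
        db.execute("INSERT INTO transactions (user_id, promo_code) "
                   "VALUES (?, ?)", (user_id, code))
        db.commit()
        return True
    except sqlite3.IntegrityError:
        db.rollback()
        return False


def claim_single_use_key(db, code: str) -> bool:
    """Conditional UPDATE: the check (remaining > 0) and the decrement are one
    statement under the row lock, so exactly one caller sees rowcount == 1."""
    cur = db.execute("UPDATE single_use_keys SET remaining = remaining - 1 "
                     "WHERE code = ? AND remaining > 0", (code,))
    db.commit()
    return cur.rowcount == 1


def find_double_redemptions(db) -> list:
    """Audit query: (user_id, promo_code, count) for every code used twice."""
    return db.execute("SELECT user_id, promo_code, COUNT(*) FROM transactions "
                      "GROUP BY user_id, promo_code HAVING COUNT(*) > 1"
                      ).fetchall()


def demo() -> dict:
    naive_db = make_db(enforce_unique=False)
    naive = race_naive(naive_db, "alice", PROMO)
    hardened = make_db(enforce_unique=True)
    first = atomic_redeem(hardened, "alice", PROMO)
    second = atomic_redeem(hardened, "alice", PROMO)
    keys = make_db(enforce_unique=True)
    keys.execute("INSERT INTO single_use_keys VALUES (?, 1)",
                 ("KEY-EXAMPLE-1",))  # constructed one-use key
    keys.commit()
    winners = sum(claim_single_use_key(keys, "KEY-EXAMPLE-1")
                  for _ in range(1000))  # a thousand people try the same key
    return {"naive_redemptions": naive, "audit": find_double_redemptions(naive_db),
            "first_ok": first, "second_ok": second, "key_winners": winners}


if __name__ == "__main__":
    print(demo())
```

The shape carries over to any SQL database: a uniqueness constraint on the thing that must happen once, or a single conditional UPDATE whose WHERE clause is the check, lets the engine serialize the decision under its own lock. A separate SELECT followed by an INSERT only works if the SELECT is itself taken inside a transaction with row locking (for example `SELECT ... FOR UPDATE` on engines that support it); without that, the window between check and use is exactly what concurrent requests exploit. The audit query at the end is what makes the "who used it twice" question trivial after the fact, provided redemptions were logged at all.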
------
SquareWheel
This article missed the earlier Reddit thread where a separate exploit was
discovered: the coupon applied to every item in the basket. $20 off of
everything. Coupled with a coupon from a different forum you could add tens or
maybe hundreds of games to your account for free in one large bundle.

I'm really curious to see EA's response.

~~~
fwr
Do you have a link to the earlier reddit thread?

~~~
SquareWheel
I do.

<http://reddit.com/11ecl5/>

The link to the SlickDeals exclusive deals was removed as well for some
reason.

[http://store.origin.com/store/ea/en_US/DisplayCategoryProduc...](http://store.origin.com/store/ea/en_US/DisplayCategoryProductListPage/categoryID=60109000&childCategoryID=60109000&OfferID=29945460209?sourceid=Origin_AFF_LS715)

------
tantalor
IANAL, but it's possible that these users are now liable to pay for the extra
games. They knew that the code was only usable once, yet used it multiple
times. EA might ask for the games back or charge the users.

(I'm not taking EA's side, I'm just pointing out some possible consequences.)

~~~
rabidsnail
If they did try to charge for the games they would get enough chargebacks that
they would have a hard time processing credit card payments for a while. And
with chargeback penalties they might actually lose money.

The only sensible options are a) do nothing or b) revoke games purchased with
these codes. If I were them I would do nothing and treat it as an unplanned
pricing experiment. Since a lot of these games have an online component
(network effects!) the "giveaways" might increase real sales overall.

~~~
oakwhiz
I doubt there would be chargebacks since a valid credit card was not even
asked for during the process of entering the code.

~~~
rabidsnail
But presumably you have to have a credit card associated with your account,
right?

~~~
potatolicious
Even if that's the case, it would be unwise for EA to pursue this money. All
anyone would have to do is issue a chargeback - which by the way incurs
penalty fees for EA. More than that, it _costs_ $25 for EA to file a challenge
to a chargeback, making it completely not worthwhile.

Going after this money would be a PR disaster, a legal quagmire, financially
_negative_ in all likelihood, _and_ permanently damage their relationship with
their payment processors.

I would instead invest more money in hiring proper architects.

------
andypants
Your proposed solution is not that simple. You make it sound like EA simply
used the wrong query.

> One, if EA is technically incompetent enough to allow such a severe bug to
> exist, they won’t have the technical skills to discern who used the promo
> code more than once.

The bug was not that obvious, and doesn't necessarily imply lack of technical
skill. On the other hand, finding out who used a promo code more than once, as
long as these things have been logged, should be trivial for any admin.

~~~
ColMustard
That a promo code could be used more than once, or that you could use it in
ways it was never meant to? Of course the problem is not simple, but anyone
who thinks it is shouldn't be working on these things. Either someone screwed
up building the system, or someone thought they could use it in ways it wasn't
intended and screwed up. Sure, the solution might not be as simple as a lack
of server-side validation, but either way, the solution is simple, the problem
isn't.

------
chris11
According to a community manager, EA is honoring all sales made with the
coupon. I was kind of expecting EA to ban some people or revoke access to some
games. But I guess they just ended the promotion early. Although EA does seem
to be getting some complaints from people who filled out the survey and didn't
get to use the coupon.

<http://forum.ea.com/eaforum/posts/list/60/9040620.page>

~~~
minimaxir
That appears to be the case. I've updated the post accordingly.

------
prezjordan
So because of DRM, they're fully capable of taking those games "back"
(removing them from accounts), right? I mean, if VALVe one day decided I no
longer can have TF2 they can simply strip it from my account, is that how their
terms work?

~~~
skymt
Yes and yes. Valve has been known to remove games from Steam accounts in cases
of abuse, e.g. credit-card fraud or stolen license keys.

~~~
doesnt_know
I've never heard of Valve removing single games from an account before. It's
common knowledge though that if you ever do a chargeback for a purchased game
they shut down your account and it becomes irrecoverable.

It's a blanket policy and a reason why I never use PayPal for Steam; I use a
real or "throw-away" credit card for Steam purchases. Alternatively, you could
not buy from Steam at all. I don't anymore, but it's too late for me. I already
have over 200 games with them and worry about losing access to everything.

~~~
skymt
The only case I know for certain that Valve removed a single game from
accounts was the time a large number of Dirt 3 keys were leaked from a
graphics card promotion. A friend traded a game for one of the stolen keys,
not knowing about the leak. About a day later, the game disappeared from his
library with no fanfare. He didn't even get an email from Valve.

I've also heard that Valve will remove games that were acquired through the
trade system if the original buyer obtained them fraudulently.

------
tlrobinson
_"pretty embarrassing for an exploit that causes a significant amount of lost
revenue"_

I doubt much revenue was lost. How many of these people were going to buy the
game in the first place? None of them were hot new games, were they?

------
romaniv
I think this is the best possible example of why you should always develop
websites using progressive enhancement. First, write the app without using any
JavaScript. Test it. Make sure the core logic works as intended. Then add
JavaScript to make it faster, prettier, simpler to use. That will most likely
prevent fuckups such as this, and it will also result in a better structured,
easier to reason about architecture.

------
atas
This is just another sample case demonstrating how otherwise intelligent and
competent people really need to be educated about web development security.

------
elliottcarlson
"One, if EA is technically incompetent enough to allow such a severe bug to
exist, they won’t have the technical skills to discern who used the promo code
more than once."

Not necessarily true - we don't have insight into how their system is set up;
and while it may not be tracking redemption of the codes on that level, it
could also be attached to any transactional data that they have in place (for
reporting purposes etc).

~~~
TwoBit
Also, it's likely the person(s) who set up that promo had little to do with
the people who maintain Origin. And may not even be related to those who
maintain the server.

------
cyber
Ironically, EA will probably try to claim the "success" of the promo by using
numbers for all the games claimed as if they were all discrete individuals.

While at the same time trying to claw back the licenses.

------
xedarius
I'd say it worked out pretty well, I'd never heard of EA's Origin service
before this article.

------
ricksta
I'm not sure if OP's solution is optimal. But why not use unique promo codes?

~~~
dfox
Unique promo codes have to be generated somehow. Integrating that generation
into probably outsourced survey mechanism is likely not exactly trivial and
may (if not done right) open ways for anyone to generate any amount of promo
codes they want.

This is one kind of problem you get when you start separating different
functionality into separate applications that don't know about other parts.

------
ragsagar
I can't believe that they don't know what server-side validation is.

------
Evbn
Please change your CSS so it doesn't force Android to show a microscopic font
with long lines and disabled zoom/reflowing.

~~~
minimaxir
The CSS is based off of Bootstrap, so everything should be showing correctly
on mobile and tablets (I don't have an Android device myself so I can't verify
that particular use case). I'll look into it; in the meantime, I enabled zoom
for mobile devices.

~~~
CamperBob2
_in the meantime, I enabled zoom for mobile devices._

Whoever turned it off in the first place was a bad person, and should feel bad
for doing so.

~~~
minimaxir
Having zoom enabled and changing device rotation can cause formatting issues
on some devices. The mobile (smartphone) websites of TechCrunch, Yahoo, Cnet,
Mashable, etc. all disable mobile zoom.

Tablets appear to be a different story though, and zoom might need to be
enabled there.

~~~
quotemstr
> Having zoom enabled and changing device rotation can cause formatting issues
> on some devices.

Then fix your goddamn site instead of gimping the user's web browser.

