
LivingSocial Hacked - dknecht
http://www.deepgreencrystals.com/archives/2011/01/living-social-h.html
======
ghshephard
Fact checking is important:

Tippr.com Guy:

    "If Amazon knew there was a way to buy say 100 vouchers and receive $2000 of
    Amazon merchandise for $1000, they would probably blow a gasket.
    Jeff you better sit down."

LivingSocial disclaimer: (I bought one - apparently I could have bought more.
:-)

    "* Amazon is not a sponsor of this promotion."

This is a customer acquisition/affiliate/advertising play on LivingSocial's
part. Plus, they'll probably make some money on breakage [1] which is a
component of all these coupon vendors. Certainly got my attention.

With regards to the exploit - I don't really get it - you don't get the Gift
Certificate right away - I still haven't received mine, though I did get an
email:

    "Thanks for getting in on this sweet deal from LivingSocial:

    $20 Amazon Gift Card*

    We'll send you an email tomorrow letting you know how you can get
    your Amazon Gift Card* code"

Doesn't this give LivingSocial the opportunity to validate whether I'm
receiving more than one coupon at a time? If all the deals go through this
server-side validation, does it really matter if someone tries to play
games on the client side and puts in 999 coupons (and, supposedly, pays for
them)? I'm presuming LivingSocial reserves the right to change that number
back to "1" (and probably take their time returning your money).

[1] <http://en.wikipedia.org/wiki/Breakage>

~~~
ck2
1. Amazon is the top, major investor in LivingSocial ($175 Million)

2. LivingSocial has already said they are only allowing one GC purchase per
credit card (so when they tabulate tomorrow, all this hackery will fail)

3. They are being issued as Amazon vouchers, not really GC, which allows only
one voucher per Amazon account. If someone managed to get 100, they would need
100 Amazon accounts.

~~~
fookyong
3. Higher numbers sold look better for WOM marketing purposes, even if many
of them are culled during the tabulation after the sale ends.

My guess is, LivingSocial know _exactly_ what they are doing.

------
liuhenry
According to Business Insider, LivingSocial's CEO has said this is not a
problem: <http://www.businessinsider.com/livingsocial-server-flaw-2011-1>

"Tim O'Shaughnessy: Just saw your post come through based on Martin Tobias'
post and he is off on several things, but in short, there is no widescale
problem of users purchasing more than 1 gift card voucher.

Here are some specifics: First, when a user first hits "buy", we do a pre-
authorization of their card but hold off on settlement until later in the day
after the deal is closed. We generally do this for a variety of reasons, but a
primary reason is that if a user happens to earn that day's deal for free
through our Me + 3 program, we don't want to have to charge their card back.
Instead we wait to see who has earned a free deal and then process the cards.

A by-product of doing the pre-auth first and the settlement later is that we
can do server-side validation (i.e. check for gamers) anytime through the day
until the settlement occurs and we've reconciled the transaction. What does
this mean? It means that today people who think they've "found a loophole"
just haven't been told by us yet that they're violating the one purchase per
person rule. We intentionally had that happen today because we expected people
to game the system and didn't want to get into a game of cat and mouse all
day. That 50-75% of the purchases were gamed is laughable.

The "code hack" Martin refers to changes things on the client side, but not
our server side. Optically it will look like someone has changed their
purchase number, but we have the number already locked on the server side."

~~~
hdctambien
The fact that they fixed the problem seems to be counter to the CEO's
statement that it wasn't actually a problem.

They clearly weren't validating all of the form inputs on the server side.
Hopefully this was a learning experience for the engineering team.

~~~
alanfalcon
You have a 24 hour window for a deal like this and you know it costs you $10
for everyone who games the system. So you let the hackers think they've won
then after the 24 hours is up, reveal that they've lost. Instead of finding
creative and more difficult ways to game the system, the hackers wasted their
24 hours partying and getting drunk and so LivingSocial wins.

Probably not exactly how it went down, but it's a good story.

------
prpon
Honest question to fellow hackers and entrepreneurs: Do we have to take every
opportunity to put down your competition? Are there not enough venues to
market yourself?

Wouldn't a simple post like this be enough? _LivingSocial does not guarantee
that you get what you ordered like Tippr does_.

------
desigooner
I'd hardly call it "hacked". The post is oddly smug to claim that LivingSocial
got gamed easily and their "design" is flawed and that their own solution is
better.

Meh. I'll pass. Such a blog post about a competitor isn't the best way to brag
about your own product.

------
ck2
LivingSocial has already said that they are only going to allow one GC
purchase per credit card number.

So multiple purchases under one account, or multiple accounts are going to
fail when they tabulate tomorrow.

Also, they are being issued as Amazon vouchers, not really GC, which allows
only one voucher per Amazon account. If someone managed to get 100, they would
need 100 Amazon accounts.

------
sandeepshetty
I know the post is by a competitor, but wouldn't telling Living Social about
it first and giving them time to fix it before blogging be the "right thing"
to do?

------
maguay
This really spooked me at first ... Just by reading the title, my first
thought was that their servers got hacked maliciously and my financial data I
just added today was compromised. I'm glad to see it was something more
innocent :)

Talk about bad PR ... that'd be the worst they could get, if they got hacked
on the day they're likely seeing their most signups ever!

------
chanri
Don't get too excited.

LivingSocial disabled this already (the trick doesn't work any more), and all
people who tried this trick earlier today will simply get an email tomorrow
saying that they are not eligible because they ordered more than 1 gift
certificate.

There's simply too much money at stake for LivingSocial not to make sure that
people only get 1 gift certificate each.

------
dotBen
LivingSocial don't process the credit cards until after the deal is closed.

It wouldn't take 10 minutes to have an engineer interrogate the database to
raise any orders that have a quantity greater than 1 and/or a total amount
more than $10.

To claim that LivingSocial has been "hacked" is sensationalism. While I think
it was a low blow, I can understand why a non-technical CEO would try this
stunt but I'd have expected more sense from a technical person who should know
how easy it would be to see this happening on LivingSocial's back end.

------
trotsky
Doesn't appear to work now at least. Submitting any positive number as the
value for purchase_order_quantity still results in the website reporting that
I'll be charged for one.

------
barryaustin
LivingSocial didn't skip server-side validation - they delayed it. Now they
can identify cheaters who were suckered by false reports of a loophole.
Doesn't look so dumb to me.

------
nopal
I think this brings up an interesting point of discussion: what should sites
do now and what should they do later?

In this case, a quick server-side check that did the same thing as a client-
side validation seems like a no-brainer, but what about bigger, more complex
actions?

What kinds of actions are you guys deferring while actually telling the
customer something else (and notifying them later if something ultimately
fails)?
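
Server-side enforcement of the one-per-person limit, as an added example that is not LivingSocial's code: the handler that trusts the form's quantity beside a hardened one, plus the deferred pre-auth/reconcile-then-settle pass the CEO and dotBen describe above. `DealStore`, `card_fingerprint` and the status names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List

DEAL_PRICE_CENTS = 1000        # the $10 deal discussed in the thread
MAX_QTY_PER_CUSTOMER = 1       # the "one purchase per person" rule

@dataclass
class Order:
    order_id: int
    account: str
    card_fingerprint: str      # token/hash of the card, never the raw number
    quantity: int
    amount_cents: int
    status: str = "preauth"    # preauth -> settled | rejected

class DealStore:
    def __init__(self) -> None:
        self.orders: List[Order] = []

    def _active_qty(self, account: str, card: str) -> int:
        # Units already held by this account or this card (rejected ones excluded)
        return sum(o.quantity for o in self.orders if o.status != "rejected"
                   and (o.account == account or o.card_fingerprint == card))

    def place_order_trusting_client(self, account: str, card: str, qty: int) -> Order:
        # Vulnerable pattern: the limit exists only in client-side JS, so a
        # tampered purchase_order_quantity is stored and pre-authorized as sent.
        o = Order(len(self.orders) + 1, account, card, qty, qty * DEAL_PRICE_CENTS)
        self.orders.append(o)
        return o

    def place_order(self, account: str, card: str, qty: int) -> Order:
        # Hardened pattern: the server enforces the rule before pre-authorizing.
        if not isinstance(qty, int) or qty < 1:
            raise ValueError("invalid quantity")
        if self._active_qty(account, card) + qty > MAX_QTY_PER_CUSTOMER:
            raise ValueError("one purchase per person")
        return self.place_order_trusting_client(account, card, qty)

    def reconcile_before_settlement(self) -> List[int]:
        # Deferred check run before cards are charged: reject any order over the
        # limit or priced above one deal, and any repeat for an account or card
        # that already has a settled order. Returns the rejected order ids.
        rejected, seen = [], set()
        for o in self.orders:
            if o.status != "preauth":
                continue
            dup = o.account in seen or o.card_fingerprint in seen
            if o.quantity > MAX_QTY_PER_CUSTOMER or o.amount_cents > DEAL_PRICE_CENTS or dup:
                o.status = "rejected"
                rejected.append(o.order_id)
            else:
                o.status = "settled"
                seen.update({o.account, o.card_fingerprint})
        return rejected
```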

------
forkrulassail
Well, the final server side purchase shows the 1 card, $10 amount, so a fair
amount of server side validation is being done.

~~~
dknecht
They fixed it a few hours ago. My account is still showing I purchased 100.

------
WillyF
If you really wanted to get multiple deals, wouldn't it make more sense to
just make another LivingSocial account with a different e-mail address?

That way if/when they invalidate all of the orders from people who ordered
more than 1, you won't miss out on the deal.

~~~
radicaldreamer
They'll probably check billing methods as well, so you'd have to generate a
lot of extra credit card accounts. And they could ensure that the #'s for
these can only be used once by one Amazon account or shipping address.

~~~
WillyF
Yeah, I wouldn't be surprised if Amazon restricts your account to one of these
gift certificates somehow. The deal description said "no gifting allowed."

Still, a separate e-mail address, credit card, and Amazon account would be an
almost surefire way to get multiple deals. But anything past 2 or 3 would
get to the point of just wasting your time.

------
jdp23
The article says they did client-side validation to ensure that a customer
could only get one of a special offer. Sheesh. Security 101.

~~~
jdp23
If anybody's still reading, I'm curious why this got voted down. I thought I
was adding value by pointing out the specific vulnerability, and that it was a
basic security flaw. Was it too sarcastic?

