"If Amazon knew there was a way to buy, say, 100 vouchers and receive $2000 of
Amazon merchandise for $1000, they would probably blow a gasket.
Jeff, you'd better sit down."
"* Amazon is not a sponsor of this promotion."
With regard to the exploit, I don't really get it. You don't get the Gift Certificate right away; I still haven't received mine, though I did get an email:
"Thanks for getting in on this sweet deal from LivingSocial:
$20 Amazon Gift Card*
We'll send you an email tomorrow letting you know how you can get
your Amazon Gift Card* code"
2. LivingSocial has already said they are only allowing one GC purchase per credit card (so when they tabulate tomorrow, all this hackery will fail)
3. They are being issued as Amazon vouchers, not really GC, which allows only one voucher per Amazon account. If someone managed to get 100, they would need 100 Amazon accounts.
My guess is, LivingSocial knows exactly what they are doing.
Nonetheless, not having server-side validation built in indicates pretty bad practice. For one, it causes them a lot of grief and work reversing all the transactions. But further, it indicates that they probably have gaping security flaws lying around waiting to be exploited.
"Tim O'Shaughnessy: Just saw your post come through based on Martin Tobias' post and he is off on several things, but in short, there is no widescale problem of users purchasing more than 1 gift card voucher.
Here are some specifics:
First, when a user first hits "buy", we do a pre-authorization of their card but hold off on settlement until later in the day after the deal is closed. We generally do this for a variety of reasons, but a primary reason is that if a user happens to earn that day's deal for free through our Me + 3 program, we don't want to have to charge their card back. Instead we wait to see who has earned a free deal and then process the cards.
A by-product of doing the pre-auth first and the settlement later is that we can do server side validation (i.e. check for gamers) anytime through the day until the settlement occurs and we've reconciled the transaction. What does this mean? It means that today people who think they've "found a loophole" just haven't been told by us yet that they're violating the one purchase per person rule. We intentionally had that happen today because we expected people to game the system and didn't want to get into a game of cat and mouse all day. That 50-75% of the purchases were gamed is laughable.
The "code hack" Martin refers to changes things on the client side, but not our server side. Optically it will look like someone has changed their purchase number, but we have the number already locked on the server side."
They clearly weren't validating all of the form inputs on the server side. Hopefully this was a learning experience for the engineering team.
Probably not exactly how it went down, but it's a good story.
Wouldn't a simple post like this be enough?
LivingSocial does not guarantee that you get what you ordered like Tippr does.
Meh. I'll pass. Such a blog post about a competitor isn't the best way to brag about your own product.
So multiple purchases under one account, or multiple accounts are going to fail when they tabulate tomorrow.
Also, they are being issued as Amazon vouchers, not really GC, which allows only one voucher per Amazon account. If someone managed to get 100, they would need 100 Amazon accounts.
Talk about bad PR ... that'd be the worst they could get, if they got hacked on the day they're likely seeing their most signups ever!
LivingSocial disabled this already (the trick doesn't work any more), and all people who tried this trick earlier today will simply get an email tomorrow saying that they are not eligible because they ordered more than 1 gift certificate.
There's simply too much money at stake for LivingSocial not to make sure that people only get 1 gift certificate each.
It wouldn't take 10 minutes to have an engineer interrogate the database to raise any orders that have a quantity greater than 1 and/or a total amount more than $10.
To claim that LivingSocial has been "hacked" is sensationalism. While I think it was a low blow, I can understand why a non-technical CEO would try this stunt but I'd have expected more sense from a technical person who should know how easy it would be to see this happening on LivingSocial's back end.
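The server-side check and the reconciliation pass that several commenters describe (one purchase per person enforced by the server regardless of what the client's form says, then a query over the pre-authorized orders before settlement that raises anything with a quantity above 1, an amount above $10, or a card used more than once), as an added example that is not code from this thread or from LivingSocial. It assumes a SQLite `orders` table with a card fingerprint column, a $10 deal price, and constructed sample rows; the table layout and the function names are hypothetical.

```python
import sqlite3

DEAL_PRICE_CENTS = 1000   # the $10 charged for the $20 voucher
MAX_PER_BUYER = 1         # the stated one-purchase-per-person rule

# Constructed sample of pre-authorized orders (not real data). The
# quantity/amount columns hold whatever the client POSTed, so the
# reconciliation pass has something to catch.
SAMPLE_ORDERS = [
    # order_id, account, card_fingerprint, quantity, amount_cents
    (1, "alice@example.com", "card-A", 1, 1000),
    (2, "bob@example.com",   "card-B", 5, 5000),  # quantity edited client-side
    (3, "carol@example.com", "card-C", 1, 1000),
    (4, "dave@example.com",  "card-C", 1, 1000),  # second account, same card
    (5, "erin@example.com",  "card-E", 1, 2500),  # amount edited client-side
]


def open_db():
    """Create an in-memory orders table seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE orders (
        order_id INTEGER PRIMARY KEY,
        account TEXT NOT NULL,
        card_fingerprint TEXT NOT NULL,
        quantity INTEGER NOT NULL,
        amount_cents INTEGER NOT NULL,
        status TEXT NOT NULL DEFAULT 'preauth')""")
    conn.executemany(
        "INSERT INTO orders VALUES (?,?,?,?,?,'preauth')", SAMPLE_ORDERS)
    conn.commit()
    return conn


def place_order(conn, account, card_fingerprint,
                client_quantity, client_amount_cents):
    """Server-side validation at 'buy' time. The values the client POSTed
    are only compared against the server's own deal record (never trusted
    as the price), and a buyer who already holds an order on this account
    or card is refused. Returns (order_id, message)."""
    if (client_quantity != MAX_PER_BUYER
            or client_amount_cents != DEAL_PRICE_CENTS):
        return None, "client-supplied quantity/amount does not match the deal"
    dup = conn.execute(
        "SELECT 1 FROM orders WHERE account = ? OR card_fingerprint = ?",
        (account, card_fingerprint)).fetchone()
    if dup:
        return None, "one purchase per person"
    cur = conn.execute(
        "INSERT INTO orders (account, card_fingerprint, quantity, amount_cents)"
        " VALUES (?,?,?,?)",
        (account, card_fingerprint, MAX_PER_BUYER, DEAL_PRICE_CENTS))
    conn.commit()
    return cur.lastrowid, "ok"


def flag_gamed_orders(conn):
    """Reconciliation pass before settlement: mark as 'rejected' every
    order whose quantity or amount exceeds the deal, or whose card or
    account appears more than once. Returns the rejected order ids."""
    conn.execute("""
        UPDATE orders SET status = 'rejected'
        WHERE quantity > ? OR amount_cents > ?
           OR card_fingerprint IN (
               SELECT card_fingerprint FROM orders
               GROUP BY card_fingerprint HAVING COUNT(*) > 1)
           OR account IN (
               SELECT account FROM orders
               GROUP BY account HAVING COUNT(*) > 1)
    """, (MAX_PER_BUYER, DEAL_PRICE_CENTS))
    conn.commit()
    rows = conn.execute(
        "SELECT order_id FROM orders WHERE status = 'rejected'"
        " ORDER BY order_id").fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_db()
    print("rejected at reconciliation:", flag_gamed_orders(db))
    print(place_order(db, "frank@example.com", "card-F", 1, 1000))
    print(place_order(db, "alice@example.com", "card-Z", 1, 1000))
    print(place_order(db, "gina@example.com", "card-G", 3, 3000))
```

The look-then-insert in `place_order` is racy on its own (two concurrent "buy" clicks can both pass the SELECT), which is why the reconciliation pass still runs over everything before settlement; in a real deployment a unique index on the card fingerprint, or the insert and check inside one transaction, closes that window at write time.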
In this case, a quick server-side check that did the same thing as a client-side validation seems like a no-brainer, but what about bigger, more complex actions?
What kinds of actions are you guys deferring while actually telling the customer something else (and notifying them later if something ultimately fails)?
That way if/when they invalidate all of the orders from people who ordered more than 1, you won't miss out on the deal.
Still, a separate e-mail address, credit card, and Amazon account would be an almost surefire way to get multiple deals. But anything past 2 or 3 would get to the point of just wasting your time.
My main reaction to this story is that, after months of getting crappy offers from LivingSocial and cancelling my subscription to them, they finally offer something good.