Macworld crack offers VIP passes, hacker says

Security weakness in conference Web site apparently let enterprising hackers get free platinum passes to the event, a $1,695 value.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
Alongside the VIPs and people who paid top dollar, a hacker claims he also got priority access to Steve Jobs' speech at the Macworld Conference and Expo this week.

A security weakness in the event's Web site allowed enterprising hackers to get free "platinum passes" to the event, a $1,695 value, a security professional claims. These passes--the most expensive sold for Macworld--included much-coveted priority seating for the Jobs keynote address on Tuesday. In that packed speech, Jobs unveiled Apple's new iPhone.

The hack was possible because special discount codes were available on the Macworld site without proper security, Kurt Grutzmacher, a Berkeley, Calif.-based security professional, wrote on his blog late Thursday. It was relatively easy to uncover the code that would make a platinum pass free, he wrote.

Grutzmacher picked up his free "Platinum Pass" on Monday and reported the issue to IDG on Tuesday, he wrote. IDG World Expo runs Macworld, which closes Friday.

"They'd spent most of the day looking back over their logs and found that others also had found this vulnerability and used it but I was the only one to report it," Grutzmacher wrote.

Macworld organizer IDG World Expo won't confirm or deny that the hack happened. Spokeswoman Charlotte McCormack on Friday said the company simply had "no comment." A representative for Registration Control Systems, the company that handled registrations for the event, referred all questions to IDG.

The claimed Macworld hack is an excellent example of security issues with Web 2.0 applications, Billy Hoffman, a researcher at Web security specialist SPI Dynamics, said in an e-mail interview Friday.

IDG tried to make their Web site more responsive by doing some of their validation on the PC of the user registering for the event, Hoffman said. They did this by pushing some JavaScript code to the browser. By doing that they leaked how the priority code is verified and used by the Web site, he said.

"I visited the IDG registration page today (Friday), and the priority codes are still in the JavaScript, available for anyone to steal," he said. "By trying to enrich the user's experience, the programmers exposed all of their discount offers in JavaScript, allowing an attacker to discovery them and perform fraud for thousands of dollars."

What Grutzmacher did isn't something that any layperson could do. When registering for the event, he discovered that the Macworld online registration page actually contained a list of possible discount codes, called "Priority Codes," he wrote.

This list was not in plain text, though. It was encrypted and showed a number of MD5 hashes, Grutzmacher wrote. The protection was easy to crack, however, because the Web site gave several key pieces of information that enabled a crack. In less than 10 seconds, he had the code that gave him a free platinum pass, he wrote.

"Ultimately, you don't want to give the client everything they need to gain access to something they shouldn't. Validate on the server rather than the client and keep the keys secret," Grutzmacher wrote. "Of course, you also shouldn't use a very easy key that will provide discounted access."