Hacking that Playstation competition…

***Update: I’ve published a follow-up post here in the aftermath ***

*** Update: Sony have made no attempt to plug the hole, the exploit worked flawlessly again this morning allowing me to scrape the secret URL 2 minutes before the clue was announced ***

***This blog post details a simple exploit that allows you to get hold of the secret form URL within seconds of the page going live. I’ve published this information because this competition has been a complete scandal with people cheating and sharing the links on forums and twitter. My goal is to force Sony to shut down this shambles and distribute the consoles in a fairer way. Of course, they might just plug the hole so don’t be surprised if this exploit stops working. This exploit was originally shared by myself here via Twitter***

Intro

If you’re a Playstation fanboy then you’ll be aware that Sony UK have been running a competition this week to let you “win” the chance to buy a shiny new 20th Anniversary Edition Playstation 4. Playstation UK have set up a site to celebrate the 20th Anniversary of the Playstation here: http://ps20.software.eu.playstation.com. The site contains an interactive montage of hundreds of classic characters from Playstation games. You can pan and zoom around and click on the characters to get info about them. So far so good. Now, the format of the competition is as follows: every day at a set time, Playstation UK tweet a clue about one of said characters. If you then refresh the site and click on the correct character you are presented with a link to a “secret” form on the Game UK website. You fill in the form as quick as you can and the first 100 lucky sods are then contacted directly by Game to arrange payment and delivery of their cherished goods.

This seems like a pretty fair system and a good way of allowing true die hard fans a real shot at getting their hands on these limited edition machines (as opposed to profiteering tossers who want to sell them on ebay). However, things quickly unravelled on Monday. Seemingly unaware of the impending fanboy stampede, the website completely ground to a halt at 4pm as soon as the first clue was tweeted. Frantically hitting the F5 button for ten minutes to no avail, I quickly came to terms with the fact that I had no chance. Like most people, I was extremely frustrated that I could not take part in this competition. Eventually at about 4:30 I was able to get the site to load, click on the correct character and get to the Game website.

I took to Twitter to vent my frustration and noticed that the link to the form had been tweeted by people at about 2 minutes after the clue had been tweeted! How the hell had people managed to get through so quickly I thought?!

OPERATION REVERSE ENGINEER

Now I was truly pissed off. I’m a Software Engineer by trade so I decided that if people were going to ruin this competition and get an unfair advantage then I’m going to level the playing field and completely ruin it. This can be a lesson to Sony to make sure they run these competitions fairly in future. Here goes

Step 1 – Where is that link coming from?

When you click on the correct character, the site makes an ajax request to:

http://ps20.software.eu.playstation.com/redirect.php?sp=xxx

Where xxx is a code that changes with each day. Monday was SA, Tuesday was RJ, Wednesday was SBC (Update: Today was PBD)

This URL returns the location of the “secret” form – bingo

[Image: ps4url]

When you play properly, the site then redirects you to this address.

Step 2 – Where is that code coming from?

If you pass anything other than the correct code to this URL you just get a 0 back. That daily code must be embedded in the HTML or JavaScript somewhere, I thought. Indeed it was: 5 minutes of poking around and I found it in the actual HTML page:

[Image: codefound]

Step 3 – Write a little console app

The final step was to write a little console app to hammer the site, extract the value of SP, hit the link URL then copy it to the clipboard. You can find it on GitHub here

The binary is available here if you don’t care for code (Windows only, sorry). Basically if you run this a few minutes before the clue is tweeted it will get the new link as soon as it is changed on the site and copy it to your clipboard.

[Image: consoledemo]
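
The weakness in Steps 1 and 2 is that the daily `sp` code ships in the page before the clue is tweeted and `redirect.php` confirms it for anyone who asks. As an added example (not code from this post or from Sony's site), here is a server-side gate in Python that keeps the answer off the page; the character ids, form URL, release time and guess limit are all constructed assumptions.

```python
import hmac
from datetime import datetime, timedelta, timezone

# All values below are constructed for illustration.
FORM_URL = "https://shop.example/form-placeholder"  # placeholder URL
ANSWER_ID = "character-117"                         # hypothetical id
RELEASE_AT = datetime(2020, 1, 1, 8, 0, tzinfo=timezone.utc)
MAX_GUESSES = 3                                     # assumed per-client limit


class RedirectGate:
    """Stand-in for redirect.php that keeps the answer on the server."""

    def __init__(self, answer_id, form_url, release_at, max_guesses=MAX_GUESSES):
        self._answer = answer_id.encode()
        self._form_url = form_url
        self._release_at = release_at
        self._max_guesses = max_guesses
        self._guesses = {}  # client key -> guesses used since release

    def redirect(self, client, clicked_id, now):
        # Before the clue goes out every request gets "0", even one with
        # the right id, so polling early confirms nothing.
        if now < self._release_at:
            return "0"
        # Cap guesses so a client cannot walk through every character.
        used = self._guesses.get(client, 0)
        if used >= self._max_guesses:
            return "0"
        self._guesses[client] = used + 1
        if hmac.compare_digest(clicked_id.encode(), self._answer):
            return self._form_url
        return "0"


def demo():
    gate = RedirectGate(ANSWER_ID, FORM_URL, RELEASE_AT)
    early = RELEASE_AT - timedelta(minutes=2)
    results = {
        "early_correct": gate.redirect("alice", ANSWER_ID, early),
        "on_time_correct": gate.redirect("alice", ANSWER_ID, RELEASE_AT),
    }
    # "bob" burns the guess budget on wrong ids, then tries the right one.
    for n in range(MAX_GUESSES):
        gate.redirect("bob", f"character-{n}", RELEASE_AT)
    results["after_budget_spent"] = gate.redirect("bob", ANSWER_ID, RELEASE_AT)
    return results


if __name__ == "__main__":
    print(demo())
```

A gate like this does nothing about the form link being passed around after release; that needs a per-entrant token checked by the form itself.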

Conclusion

This was a pretty feeble attempt by Sony UK to make a fair and secure competition. This hack took me about an hour to knock up. Now this is out in the open is Sony going to try a little harder? Why don’t you stop this farce of a competition and raffle the consoles off for free? Also, buy some more servers you fucking amateurs.

34 thoughts on “Hacking that Playstation competition…”

  1. GET /redirect.php?sp=SBC HTTP/1.1
    Host: ps20.software.eu.playstation.com
    LOL! – Now why didn’t I just fire up Burp and think of this! … Amazing work!

      • I agree with you, I blame Sony for not making this more secure. You applaud this guy for proving his point, but at the same time I resent him for throwing this out in the open. My chances of getting a console are much smaller than I thought. And by the way if I get one I intend to keep it! Good luck gentlemen!

  2. Don’t think Sony/GAME will be reworking how their site functions before 8am tomorrow. Looks like the floodgates have opened now this information/tool is out there.

  3. Nice work.
    I’d assumed they were doing something like this but for some reason Chrome’s Dev Tools were not showing me the AJAX requests – only the Google Analytics stuff. Luckily I nailed one of the first 100 on Monday – there was an error in the final URL which I’m sure threw a lot of people off, which just required a ‘.’ to be changed to a ‘/’.

  4. If this works and I get an entry in quick-smart, you sir will be my new hero! lol

    Did the comp legitimately yesterday, got into the site, got the tweet, found the right character, clicked on the link, but the page that opened came up with “No File Found”….then I find that another link was put up minutes later!
    Dunno what PS / Game were thinking by their attempted misdirection, but the whole thing is a complete shambles.
    They should have just punted the whole lot online, first come first served, instead of this joke of a “competition”!

  5. I ran this, but it doesn’t appear to work properly for me

    it seems to run fine, but doesn’t find the url or copy it to clipboard.
    I just get
    exception world
    value cannot be null
    parameter name: text

    any ideas anybody

  6. I wrote a similar script (rev. 3 is most useful) the morning before this blog post. I had become frustrated with being unable to get to Sony’s site the previous 2 days due to oversights by the developers/sys-admins; telling people to refresh a page at the same time which hosts 290 non-cdn hosted images with no Cache-Control or Expiry headers is a great way to DoS your own site. Sony could have used websockets (or at least long-polling) and push the updated config variable (window.config.sp) to users after the tweets were published to minimize their server load. However, maybe that’s having too high expectations when the website has its config files deployed to a publicly accessible url with php display_errors set to true, meh..

    • At what point did you submit your form bearing in mind it went live 2 mins before. Also you sure you’re still in as Game posted any entries received before tweeted clue are disregarded

  7. Hi
    What would have been a better way to do it? Could Sony have done a way to do this without having to refresh the page? Just interested from a technical point of view.

  8. Hello everyone, what I am about to say will seem strange to everyone but I am thinking people have bought and entered the competition and have already received their console and posted on eBay for stupid money however I work for Game and the consoles are still all stored in the company… so what I am thinking all the UK eBay sellers are all scams as I have been contacting them asking if they have bought the PS4 LE in UK and they have said yes we did from game.co.uk HOW??

    people be careful…..
