So what did Sony do about it?

This is a follow-up post to my original story here.

Not a lot. Just enough to stop the scripts.

The page now loads a new main JS file at http://ps20.software.eu.playstation.com/index.dart.js?v=2

But the original remained live to throw people off the scent.

The original URL source was kept active and the data inside the HTML file remained.

The original URL source was also tweaked to respond to any code. Presumably this was to trick people into thinking they still had a working exploit.

The only way to get it to return the real URL was to change the query string parameter name from “sp” to “k” and add the correct Referer header:

Referer: http://ps20.software.eu.playstation.com/

What about people sharing links?

The game website doesn’t appear to submit anything differently whether you arrive legitimately via http://ps20.software.eu.playstation.com/ or directly.

So basically, people who used the link without participating properly will probably still be counted.

I may have missed something here so perhaps Sony or Game can reassure us that they have actually added something to prevent these entries? I’m not holding my breath for any kind of official acknowledgement or an explanation however…

Hacking that Playstation competition…

***Update: I’ve published a follow-up post here in the aftermath ***

*** Update: Sony have made no attempt to plug the hole, the exploit worked flawlessly again this morning allowing me to scrape the secret URL 2 minutes before the clue was announced ***

***This blog post details a simple exploit that allows you to get hold of the secret form URL within seconds of the page going live. I’ve published this information because this competition has been a complete scandal with people cheating and sharing the links on forums and twitter. My goal is to force Sony to shut down this shambles and distribute the consoles in a fairer way. Of course, they might just plug the hole so don’t be surprised if this exploit stops working. This exploit was originally shared by myself here via Twitter***

Intro

If you’re a Playstation fanboy then you’ll be aware that Sony UK have been running a competition this week to let you “win” the chance to buy a shiny new 20th Anniversary Edition Playstation 4. Playstation UK have set up a site to celebrate the 20th Anniversary of the Playstation here: http://ps20.software.eu.playstation.com. The site contains an interactive montage of hundreds of classic characters from Playstation games. You can pan and zoom around and click on the characters to get info about them. So far so good. Now, the format of the competition is as follows: Every day at a set time, Playstation UK tweet a clue about one of said characters. If you then refresh the site and click on the correct character you are presented with a link to a “secret” form on the Game UK website. You fill in the form as quickly as you can and the first 100 lucky sods are then contacted directly by Game to arrange payment and delivery of their cherished goods.

This seems like a pretty fair system and a good way of allowing true die hard fans a real shot at getting their hands on these limited edition machines (as opposed to profiteering tossers who want to sell them on ebay). However, things quickly unravelled on Monday. Seemingly unaware of the impending fanboy stampede, the website completely ground to a halt at 4pm as soon as the first clue was tweeted. Frantically hitting the F5 button for ten minutes to no avail, I quickly came to terms with the fact that I had no chance. Like most people, I was extremely frustrated that I could not take part in this competition. Eventually at about 4:30 I was able to get the site to load, click on the correct character and get to the Game website.

I took to Twitter to vent my frustration and noticed that the link to the form had been tweeted by people at about 2 minutes after the clue had been tweeted! How the hell had people managed to get through so quickly I thought?!

OPERATION REVERSE ENGINEER

Now I was truly pissed off. I’m a Software Engineer by trade so I decided that if people were going to ruin this competition and get an unfair advantage then I’m going to level the playing field and completely ruin it. This can be a lesson to Sony to make sure they run these competitions fairly in future. Here goes.

Step 1 – Where is that link coming from?

When you click on the correct character, the site makes an AJAX request to:

http://ps20.software.eu.playstation.com/redirect.php?sp=xxx

Where xxx is a code that changes with each day. Monday was SA, Tuesday was RJ, Wednesday was SBC (Update: Today was PBD)

This URL returns the location of the “secret” form – bingo

[Image: ps4url]

When you play properly, the site then redirects you to this address.

Step 2 – Where is that code coming from?

If you pass anything other than the correct code to this URL you just get a 0 back. That daily code must be embedded in the HTML or JavaScript somewhere, I thought. Indeed it was: 5 minutes of poking around and I found it in the actual HTML page:

[Image: codefound]

Step 3 – Write a little console app

The final step was to write a little console app to hammer the site, extract the value of SP, hit the link URL then copy it to the clipboard. You can find it on GitHub here.

The binary is available here if you don’t care for code (Windows only, sorry). Basically if you run this a few minutes before the clue is tweeted it will get the new link as soon as it is changed on the site and copy it to your clipboard.

[Image: consoledemo]

Conclusion

This was a pretty feeble attempt by Sony UK to make a fair and secure competition. This hack took me about an hour to knock up. Now that this is out in the open, is Sony going to try a little harder? Why don’t you stop this farce of a competition and raffle the consoles off for free? Also, buy some more servers you fucking amateurs.
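A server-side design that would close both gaps described in these posts, the daily code being readable in the page HTML and a shared form link still counting as an entry. This is an added example, not the site's code or anything from the original posts. The key, release time, character ID and function names are all assumptions, and the game site and the form site are assumed to share the HMAC key and a store of used nonces.

```python
import hashlib
import hmac
import secrets

# Every name and value here is constructed for illustration.
SECRET_KEY = b"constructed-demo-key"   # assumed shared by game site and form site
RELEASE_AT = 1_700_000_000             # epoch second at which the clue is tweeted
ANSWER_ID = "character-117"            # correct character, held server-side only
TOKEN_TTL = 300                        # seconds an issued token stays valid
_used_nonces = set()                   # stand-in for a shared single-use store


def _sign(nonce: str, expires: int) -> str:
    msg = f"{nonce}.{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def redeem_click(character_id: str, now: int):
    """Game site: issue a one-time entry token, or None.

    The answer never reaches the browser and is not checked before release."""
    if now < RELEASE_AT:
        return None
    if not hmac.compare_digest(character_id.encode(), ANSWER_ID.encode()):
        return None
    nonce = secrets.token_hex(8)
    expires = now + TOKEN_TTL
    return f"{nonce}.{expires}.{_sign(nonce, expires)}"


def verify_entry(token: str, now: int) -> bool:
    """Form site: count an entry only for a valid, unexpired, unused token."""
    try:
        nonce, expires_text, mac = token.split(".")
        expires = int(expires_text)
    except ValueError:
        return False
    expected = _sign(nonce, expires)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    if now > expires or nonce in _used_nonces:
        return False
    _used_nonces.add(nonce)
    return True
```

Unlike the Referer check, the token cannot be produced by the client, and a form link passed around on a forum yields at most one counted entry.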