In today’s episode of the insecure internet I present to you the company Ticketscript. This event ticketing company provides tools and features to make selling tickets for events easier. According to their website:
“[..] Ticket buyers are your biggest asset. Why share your customers with anyone else? Stop sending your hard earned traffic to third party ticket selling websites and agents. [..] The secret to event success? Own your data 100%. [..]”
Well, it appears that their data got owned!
Let me tell you a story.
I came in contact with the crew of the Dutch television show Opgelicht?! from AVROTROS, and they wanted to make a special item about cyber-crime and data breaches. They asked me if I had recently found a critical vulnerability in a Dutch company that hadn’t been reported yet. I stumble across these every week during my professional engagements, but all of them fall under non-disclosure agreements. I told them I could easily find a new one for them. They said that if that was true, it would be a good news story to inform their viewers and create awareness about the dangers of the internet.
So for the greater good and under journalistic cover from AVROTROS, I started googling for administrator login screens of Dutch companies. When I had found one, I would check whether the default administrator password ‘admin’ was still set. I didn’t have to search long: after trying the password on only a few login screens, I hit the jackpot:
Whoaah! I was now logged in!
For a few moments I was stunned by what had just happened, and when reality kicked back in, I realized I was now logged in as an administrator on some kind of system. I looked around and realized it was an administration system that manages the sales and validation of tickets and events for customers of a company called Ticketscript.
In order to estimate the impact of this vulnerability and see if it was newsworthy, I clicked around the system to get a grasp of its function and the data it contained.
I clicked on the ‘maintain companies’ menu option and saw a list of usernames and (base64) encoded passwords:
Oh my! Showing (encoded) passwords in a webpage is never a good idea! An administrator should never see these.
Configuring new account passwords
I clicked on a random company and apparently I could configure a new password for the account:
Via the menu option ‘maintain users’ I could also set new passwords for other users in the system if I wanted:
This administrator account has some serious power! It seems I had full access to their ticketing system.
The system runs over an insecure (HTTP) connection:
This means that all customer details and passwords are sent in readable form over the internet and are susceptible to (man-in-the-middle) attacks. Every decent website that handles large amounts of personal records has implemented secure (HTTPS) connections nowadays. Ticketscript didn’t think security was important, or lacks fundamental knowledge about it.
Curious whether I was right, I logged into LinkedIn and searched for all the Ticketscript employees. LinkedIn found 122 employees:
I’ve read all 122 job titles and none of them has anything to do with security or privacy. I think they immediately need an IT security officer, a security manager and a privacy officer in order to actively and adequately defend their systems against modern-day threats on the internet.
System administrator didn’t care about security
Back to the ticket administration system. Curious what else this system had to offer, I clicked on the ‘settings’ menu option:
I now had the option to change my own account password. Apparently the system administrator I was logged in as didn’t even bother to invest one minute of his time to configure a strong password to protect all the customer data of the company he is entrusted with.
Default passwords everywhere!
After getting to know the system better, I figured out that customers are given an initial password consisting of ‘scan’ followed by their own username. So username ‘Esther1320’ would get the default password ‘scanEsther1320’, and all five company usernames I logged in with to try this out still had the default password set.
This makes me wonder: are there any safe passwords set in this system at all?
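As an added illustration (not code from the original post or from Ticketscript), here is the kind of audit a defender could run over their own user table to find accounts that still carry the ‘scan’ + username default or the ‘admin’ password, followed by the salted-hash storage that would have made the ‘maintain companies’ page stop revealing passwords. The account table below is constructed for the example; base64 is an encoding, not a hash, which is exactly why the audit is trivial to write.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample of a "maintain companies" table: username plus the
# base64-encoded (not hashed) password, as the page describes seeing it.
SAMPLE_ACCOUNTS = {
    "admin":      base64.b64encode(b"admin").decode(),
    "Esther1320": base64.b64encode(b"scanEsther1320").decode(),
    "DDW_crew":   base64.b64encode(b"scanDDW_crew").decode(),
    "tescofair":  base64.b64encode(b"Xk7!pq2rLz").decode(),
}

def default_password_for(username: str) -> str:
    """The provisioning scheme the page describes: 'scan' + username."""
    return "scan" + username

def audit_default_passwords(accounts: dict) -> list:
    """Return the usernames whose stored password decodes to a default.

    Because the stored value is only base64, anyone who can read the
    table recovers every password; that is the storage defect itself.
    """
    flagged = []
    for user, encoded in accounts.items():
        try:
            clear = base64.b64decode(encoded, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-8; cannot be checked this way
        if clear == "admin" or clear == default_password_for(user):
            flagged.append(user)
    return flagged

# Hardened storage: a random per-user salt and PBKDF2-HMAC-SHA256, so the
# table no longer reveals passwords even to an administrator who reads it.
PBKDF2_ROUNDS = 200_000

def hash_password(password: str, salt: bytes = None) -> tuple:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare
```

The audit should run as part of account provisioning too: an account that still matches `default_password_for` after first login should be forced to change it.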
Their desktop application
Apart from this administrator web interface, they also have a desktop application that customers can log into. I logged in with a customer’s account and saw that the account had access to quite a few events:
Access to 10,000+ tickets
Counting only the tickets for the events shown on the screen, not even mentioning all the other events I would see when scrolling down, I already arrived at 10,000+ tickets!
I selected an event and got access to personal details of attendees:
When I clicked on the ‘export’ menu option, I was served a downloadable Excel file containing all the personal details of the event attendees, in this case over 6,500 records:
The first name, last name, e-mail address and telephone number of attendees were easily exported from the system.
It takes around 8 to 16 hours to set up and execute such an attack for a skilled hacker. I would bet that you’ll get thousands of new bots in your botnet if you would do that. If you fill in your bank account number in the fake invoice, you might also get some money occasionally ;-)
The company behind this vulnerable system is Ticketscript:
“[..]Founded in 2006 we’re now Europe’s market leader in digital self-service ticketing with offices in Amsterdam, London, Berlin, Antwerp, and Barcelona with more than 100 employees.
It’s our mission to help event organisers get the most from their online ticketing and yes, you’ve guessed it, sell more tickets. Our services are used by over 125,000 events, selling over 20m tickets across Europe for festivals, exhibitions, air shows, fairs, sports events and more.
As a result we work with a wide range of renowned event organisers, both internationally and locally. These include Art of Dance (NL), Dutch Design Week (NL), Brighton Pride (UK), Tesco Wine Fair (UK), Waterstones (UK), Love Family Park (DE), Groezrock (BE) and Affordable Art Fair (INT). [..]
Impact of the breach
In the text above it says that their clients sold over 20 million tickets. On their front page they say their clients sold over 25 million tickets. Are all those tickets managed via the ticket administration interface I had access to? I saw another login screen for a dashboard somewhere else.
With the administrator account I had access to, I could manage 1,100+ events, including those from the above-mentioned Dutch Design Week and Tesco Wine Fair. If we take an average of 500 attendees and multiply that by 1,100, we get 550,000. Let’s stay on the safe side and estimate that there are somewhere between 200,000 and 300,000 tickets managed in this system. That’s still quite a lot!
This data set would probably include the mobile phone numbers and e-mail addresses of famous DJs and VIPs. I could check that, but then I would have had to download more data from the system, and I don’t think that would be an ethical thing to do. So far I have only briefly logged in under a few random accounts, clicked on a few screens and opened a few random events.
Free access to 1,100+ events!
I saw that I could register new tickets in the system for any given event or hijack existing tickets. This means that I and all my friends now had the ability to get free entry to 1,100+ events if I wanted to!
Of course I wasn’t going to do that. Instead I reported back to AVROTROS and they disclosed the findings to Ticketscript. Ticketscript responded formally through their attorney:
AVROTROS has made us aware of a vulnerability in a platform of one of our suppliers. This vulnerability was an unsafe username/password combination. Immediately after this report, we have contacted our supplier and they fixed the vulnerability.
Further research has shown that the limited amount of data that was present on this platform was not compromised by any other person than the ethical hacker. The vulnerability was therefore not misused. Moreover, it involved only a limited amount of non-sensitive data. Nevertheless, we regret the situation very much and appreciate that AVROTROS has informed us about it so we could act adequately.
Good to hear they closed the hole!
Is it a data breach?
I made an effort to see and download as few personal records as possible during my research to estimate the impact of the vulnerability. The lawyer acknowledges this, and uses it to claim that it is therefore, technically speaking, not a data breach. My own summary of his reasoning:
“My client has proven by research that the ethical hacker has only accessed a limited amount of data. That data won’t be shared with others, and no other hacker has accessed the database. It’s technically speaking not a data breach and therefore it’s not mandatory to report this case to the Dutch authorities (Autoriteit Persoonsgegevens).”
That’s quite interesting reasoning and interpretation of the law!
This whole story was filmed and featured in episode three of the TV show Opgelicht?! Cybercrime, including an interview with me (it’s in Dutch):