Your debugging code can be a security hole: Contest tickets


Last year, the Microsoft cafeterias ran a promotion which involved scratch-off tickets and prizes ranging from a free bagel to a new Zune to free airplane tickets. But it turns out that the people who ran the contest left some debugging code behind that became a security hole.

As people compared notes on what they did or didn't win, they noticed that the tickets all looked identical save for the scratch-off area (naturally) and some tiny numbers printed in the corner of the back of the card. After some study, it became clear that all the losing tickets had a code that ended in 01, all the tickets for a free bagel ended in 18, and so on. If you went to the contest rules and regulations Web site, you'd find the legally mandated odds of winning disclosure, and the table just so happened to have no prize as the first item in the table and free bagel as the eighteenth. Further comparisons with other winning tickets confirmed that you could tell ahead of time what prize you were going to win by just looking at the last two digits of the number printed on the back of the card.

This is another example of how your debugging code can be a security hole. In this case, the codes printed on the backs of the cards were probably added for quality control purposes, so that the contest managers could ensure that the right number of winning tickets were printed and so that the "big ticket" prizes would be evenly distributed among the participating cafeterias. The codes were never meant to be read by contestants, but nothing stopped contestants from reading them, and because the code was derived directly from the prize, reading it was as good as scratching the ticket.

But it also meant that everybody participating in the contest knows which are the winning tickets.
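The following Python is an added example, not code from the original post or from the contest organizers. It reconstructs the flaw described above (the printed code ends in the prize's position in the odds table) next to one way of keeping the quality-control property without the leak: the back of the card carries the serial plus a short keyed tag over (serial, prize), so the organizers can still count prizes from the backs of the cards and spot a doctored scratch-off result, while anyone without the key learns nothing. The prize table beyond "no prize" and "free bagel", the odds, the serial layout, the tag length and every function name are assumptions made for illustration.

```python
"""Constructed demonstration: a prize-correlated QC code versus a keyed one.
Not code from the original post; prize table, odds, serial layout and
function names are all assumptions made for illustration."""
import hashlib
import hmac
import random
import secrets
from collections import Counter

# Prize table in the order a hypothetical odds-disclosure page lists it.
# Entry 1 is "no prize" and entry 18 is "free bagel", as in the story;
# every other entry is a placeholder.
PRIZES = (["no prize"]
          + [f"small prize {i}" for i in range(2, 18)]
          + ["free bagel", "music player", "airline tickets"])
WIN_RATE = 0.10      # constructed odds: nine losing tickets in ten
TAG_HEX_CHARS = 10   # 40-bit tag; short enough to print on a card


def draw_prizes(n, seed=1):
    """Deterministically choose a 0-based prize index for each of n tickets."""
    rng = random.Random(seed)
    return [0 if rng.random() >= WIN_RATE else rng.randrange(1, len(PRIZES))
            for _ in range(n)]


def print_tickets_weak(prizes):
    """Flawed scheme from the story: the QC code ends in the 1-based prize
    index, so the back of the card tells you what is under the scratch-off."""
    return [f"{serial:06d}{p + 1:02d}" for serial, p in enumerate(prizes)]


def read_back_weak(code):
    """What any contestant can do: read the prize off the last two digits."""
    return int(code[-2:]) - 1


def tag_for(serial, prize_index, key):
    """Truncated HMAC-SHA256 over (serial, prize) under the organisers' key."""
    msg = f"{serial}:{prize_index}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_HEX_CHARS]


def print_tickets_keyed(prizes, key):
    """Hardened scheme: the back carries the serial plus a keyed tag over
    (serial, prize). Without the key the tag is noise; with it the organisers
    still get exact QC counts and can detect an altered scratch-off result."""
    return [f"{serial:06d}-{tag_for(serial, p, key)}"
            for serial, p in enumerate(prizes)]


def read_back_keyed(code, key):
    """Organiser's check: trial-verify the tag against every prize index.
    Returns the matching index, or None if nothing verifies (wrong key or a
    tampered code). With a 40-bit tag a false match is about 20 in 2**40."""
    serial_str, tag = code.split("-")
    serial = int(serial_str)
    for p in range(len(PRIZES)):
        if hmac.compare_digest(tag_for(serial, p, key), tag):
            return p
    return None


def guess_accuracy(codes, prizes, guess):
    """Fraction of tickets whose prize the guess function recovers."""
    hits = sum(1 for c, p in zip(codes, prizes) if guess(c) == p)
    return hits / len(prizes)


def demo(n=2000):
    prizes = draw_prizes(n)
    key = secrets.token_bytes(32)        # stays with the contest organisers
    wrong_key = secrets.token_bytes(32)  # what an outsider would have to guess
    weak = print_tickets_weak(prizes)
    keyed = print_tickets_keyed(prizes, key)
    # Flip the last tag character of one ticket to simulate a doctored card.
    doctored = keyed[0][:-1] + ("0" if keyed[0][-1] != "0" else "1")
    return {
        "weak_leak": guess_accuracy(weak, prizes, read_back_weak),
        "keyed_without_key": guess_accuracy(
            keyed, prizes, lambda c: read_back_keyed(c, wrong_key)),
        "qc_counts_match": Counter(read_back_keyed(c, key) for c in keyed)
                           == Counter(prizes),
        "tamper_detected": read_back_keyed(doctored, key) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The weak scheme gives an outsider 100% accuracy without touching the scratch-off; the keyed scheme gives 0% to anyone without the key, yet the organizers can still tally prizes per batch from the backs of the cards. A random serial with the prize kept only in a private database would serve just as well; the tag is shown because it needs no database at the point of checking and also catches a card whose scratch-off area has been altered.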

Comments (27)
  1. tsrblke says:

    Back in the day when I had to flip hamburgers part time in school, a certain chain hamburger joint with Arches had a promotion for employees whereby doing something "above normal duty" got you a scratch off.  Scratch offs were anything from "Free Hamburger!" to $100 cash on the spot.  (Everything won something.)  Of course when they gave them to the store managers they handed them out in 2 piles.  1 pile was apparently the "large prize" pile (i.e. cash.)  The other was the "food prize" pile.  The managers used this to make sure that the prizes fit to what they thought the employee deserved.

  2. DWalker says:

    A free hamburger from a place where you work flipping hamburgers is not a very good prize.

    A friend of mine worked at a fast food joint (not a burger place) and when the staff wanted to have dinner after work, they always went to another restaurant.  I asked why they didn’t eat where they worked, and my friend said "we spend all day working with this food, and we get very tired of it".  Which is understandable…

  3. Gabe says:

    Giving you a free burger from the burger joint where you work sounds a bit like a sausage factory giving its workers free sausages as prizes.

  4. tsrblke says:

    I never said it was a smart contest.  Most people gave the free food prizes to their friends.  The point was that the real prizes actually came in a different package, allowing the managers to effectively rig the contest as they saw fit.  (We all figured this out because the prizes seemed to scale quite nicely to the extra effort put in.)  What we never figured out is if this was accidental or intentional.

    Lottery tickets have barcodes on the back nowadays to scan winners.  I wonder if anyone’s been able to break that code yet.  (Of course it may not be a code at all, just a database of winners.)

  5. Mihai says:

    http://mihaiv.wordpress.com/2009/07/17/security-issues-with-sudo

    This article is somewhat related to the topic, more precisely to the printer driver example Raymond gives in the older linked article. In a common desktop system how many real users are actually there? Couldn’t it work for such a system to have a core user that can do almost anything and to be able to delegate different sensible actions to specialized users (like a specially limited internet browser user)?

  6. DriverDude says:

    "Giving you a free burger from the burger joint where you work sounds a bit like a sausage factory giving its workers free sausages as prizes."

    So is it lame if Microsoft gives out copies of Windows/Office/etc as employee prizes?

  7. pbrown says:

    "Giving you a free burger from the burger joint where you work sounds a bit like a sausage factory giving its workers free sausages as prizes."

    When I worked in a meat packing plant in a former life, it was the FDA inspectors who used to give out employees free food "prizes".  That’s about as close to a literal interpretation of the "eating your own dogfood" philosophy as I’ve ever seen.

  8. Chris L says:

    People who work at breweries don’t seem to mind getting free product.

  9. JenK says:

    I remember when the internal tools group unveiled their first client/server app to let employees update their benefits information. A dev poked around, found the server info string, and tried sending a SQL query to the server — and got back all his employee data.  Turns out the SQL server it was using was totally wide open. The IT group was like, "But who is going to know how to send a SQL query?"  Answer?  "Um, this is *MICROSOFT*…"

    Shortly thereafter the server was unavailable and email was sent that the tool was being reworked a bit…

  10. jeffdav says:

    This isn’t a security issue, really, since you don’t get to examine the tickets before scratching to get the ones you want.

    Furthermore, back when I worked at 7-11, I discovered that scratch-off tickets work in the same way.  There is a bar code on the back that you scan on the magic lotto machine and it gives you a receipt for the pay-out, assuming the ticket is a winner.  If it’s a loser, it says so.  So you don’t actually have to scratch off the play part to know if it is a winner or not, and you should be able to figure out the bar code scheme.  If you wanted to, you could scan all the tickets, buy all the winners and take the cash, and sell all the losers to customers.  Of course, they’d be all disconnected from the nice long roll which would cause some suspicion…

    And, when you do scratch off the play field, there are embedded codes to tell you how much it won.  E.g. there will be a T, an E and an N if it is a $10 winner, F, I and V for $5, etc.  

    [Actually, some cashiers let customers pick their own ticket. -Raymond]
  11. Nicholas Sherlock says:

    If you scan the scratch-off tickets a second time the machine knows and throws up a message saying as much (at least with the New Zealand lottery). You’d have to really, really hope that the customer never asks you to scan their ticket anyway, or takes it to another branch and scans it.

  12. Bob says:

    The security hole is caused by the code being correlated with the prize on the ticket.

    If lottery tickets have no such correlation, then working out the number in the bar code doesn’t tell you whether or not the ticket wins, unless you can hack into the database, in which case the bar code isn’t the security hole that people should be worrying about.

    And "embedded" codes that are under the scratch area don’t count – there’s also some plain text that tells you what you won, as well. I think if the cashier started scratching the tickets and only selling the losers, there would be more than just some "suspicion".

  13. someone else says:

    A lottery is no good unless someone gets stoned.

    And I don’t mean that in a drug-related way.

    It’s going to be a good harvest, oh yes …

  14. Falcon says:

    Some Australian supermarket chains print fuel discount vouchers on receipts if a certain purchase threshold is reached (currently, I believe, it’s 4c per litre when spending $30 or more). I managed to (partially) reverse engineer their barcodes and find where the expiry date was stored.

    Not particularly useful, of course, as the date is printed on the docket in plain text, just a fun exercise.

  15. GWO says:

    I can’t see what brings about the presumption that the printed code is anything to do with debugging code.  Presumably it’s there so the contest organizer can validate that the scratch part of the ticket hasn’t been modified.  It’s horrifically bad design, as it was too easily cracked, but it doesn’t seem to be debugging code.

    Am I being obtuse?  What’s being debugged?

    [The ticket distribution process. But mostly, it made for a catchy title. “Information which can be used for something other than its intended purpose can be a security hole” isn’t as catchy. -Raymond]
  16. Brian Tkatch says:

    MSN had an online game of sorts where you had to answer questions about states and the final question was a map to draw a 1-800 number. The winner got a lease or something.

    By looking at the URLs for the question and the correct answer, the answer was really only one character off of the question. Learn what it is, and look at the picture that showed the answer "Yes, the answer actually is 42" and then choose it for the question.

    The worst part is, the URLs looked like a whole bunch of digits and letters. Go figure.

  17. Mark (The other Mark) says:

    In my state, the scratch off lottery tickets don’t quite work that way.

    Yes, there is a barcode that is scanned and tells you if it’s a winner or not- This is a good thing, many of these tickets seem to have somewhat complicated games and you can’t tell at a glance if you’ve won or not.

    However, that barcode is under the "scratch off" portion of the ticket. When they check to see if you’ve won, or how much, they have to "scratch off" the coating over that barcode.

    Yes, I admit to having purchased scratch-offs. Maybe even 2-3 in a typical year.

  18. -dan says:

    I was basically going to say what jeffdav said, although I never worked at a place that sold them.

    For those who really don’t care about actually playing the games that come on them, you can buy a ticket and have them scan it right away to see if you won.  And with some of those crazy games, it might not be a bad idea.

    The tickets come on big rolls, I’m not sure how on Earth you could pick your own ticket or even see it, unless you find a clerk willing to unroll 50 or so tickets, then break 1 off in the middle and then re-roll the other tickets with now a break in the middle.

    Not likely.

    To really take advantage of this, you’d have to travel to a lot of stores, and convince a lot of clerks and if you ever did win, you’d then have to dodge the gambling commission for claiming a bunch of winning tickets from a bunch of different stores all with security cameras and broken re-rolled up tickets.  LOL

    I’m not saying someone might not try, but there has to be better ways.

  19. tim says:

    Raymond, since I don’t know how to pass this along to the blogs people, I’ll tell you and maybe you can or maybe they’ll see it.

    I’m using Opera.  I visit your blog, stop on a comments page, and leave the page open for a few (roughly 5) minutes.  Up pops a logon dialog wanting a user name and password for blogs.msdn.com.

    It doesn’t happen with IE.  It does happen when sitting on comments pages of other’s blogs, Larry Osterman’s for instance, but his seems to average closer to 10 minutes for some reason.

  20. Rick C says:

    Concerning Jeffdav’s comment about lottery tickets, generally they are only scannable one time.  If you as an employee grab an entire book of tickets and scan every one to find out what the winners are, you will find that any non-big-winners that you leave for the customers will show up as "already paid out" or something similar when the customer tries to cash it.  Also, I am pretty sure the barcodes don’t encode the prize, just a ticket number.  The three-letter codes are a convenience feature for the customer:  you can’t see them until you’ve scratched the ticket.  I recall seeing hardcore ticket scratchers that would buy a ticket and ignore the actual game symbols, and just look for the letters to see if they won.

  21. Brian Tkatch says:

    Raymond, is there an RSS feed for all posts’ comments (not just this post)?

  22. MadQ says:

    Unless you can riffle through all available tickets and pick the one you want, it’s not really a security hole. It just means that you can figure out if/what you’ve won without scratching. Of course, if you’re really good friends with the people who hand out the tickets, that’s another matter.  

  23. DWalker says:

    "If you scan the scratch-off tickets a second time the machine knows and throws up a message saying as much (at least with the New Zealand lottery). You’d have to really, really hope that the customer never asks you to scan their ticket anyway, or takes it to another branch and scans it."

    Um, that doesn’t help in the U.S.: in the state lotteries or multistate lotteries in the U.S., each store is connected to the central database.  Scanning the same ticket at two different stores will STILL tell the second store that the ticket has already been "redeemed" or scanned.

    I predict that the New Zealand lottery is as secure as the U.S. ones.

    The people who work in the convenience stores and other stores that sell the lottery tickets have no way to know which tickets are winners until they look at the scratched-off part or scan the ticket.

    The barcode itself is a pointer into the lottery’s database; well-designed lotteries don’t use a "scheme" of any kind that is detectable from reading the barcode itself.  These lotteries sometimes pay out many millions of dollars ($100 million is not uncommon) so there is a huge incentive to get it right.

  24. Worf says:

    Most scratch and wins have two barcodes on them. The one the retailer scans to verify your prize is under one of the larger scratch offs, while the other is either a product UPC, or used to indicate which ticket was purchased, so if you steal a roll of ’em, the lotto company sees a bunch of unactivated tickets and doesn’t pay out.

    Sorta like gift cards – they must be scanned to activate.

    As for picking, most ticket sellers put 4 or 5 tickets on display – you can ask for one of those, or the first one off the roll. You can’t pick any ticket, just one out of a few.

  25. dsn says:

    There was a scandal involving some eastern Canadian lottery ticket vendors.  There was a lottery where the government sold boxes of scratch and win tickets, a certain percentage of which were winners.  The retailer then sold the tickets, and was responsible for paying out the prizes.  Some retailers realized that they could keep track of the payouts from each given box of tickets, and throw away the remaining tickets, should the remaining payout be greater than the sale value of the remaining tickets.

    Quite profitable, until the police busted them.

  26. GordonSchumacher says:

    @JenK: Turns out the SQL server it was using was totally wide open. The IT group was like, "But who is going to know how to send a SQL query?"

    ObXkcdRef: http://xkcd.com/327

  27. Matej Horvat says:

    tim: It happens to me as well.
