Reverse Engineering Ticketmaster's Rotating Barcodes

Really good post! I also found this quote which distilled their position in the 404media coverage of the situation.

> “What I can say for sure is that TicketMaster and AXS have had every opportunity to support scam-free third party ticket resale and delivery platforms if they wished: By documenting their ticket QR code cryptography, and by exposing apps and APIs which would allow verification and rotation of ticket secrets,” Conduition told me in an email. “But they intentionally choose not to do so, and then they act all surprised-pikachu when 3rd party resale scams proliferate. They're opting to play legal whack-a-mole with scammers instead of fixing the problem directly with better technology, because they make more money as a resale monopoly than as an open and secure ecosystem.”

from https://www.404media.co/scalpers-are-working-with-hackers-to...

I'd also like to highlight another bad practice by Ticketmaster.

When you purchase a ticket from them and resell it on their marketplace, once someone purchases it, they(Ticketmaster) hold your funds and only give you the money ~7-14 business days after the event is over. They say this is to verify the validity of the ticket.

On the buyer side, you purchase the ticket from the marketplace and it gets added to your account immediately. (I think) You get the barcode some time ~1 week before the actual event begins.

The confusion for me? Ticketmaster owned the ticket and all logic relating to the validity of it. The logic to validate this shouldn't be complex at all. They OWN the ticket. They KNOW it's legitimate because it never left their database. Yet they double dip and hold both buyer and seller funds. Events can be close to a year in the future but the seller won't see that until after that event ends.

I hate TM and ridiculous fees as much as anyone, but this article is overly hyperbolic.

There's a section named "Pirating Tickets", that just explains how to re-create a barcode that you already paid for. You're not using this to rob anyone of anything.

And at the end, "Have fun refactoring your ticket verification system". Why? There are no vulnerabilities here. A rotating barcode (even if following a known pattern) is still more secure than a static barcode on a piece of paper.

This sort of ticketing thing is a trivially solvable problem. It is solved at every airport in the entire world millions of times per day. You provide the name of each concertgoer when you buy a ticket, and they show up with their ticket and ID. You often need to show your ID at these kinds of venues to prove you're old enough to drink beer anyway.

With regards to the end of the article.

> Can I work for a bad company and still be a good person?

> No.

https://apenwarr.ca/log/20201121

It's baffling that you have to carry a mobile phone to access a show. What if you run out of battery? Or if you accidentally break the screen just before entering the venue? The more the technology evolves the more we find horrible uses for it. People should fight back by refraining from purchasing tickets from them, I know is not easy for people to miss their favorite artist but until a monopoly is broken there is no other effective way to prevent them from doing what they want.

I worked a summer job in a Ticketmaster box office ten years ago and had access to the whole of their UK customer database in order to print off ticket collections. I’d type in a customer’s post code and up came all of the data Ticketmaster held on them… including their password in plaintext.

Does anyone knows how Ticketmaster works, really?

I have been to Ticketmaster events that use reasonably priced, printable tickets, you could even buy a printed ticket with cash. In fact, even though there are so many Ticketmaster events, they are not all working the same way. And Ticketmaster doesn't have the monopoly on shitty practices, the article gives a good example in the beginning.

What I suspect is that Ticketmaster is nothing more than a service provider. The venue/event organizer/... looks at the Ticketmaster catalogue and pick the product they want. There are "evil" products in that catalogue, and they are probably the ones with the best returns, but I am sure people have a choice.

I'd even go as far as calling Ticketmaster "Evil as a Service". So people can say "fuck Ticketmaster" instead of saying "fuck Taylor Swift". I would be very surprised if artists (and their agents) at the level of Taylor Swift didn't have a say regarding ticket sale practices, even with Ticketmaster.

Of course, the monopolistic practices of Ticketmaster are a problem, people are most likely paying more than they should because of it, but all the crap with apps, resale platforms, etc... I am pretty sure the event organizers, maybe the artists themselves are as much to blame.

> If you take a closer look at your ticket, you may notice that it has a gliding movement, making it in a sense, alive. That movement is our ticket technology actively working to safeguard you every second.

This part made me want to throw up, preferably a couple of buckets full, right onto the heads of the marketing team who came up with it.

Kudos to the author of the article. Great work and a great read to go with it.

How about the “Add to Apple Wallet” option? He did not talk about that at all, but AFAIK the ticket would be fully available offline and not in Ticketmaster app, no? It’s actually an elegant solution IMHO.

A few months ago I went to Las Vegas to watch U2 at the Sphere. When I learned that I needed to open the app or website in order to get in I panicked in fear of the shitty internet that is common in massive events, so I opened my tickets since I left the hotel. Unless this stuff works completely offline, it is a terrible idea.

There's a faire this week in Oregon that draws people in from 500 miles away.

I've been a couple times, and what I've learned that was still not common knowledge to faire vendors as recently as last year is that T-Mobile brings out a mobile cell tower to support the faire, and no other cellular network does.

So if you're trying to accept electronic payments, the whole thing tends to fall over and you only get to sell to people who brought loads of cash and prioritized hitting your booth first. Only the vendors on T-Mobile are able to take purchases for a big part of the day, and a few other people who use the rare billing system that is fine queuing up Visa transactions until after the bulk of people leave. The line for the cash machine sucks up a substantial part of your time budget for the faire, meaning you probably miss out on some things altogether.

Off topic (though the post does go into it a bit): Ticketmaster's current form is entirely due to a failure of government. Decades from now, case studies will be written on how one company managed to have a monopoly on an industry that is so not a natural monopoly.

I recently purchased tickets via SeatGeek and was provided a link to one of these barcodes, which accepted as a querystring parameter an access token that seemingly had a long expiration attached to it. It was hosted on “downloadmytickets.com”, which doesn’t look legitimate and caused me to do this same type of analysis to see how it all worked. Whether or not this was a way to bypass the “security” to enable sale via third parties, or just a very untrustworthy-looking official domain, I don’t know. But in the end it worked fine at the venue. Definitely more stress involved than I would have liked though.

> My phone has no internet connection...

Who thought it was a good idea to require an internet connection at an event. For anything, not just ticketing. It is as if the people who designed these apps never went to a large event.

No internet is the rule, not the exception. Sometimes, you can't even send a SMS. Apps designed for use in events should always work offline, and if internet use is justified, take into account latencies in minutes and use bandwith sparingly. Failing to do that will make the experience terrible for everyone, as bandwidth will be saturated by thousands of phones trying to do something with that damn app.

At least Ticketmaster does it somewhat right here. The app is supposed to refresh the ticket 20 hours before the event, to account for the fact that the internet may be unavailable at the gate.

> There’s no risk that your ticket won’t get you in

Isn’t this not true? The risk with printable tickets is that a seller could sell it to multiple people, who all print it out, but then only the first person who uses it can get in?

Even if the venue doesn’t check to see if a ticket has already been used, only one person can sit in the actual seat.

Let's face it, the real problem with ticket sales is scalping. OP may not like Ticketmaster, and doesn't want to install the app, but the majority of fans don't have a problem with that. The real problem for most fans are the scalpers who push prices out of their budget.

Of course we all like to dream up all sorts of technical crypto solutions to this, preferably decentralized to remove evil Ticketmaster from the equation. But I don't think the ticket scalping problem is a technical problem per se. I believe it is because tickets are currently sold under the wrong terms, which encourages scalping.

A possible solution could be to make tickets non-transferable, but always refundable. So only you (the buyer of the ticket) can use it, but you can't resell it. But if you decide not to go, you should be able to refund the ticket to the ticket office for full price. The ticket can then be sold again to someone else, for the same price.

Now, of course this is a naive idea. There are many practical and technical challenges to it, not to mention the politics of the entertainment industry. I'm not too familiar with the event industry, so I'm not sure if this would even align all the incentives, but it would benefit the fans and the performers who care about their fans.

Nice reverse engineering! As a hacky way for the non-tech-savvy, couldn't you use a temp account to create ticketmaster account and then buy the ticket and then sell the temp account information to bypass their rules?

This reverse-engineering also breaks if ticketmaster forces venue staff to only scan if the barcode is in the ticketmaster app. Unless you create a lookalike app to trick the staffers.

Great read, though I am compelled to comment on this ad-hoc date/time conversion:

    $ date=$(python3 -c 'import datetime; print(datetime.datetime.fromtimestamp(1707074879).isoformat())')

Consider reaching for `date` from GNU coreutils instead:

    $ date -Is -d @1707074879

Fewer keystrokes, faster execution, and the output includes the TZ offset.

It's one thing for customers phones' wifi issues to be a problem, but it's an even worse problem if the scanner itself needs reliable connectivity. That makes me wonder if there is some kind of delegated deterministic derivation step in the secrets too (which wouldn't be obvious in this kind of analysis), so that the handheld scanners can avoid an on-line dependency.

I don't understand how they're allowed to get aorund the first sale doctrine?

Once I buy a ticket, it's my property. I should be able to sell it, by any means I want, to any person I want, at any price we agree upon.

v2 of this will require an Android/iOS app which will make use of the platforms secure storage abilities for the key.

On non-rooted devices, those are pretty much impervious to the user trying to inspect their contents.

>Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies. You’re using them to exclude people from entertainment events.

I can definitely think of worse things programmers are doing aside from making it mildly difficult to see Taylor Swift .

I have personal qualms with working in certain industries because of this, but Ticketmaster ultimately provides a luxury. You don't need to see a concert, and if you have such an issue with their business practices you can do something else with your Friday night .

I've actually never had an issue with Ticketmaster. At a point a certain other ticket provider just blocked me without any explanation, and I had to go down to the box office to buy tickets. That sucked, but compare to airlines who do weird things like print off tickets without the actual seat number, Ticketmaster doesn't bother me too much.

A $COACH_COMPANY in the UK has recently announced that they are moving to only app-purchased tickets. Except tickets purchased directly from the driver, which is VERY expensive.

Well, F.U. $COACH_COMPANY. I don't want to have to install your app for that, but I guess I won't have any other option if I need to get to the airport.

> "Screenshots won't get you in"

I'd say this highly depends on the fastidiousness of the ticket taker and the rules of the venue. I purchased Major League Baseball tix recently through my employer which uses a 3rd-party seller site that has restrictions like this (a moving graphic behind the barcode with the admonishment not to take a screenshot because it won't work).

I was unable to attend the event that night so I sent my wife a screenshot of the ticket. Two tickets, in fact. They were taken with zero issue.

> I paid three hundred US dollars for this high-tech experience.

That's a good incentive for companies to keep up with the "high-tech experience".

> Software developers are the wizards and shamans of the modern age.

No they are not. The big difference is that wizards and shamans closely guarded their secrets to keep their position secure, while software developers will happily give them away to as many people as possible.

This means that software developers as such have close to zero leverage.

A system like that could work in an entirely disconnected mode where the "ticket" device has a cryptographic token whose signature can be checked at the door without either side having internet access. The weakness of that system is that you can't "revoke" or sell tickets. Such revocation would be possible though if either the ticket or the validator device is internet connected.

I saw the New York Red Bulls play not long ago and had to use Ticketmaster's system for the first time. I travel with a tablet, not a smartphone, and I was expecting trouble. Turns out the only trouble I had was that they didn't want to let me in with a tablet but they did when I explained my ticket was on my tablet. It did require an internet connection but Red Bull Arena has great WiFi so that was no problem.

> Based on this, it might be reasonable to assume the rawToken is only valid for a 20 hour period

Bet your bottom dollar it’s good for 24h and they added 4h of buffer in their API guidance to handle admissions after the start of the show “for free.”

Not that this really gets you anything, just made me chuckle.

One things this articles kind of misses: You need that unique token... Ok, you can get it in some way.. But ticketmaster should keep it private, then, even if you know the algorithm. You still cant do a lot without the token......

So he reversed engineered it, but its still secure: You need the token.

It's a little bizarre to me that they are annoyed at being dependent on the signal but want to avoid Google Wallet because ... privacy? What privacy do they have so far? I can understand keeping your credit cards off of it, because Google is obviously getting a list of all your purchases. But there's nothing really private about having a ticket to a concert through Ticketmaster. They "take your privacy seriously" and sell your information to commercial partners and send you offers of things they think you're interested in.

What I find really interesting is that there are so many scams that that the rejection of tickets is common enough to go unnoticed. Someone testing out their new "F-ticketmaster" ticket generation tool is free to test it in the real world. If it doesn't work they will simply be turned away the door like so many others who have been scammed. Nobody would notice the test.

But if each ticket is for a particular seat, would ticketmaster notice if too people came with tickets for the same seat? I bet not. I bet they just trust their ticketing system to be foolproof. If anything they might just reject the second ticket without any way to know which was authentic.

Reading this reminded me when last year I found a few old venue printed ticket stubs to concerts I went to the in the late 90's and 00's. I almost threw them out when I realized they weren't really taking up space and could be maybe put into a collage or photo/scrap book. I just suppose I find it laughibly absurd that something as mundane as a ticket stub was replaced by an energy wasting Rube Goldberg contraption that doesn't do anything for the person who wants to go to the concert.

I agree with the bad implement but the opening complaining that "old way of printable tickets was great why change it" have so many problems.

Scalpers are the problem that you have to accept. At the time of purchase, there's no way to tell the difference between a legit purchaser and a scalper or even someone who bought it and simply can't go and needs to resell.

IDs, ticket limiters, CCs, etc, etc. All methods can be circumvented by someone dedicated enough. You can only make it "not scalable" but the tickets still need to be transferable, securely.

Unless we're willing to go ID checking at the gate, there's not going to be a true solution.

> TicketMaster markets their SafeTix technology as a cure-all for scammers and scalpers

Scammers - yes; but how scalpers? Does this mean there is no way to resell or give the ticket to another person?

Edit: The answer was couple of sentences later; looks like yes, unless via an official marketplace. I like this even less than scalpers.

"SafeTix makes it harder for people to resell tickets outside of TicketMaster’s closed, high-margin ticket-resale marketplace, where they make a boatload of money by buying low and selling high to customers with no alternative."

> Shame on you for abusing your talent to exclude the technologically-disadvantaged.

Very minor nitpick: I don't like the term "technologically disadvantaged" here. While it is undoubtedly true that there are many people who are without smart phones due to economic reasons, or because their battery died or their phone was just stolen ... there are also lots of people, myself included, who would CHOOSE to forgo a smart phone when attending a concert / event.

My wife and I live in a city with a Caesar's hotel and casino within walking distance. When there are shows and concerts we are interested in, we don't hesitate to buy tickets. When we go to such a show for a date night, we would like to leave our phones at home. Some of this might be due to our being middle aged, and so we're not glued to our phones 24/7, but it's also just a hassle to bring them through security, and to often have to put them in those lock bags because they don't want people recording etc.

So to us, e-tickets are evil for no other reason than the fact that it assumes that we want to have a phone on us and to use it as a ticket. I will happily pay the fee for a physical ticket whenever available.

People always cite exclusivity deals / monopoly power when it comes to Ticketmaster's dominance, but I also recall reading post-mortems about several failed competitors that indicate the problem Ticketmaster solves (massive spikey demand with strict guarantees on the seats selected) is quite technically challenging. I know, it doesn't seem like it would be that hard to solve, you're probably already thinking how you would do it. But you can't ignore that many others have tried and failed.

I got tickets for a concert in UK, which could only be bought if you had UK Ticketmaster app. No, the international version of Ticketmaster app did not have these. Had to get me a blank Android phone, had to initialize it pretending I'm in UK via VPN, so I can see the UK Android Playstore (got my phone number blocked by Google in the process - "too many verifications from this number"). Then, it finally let me get the tickets and actually see the dreadful barcode in the app.

This is horrible. Please stop.

Impressive. I had no idea mobile-only tickets are a thing. For me it's always been the other way around because sometimes some events would insist on a printed ticket even if it comes as a PDF with a barcode. This sort of thing became annoying enough to me that I bought a printer.

But then ticket resale online marketplaces aren't a thing around here either. When people resell event tickets, it's usually an entirely DIY affair.

> They can’t have robust DRM on their tickets if those tickets can still be viewed offline.

Of course they can. All they need is a secret key embedded somewhere that the app can access but you can't. It's just a happy circumstance that they used a simple protocol in which the key is easily extracted. But they could have used a proper PKI protocol instead, which would have made it much harder, if not impossible, to hack.

https://archive.md/hrgE0 / http://web.archive.org/web/20240521005653/https://conduition...

Great post. While I'm all for messing up greedy companies, this is a clear example of why JavaScript should never be used for security. Executing the code locally, plus the ability to read the source code, fundamentally goes against securing your application. It doesn’t mean that not having those will make the application more secure, though.

Another case of abusing ToTK, an excellent technology that promised convenience, security, and offline access. Similarly, Duo builds their stuff off ToTK and then fending off (or makes it very, very hard) you from using a third-party ToTK authenticator with their sites. This company just jettisons the fine promise of available offline that was made by ToTK.

Very cool post, but as someone who has been on the other side of the situation, I do have sympathy for what they are trying to accomplish.

I bought a ticket that someone had double sold, and by the time I got to the door, they turned me away and said the ticket had already been used. So their system has good intentions, they just need to make it work offline.

> This ticket is digital. Saving data offline is the same as copying it to your hard drive. If data can be copied, it can be transmitted. If it can be transmitted, it can be shared. If it can be shared, it can be sold.

Is this still true in the age of locked-down bootloaders, secure enclaves, TPMs etc?

Fantastic article. Really easy to understand.

Side note: this is actually a great advertisement for server side rendering! If they didn't do all this client side rendering, exposing data in JSON APIs, then I doubt this reverse engineering would have been possible.

Isn't this vulnerable to ticket 'selling' by simply sharing the username and password of the ticketmaster account?

it's not like a ticketmaster account is 'worth' anything, so the seller can simply set up a new one for their next purchase.

Would be interesting to see the same done for the UEFA ticket app. They use QR codes that are activated/visible only when the user in on site, detected via Bluetooth. They claim that secondary use is then not possible.

> If you take a closer look at your ticket, you may notice that it has a > gliding movement, making it in a sense, alive.

I feel like I am in a Disney movie.

What's the deal with PDF417? Why did they choose it over QR?

This was a fun read. I wonder if they reported it to a bug bounty program of theirs. Based on his writing how he feels about their business I'm going to guess no.

> This is a contradiction in TicketMaster’s marketing. They can’t have robust DRM on their tickets if those tickets can still be viewed offline.

The "robust DRM" is called "ID cards". Here in Europe, it's become commonplace to tie soccer tickets to ID cards that are verified at the gates to keep hooligans (or those suspected of being hooligans, which is a status that is way WAY easier obtainable than one might reasonably assume) out, and high-class events that attract scalpers like a pile of dungs attracts flies have been doing that for even longer.

I wonder why did they implement this gimmick while having access to all the resources in the world. Or maybe they thought that this is smart.

I can't buy a ticket in my country, because my phone number is foreign. Can I use this to have someone buy it for me and transfer it to me?

Truly a noble cause.

Great post, bummer this will probably mean we can no longer use this as soon as the implement something stronger.

Shitty companies doing shitty things. I think this is the expectation in 2024.

I get the loathing for Ticketmaster and all, but can we just also acknowledge that the only reason they can do what they do because the various entities they collaborate with participate in the monopolistic cartel scheme?

Can we also please acknowledge that if people stop going to the things Ticketmaster sells tickets to, they will stop these practices? No one is forcing people to participate in these things; I don’t.

Lastly, it even calls itself Tomicketmaster. And you didn’t realize you are a Ticketslave? It is right there, in the name! Right in front of your eyes!

It always amazes me what they can get away with and people just behave like buffalo on the Serengeti, stampeding through the crock infested river … “those crocks are the worst! Ok, Karl, we are up next”

Instead of chiding your TicketMASTER devs and alpha slave MBAs, maybe stop being a TicketSLAVE altogether. Has that dawned on any buffalo?

Fun fact, to drive the point home. Guess how the predators of the Serengeti are treated when they want to go to an event. You think they deal with Ticketslavery even though the Ticketslaves is how the cabal makes its money?

Mirror this before it gets a DMCA takedown or something.

you can add them to your apple/google wallet and boom internet doesn't matter, but he ignores that.

"besides the fact that I don’t want to install their spyware on my phone."

There's no other mention of spyware in the article - does anyone know what this is referring to?

I know the discussion has drifted into the larger realm of ethics and civic responsibility. But with respect to the original title, I always thought that it would be trivial to create a software 'tumbler' the logic of which was based on primitive examples, such as this. Edit: each user could have thier own initial state. https://en.wikipedia.org/wiki/Alternating_step_generator granted you'd need to ramp up the bits to make them less crackable. Then all you'd need is some translation to 2-d QR scancode graphics and a silly sliding bar and voila! Ticketmaster hegemony.

But yes, its disgusting that i've needed a phone for events...

The solution to scalping is simply to not buy tickets from scalpers. Never did, never will.

How hard is that really?

> I now know everything I would need to duplicate TicketMaster’s barcodes

Until they change their encoding.

Requiring the installation of a proprietary app to do anything should be forbidden.

> If they had issued me normal, printable PDF tickets I could save offline to my phone

Uhm, you can save the tickets to Google Wallet.

1000

This is Gold - but also Ticketmaster is a evil monopoly

Disclaimer: This isn’t from a real SafeTix barcode. I don’t want TicketMaster to be able to identify and harass me.

Bullshit, TicketMaster. It’s a CSS animation. Get over yourself.

I think we can all agree: Fuck TicketMaster

super entertaining read! many thanks.

Reverse engineering? More like “reading plain English”!

For a billion dollar corp that is some atrociously poor security

Agreed, fuck Ticketmaster. Sincerely.

nice, more of this please. the constant abuse through everything digital has to be fought

I am sure this is pointed out elsewhere, but ticketmasters business model is based on lying to the public so that the artists and venues don’t have to.

Taylor Swift is a nice-ish person and wants her fans to think they can buy tickets for her shows at about 25 bucks because that’s a lot of money for a 12 year old and she does not want to alienate her fans.

Her manager is an evil cackling bastard and wants to get as much as he can.

He knows if he sells all the tickets for 25 bucks he will lose money in the tour and the people who resell the tickets for 2000 will make 1975 dollars profit.

So he does a deal with ticketmaster.

They will sell 100 seats at 25 bucks, then announce “wow that sold out quickly” and then pretend that the other 5000 tickets they have are sold, and then resell them on secondary sites (ie ticket master is actually selling you orignal tickets through secondary markets).

Then they give the cash to the evil manager who twirls his moustache.

All the rest, the adding extra charges at end of sales process, the ridiculous rush to buy at a given moment in time instead of some auction or lottery, the whole thing of backhanders to venues, all that is secondary to enabling Taylor swift to take a huge cut without seeming like a evil moustache twirling money grabbing manager.

> Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies.

This is one of the most powerful truths underlying the world we currently inhabit. The sooner we can agree to behave accordingly, the better our prospects for ripping the reigns of society from the hands of those whose only animating principles are avarice and exploitation.

> I remember a time when printable tickets were ubiquitous. One could print off tickets after buying them online or even (gasp) in-person, and bring these paper tickets to get entry into the event when you arrive

I go to 1-2 concerts a month so I'm well aware of how scummy TM is, but the problem with PDF tickets is that people sell fakes or sell the same ticket multiple times. I know multiple people who've been scammed this way. I get not wanting to use your phone for everything, but the changing barcode isn't just technology for the sake of technology, it's actually there to solve a problem.

> PDF tickets work even if your phone loses internet connection

So do the digital barcodes if you add them to your phones wallet.

TM even sends you an email before every event that says:

>> If you haven't already, download the Ticketmaster app or sign into your Ticketmaster account via mobile web. From My Events, tap view then add tickets to your phone's wallet for easy access at entry.

TM's help page for the Mobile Entry tickets also says (https://help.ticketmaster.com/hc/en-us/articles/978659778561...)

>> We encourage you to download your tickets to your digital wallet before you leave for your event. This ensures that you can always access your tickets.

> If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller), you know for sure that they’re real.

The problem is that that isn't how the real world works. Ignoring the massive scalping problem currently happening (that TM is complicit in) sometimes plans change or people learn about events after the initial sale. Personally, any time I have to buy or sell through a reseller, I use StubHub, but I know plenty of people who don't want to use them as they charge high fees and they aren't much better than TM from a moral stand point.

Also, I get the impression that if TM locked all tickets so that they could only be resold on TM, the author of this article would have a problem with that.

People here have no clue how much it costs to pay for a tour.

Up to $1M per week.

Isn’t this a bit like irresponsible disclosure? Since this may be considered a security vulnerability. Although it’s all client side, I’m sure there’s some basis for a lawsuit here.