Advent calendars debugged

A Christmas story on how to cheat in advent calendars and of course some personal information leaks.

Published: Mon, December 31, 2018, 10:00
Category: Security
Tag: Information leak

Background

At least here in Norway we have long traditions with advent calendars - both as gift calendars for kids and TV shows with one new episode from December 1st until Christmas Eve. In the last couple of decades this tradition has also extended online, with businesses running gift calendars where you typically hand over some personal information for a chance to win a prize.

I usually end up answering a few calendars hoping to win something cool, but this year I signed up for quite a few to see if I could find anything interesting security-wise. Most of what's presented in this post is no big deal. Companies just want as many people as possible to sign up and don't really care whether it's possible to gain an advantage. Still, I think it's interesting to see how the calendars are built. And then there are the big leaks of personal information.

Circle K - cheat in pre-Christmas competition

Circle K Norge runs quite a few gas stations in Norway. They had a "pre-Christmas game" in the second half of November where you could win a "coffee deal" worth 34 USD (299 NOK). With that deal you get a cup that you can refill with any hot liquids on any of their stations throughout 2019.

The game was easy enough: you had to catch as many of the falling Christmas-themed items as possible. You had three chances to play every day, and there was a top score list where the top 10 single-game scores would win the prize.

So, how could one cheat in this game? Well, that seemed pretty easy. The whole game was run in the user's browser and when the game was over the browser posted back the score to the server.

Technically it wasn't all bad news. The JavaScript was minified, you had to identify yourself with your phone number, and the requests containing the score were signed by that minified JavaScript. Of course, having the client report its own score undoes all the other efforts. The easiest way to cheat would be to play one round with the web developer tools open, watch the request, and then search for the related parameters in the source code. Then one could set a breakpoint before the request was signed, play another round and, when the game paused at the breakpoint, change what was obviously the points before letting the script run on.

But is it a big deal? Circle K just wants as many as possible to play and as many as possible to know about their coffee deal. Any cups sold/given away will most probably end up in sales that'll give more profit than cost. Just me writing this post gives them some more free advertisement. But I think it's pretty unfair to the hundreds of people who really tried to play their best day after day for a chance to win this cup. They are the ones that are cheated.

Circle K - cheat in advent calendar

December came and the pre-Christmas game closed. The next competition in line for Circle K was a pretty cool "name that tune" type of game where you got more points the quicker you were able to identify and pick the song playing.

The concepts surrounding this game were pretty much the same as the previous one. The game was run in the contestant's browser and then the score was reported back to the server. The way to cheat would be the same as described in the previous game.

There's some mismatch between the invitations to the games, the terms and the in-game text regarding the actual prizes, but as I understand it the awards were like this: the daily top 10 scores would be awarded the coffee deals (so 240 thermo cups were given away in total), and the next 10 best daily scores would get a gift card for a coffee and a bun. There's also some talk about a main prize, and my understanding is that that's usually 113 USD (1000 NOK) worth of gas. It's unclear to me whether there's a draw and/or whether it's related to the total points across all days.

Is it acceptable to cheat in competitions like this? Terms and conditions most often don't allow any kind of fraud, but on the other hand the organisers don't take any precautions to stop cheating and let anyone just tell them their score.

Leaking all e-mail addresses

There was this web site with another smaller advent calendar with a daily challenge. I happened to surf by their front page early in December, just after they had published an article announcing the new leaderboard they had made. The leaderboard was loaded in an iframe, and going to the root of that website revealed the usernames and e-mail addresses of all 1000+ contestants.

I quickly wrote them an e-mail; they responded within minutes and took down the whole web app in question. They told me that the article announcing the leaderboard had been published too early by mistake. The leak probably didn't last for many minutes. Because of the short duration and the small number of e-mail addresses I don't feel comfortable naming them. (But it's a good idea not to expose web apps with personal information to the Internet even during development.)

The biggest leaks

There were some advent calendars that used a third-party system to which I have reported several security issues. We're talking about millions of names, e-mail addresses and phone numbers, and in some cases addresses, names and birthdays of kids, purchase history, national identity numbers and passwords. I will wait until they have fixed everything before doing a write-up or two about them.

Fjordkraft - exposing their admin UI

The power company Fjordkraft and their subsidiary TrøndelagKraft had their own advent calendar with a daily prize of 568 USD (5000 NOK) in cash.

What they also had was a good old AngularJS app with a "flaw" often seen on the web: the JavaScript revealed the paths to other parts of the application. What it revealed was the path to the admin interface used for getting statistics and drawing a winner. There was even a frightful function called Reset database. The admin UI was so out in the open that I have a small hope it could be a honeypot, but I doubt it.

Luckily there was some sort of code needed to use any of the functionality. And that's really why I didn't bother to report it to them. I just hope they didn't use a simple code word like "santa" or "xmas2018".
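This is the recon step in code, as an added example that is mine and not Fjordkraft's application. The bundle text is constructed to look like a minified AngularJS app with ngRoute, and every route, template and API path in it is invented; the regexes pull out exactly the kind of thing the post describes finding.

```javascript
// Added example, not Fjordkraft's code: extract route and API paths from a
// JavaScript bundle. SAMPLE_BUNDLE is constructed for this example.
const SAMPLE_BUNDLE = `!function(){angular.module("cal",["ngRoute"]).config(["$routeProvider",function(r){r.when("/",{templateUrl:"views/calendar.html"}).when("/admin",{templateUrl:"views/admin.html",controller:"AdminCtrl"}).when("/admin/winners",{templateUrl:"views/winners.html"}).otherwise({redirectTo:"/"})}]).controller("AdminCtrl",["$http",function(h){this.stats=function(){return h.get("/api/admin/statistics")};this.draw=function(d){return h.post("/api/admin/draw",{day:d})};this.reset=function(){return h.delete("/api/admin/resetdatabase")}}])}();`;

// Routes registered with ngRoute (.when) or ui-router (.state).
const ROUTE_RE = /\.(?:when|state)\(\s*["']([^"']+)["']/g;
// Template partials, which are usually fetchable on their own.
const TEMPLATE_RE = /templateUrl\s*:\s*["']([^"']+)["']/g;
// Any string literal that looks like a relative API path.
const API_RE = /["'](\/api\/[^"'\s]+)["']/g;
// HTTP verb used with a path, where $http.<verb>( precedes the literal.
const CALL_RE = /\.(get|post|put|delete|patch)\(\s*["'](\/[^"']+)["']/g;

// Run a global regex to exhaustion and return the unique first-group captures.
function collect(re, src) {
  const out = new Set();
  let m;
  while ((m = re.exec(src)) !== null) out.add(m[1]);
  return [...out];
}

function extractPaths(src) {
  const calls = {};
  let m;
  while ((m = CALL_RE.exec(src)) !== null) calls[m[2]] = m[1].toUpperCase();
  return {
    routes: collect(ROUTE_RE, src),
    templates: collect(TEMPLATE_RE, src),
    api: collect(API_RE, src),
    calls,
  };
}

// What to look at first: admin-looking routes and destructive API calls.
function riskyFindings(paths) {
  const adminRoutes = paths.routes.filter((p) => /admin/i.test(p));
  const destructive = paths.api.filter(
    (p) => paths.calls[p] === 'DELETE' || /reset|wipe|drop/i.test(p),
  );
  return { adminRoutes, destructive };
}
```

The caveat a practitioner would add: a route in the client is not a finding by itself, because the front end cannot hide anything from the person it is running for. The question is whether each API path behind it enforces authorisation on the server. A "code" prompt like the one the post mentions only counts if the server checks it on every request; if it is an AngularJS guard in front of a view, the API calls still work without it. The post does not say which it was.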

Others - giving advantage to web developers

Most of the online advent calendars have a daily question with a few alternatives. Many of the calendars are nice enough to give away the correct answer, either in the JSON or in the markup alongside the question. Of course the companies behind the calendars don't care too much about this, as they just want people to join in.

For me this is different from the Circle K competitions, where you were guaranteed a physical prize if you just sent back a high enough score. In these other cases you are at most given an advantage when there's a draw in the daily or final lottery.

Mester Grønn

The florist Mester Grønn had one of the calendars giving a little advantage to a web developer. The JSON clearly stated which answer was the correct one, and in many cases that would be a quicker way of finding the answer than googling or looking at their web site. Of course, it's no big deal.

Kiwi

The supermarket chain Kiwi had an interesting twist technology-wise. Also in this case the JSON clearly stated which answer was the correct one. But what's more, the client could simply submit true as the answer for a given day, so you didn't really have to look at what the correct answer was. And, while I haven't got it confirmed, it looked like you could fill in the answers for all weeks at once.
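The Mester Grønn and Kiwi cases are the same bug seen from two sides, so one added example (my code, not either company's) covers both. The first object is constructed to have the shape the post describes, with the answer key sent along with the question. The rest is the server-side version: the key stays on the server, the response to the browser is stripped of it, the server ignores any "correct" flag a client sends, and it only scores the day that is currently open (Europe/Oslo time), which also stops the fill-in-all-weeks-at-once trick. Question, answers and the key are made up.

```javascript
// Added example, not Mester Grønn's or Kiwi's code. LEAKY_DAY is constructed to
// show the answer key shipped to the browser; the rest is the hardened version.
const LEAKY_DAY = {
  day: 5,
  question: 'Which flower ...?',
  alternatives: [
    { id: 'a', text: 'Amaryllis', correct: false },
    { id: 'b', text: 'Poinsettia', correct: true },
    { id: 'c', text: 'Hyacinth', correct: false },
  ],
};

// What a web developer does with it: read the answer instead of the question.
function leakedAnswer(dayJson) {
  const hit = dayJson.alternatives.find((alt) => alt.correct === true);
  return hit ? hit.id : null;
}

// --- Hardened version ---
// The key never leaves the server (hypothetical data).
const ANSWER_KEY = { 5: 'b', 6: 'a' };

// Strip the answer before the day's JSON is sent to the browser.
function publicView(dayJson) {
  return {
    day: dayJson.day,
    question: dayJson.question,
    alternatives: dayJson.alternatives.map(({ id, text }) => ({ id, text })),
  };
}

// Which calendar day is open right now: 1..24 in December (Oslo time), else null.
function openDay(now) {
  const parts = new Intl.DateTimeFormat('en-GB', {
    timeZone: 'Europe/Oslo', month: 'numeric', day: 'numeric',
  }).formatToParts(now);
  const month = Number(parts.find((p) => p.type === 'month').value);
  const day = Number(parts.find((p) => p.type === 'day').value);
  return month === 12 && day <= 24 ? day : null;
}

// Server-side check. Only `day` and `choice` are read from the submission, so a
// client-supplied `correct: true` (the Kiwi pattern) has no effect, and a day
// that is not open is refused regardless of the answer.
function checkSubmission(submission, now) {
  const { day, choice } = submission;
  if (day !== openDay(now)) return { accepted: false, reason: 'day not open' };
  if (!(day in ANSWER_KEY)) return { accepted: false, reason: 'unknown day' };
  return { accepted: true, correct: ANSWER_KEY[day] === choice };
}
```

The day gate is the part worth copying even for a calendar that is "just a draw": without it, a single script can enter every day of the month on day one, which is a different problem from knowing the answer.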

kode24

The news site for coders kode24.no had an entertaining calendar. Every day it gave a new small puzzle, typically involving some use of the browser's developer tools. While this didn't directly give a big advantage, it let you stay ahead of the game by solving the puzzles for the following days, by directly requesting the contents of the puzzle "file" (practical if you were short on time some days). A simple curl loop made it easy:

# Fetch the hint file for each remaining day; the cookie is your own session id.
# The leading backslash in "path" is sent as-is, as on the original page.
for i in {20..24}; do
  printf '\n%s:\n' "$i"
  curl -s 'https://kode24-jul2018.herokuapp.com/api/files' \
    -H 'Content-Type: application/json' \
    -H 'Cookie: id=[valid user id hash]' \
    --data-binary '{"path":"\'"$i"'-DES","fileName":"HINT.TXT"}'
  sleep 1
done

20:
{"content":["To legender, fra Porsgrunn den ene.","Slår etternavnene sine sammen,","og skaper en kode av glede."],"type":"txt","name":"hint.txt","size":256}
21:
{"content":["Når jeg dobler dette tallet,","og plotter det inn der artiklene deres bor,","finner jeg en spillmaskin,","som er dagens kodeord:","35262282,5"],"type":"txt","name":"hint.txt","size":8}
22:
{"type":"error","content":"Fant ikke fila di."}
23:
{"content":["mine to favorittfolk,","fra min favorittserie.","slå dem sammen,","så løser du kodens mysterie."],"type":"txt","name":"hint.txt","size":256}
24:
{"content":["Siste innspurt, du har vært flittig som bien.","Denne her blir ekstra vrien.","Reisens start, er per e-brev.","Send meg et pling, få tilbake et stev."],"type":"txt","name":"hint.txt","size":256}

(The day 22 response, "Fant ikke fila di.", means "Couldn't find your file.")

And even though you couldn't actually answer the puzzle for a future day, it was possible to verify that you had the right solution:

curl 'https://kode24-jul2018.herokuapp.com/api/code' \
  -H 'Content-Type: application/json' \
  -H 'Cookie: id=[valid user id hash]' \
  --data-binary '{"path":"\24-DES","code":"julekos"}'

{"type":"txt","content":
  ["** Passord korrekt: Server er allerede autorisert. **",
   "Trekningen for denne dagen er over. Gå til dagens konkurransemappe, 22. desember",
   "** OBS! Du får kun poeng for å svare på dagens konkurranse."]
}

In English: "Password correct: server already authorised. The draw for this day is over. Go to today's competition folder, 22 December. NB! You only get points for answering today's competition." So the code was checked against the right day, which confirms your guess, but points were gated on the current day.

Privacy

It's interesting to see the different information the different calendars ask for. What is really needed to draw a winner and/or send any desired information to the end user? E-mail or phone number should be sufficient I suppose. Maybe a (first) name is ok?

The different types of information the calendars asked for were these:

  • First name
  • Last name
  • E-mail address
  • Phone number
  • Postal code
  • Membership number
  • Favourite store
  • Gender
  • Full address

Why on Earth would you ask for gender and address to be part of a draw? Even worse, user-experience-wise, was that in some calendars you had to fill in all the information every single day.

A few calendars even forced you to sign up for a newsletter to be able to participate in the competition. I must say I liked Vipps' Messenger calendar, where they used Microsoft Forms to collect names and e-mail addresses and clearly stated in one line that the information would only be used to contact the winners and that all information would be deleted when the contest was done. It doesn't have to be harder than that.

Some observations and user experiences

I made some more observations that I wanted to add at the end here.

Dark pattern

The alarm company Sector Alarm had a very interesting feature which can't be described as anything but a dark pattern. From Wikipedia: 'A dark pattern is "a user interface that has been carefully crafted to trick users into doing things, such as buying insurance with their purchase or signing up for recurring bills."'

Of all the calendars I tried out this year, Sector Alarm was the only one with a checkbox with inverted logic. One of the checkboxes you had to take a stand on every day said "I don't want to receive a security alarm offer". While this seems formulated to trick people into signing up for something they don't want, they made it worse by one day suddenly rephrasing the checkbox to "I want to receive a security alarm offer". So if you were used to ticking the box, you suddenly had to re-read it and decide anew whether to check it or not. I wonder what they do if you say you want to be contacted in the middle of December but say no the rest of the month.

E-mail to Facebook post to Facebook app to iframe

Intersport's reminder e-mail for the calendar linked to a URL that redirected to a Facebook post, which was just a link and a line saying that the calendar for that day was open. Then you had to click that, have a new browser tab open, and land in a Facebook app which in turn was an iframe of a Fanbooster application, which was the actual calendar. Were they trying to make the user experience worse on purpose?

Intersport's not-so-good user experience went from a little annoying to bad when they a) forced you to fill out a lot of fields every day (while most calendars would use a cookie to remember the little info they wanted you to fill in), and b) every single day made you search for and select your favourite store from a 100+ element drop-down.

"no reply"

I got something like 20 calendar reminder e-mails every day, and the e-mail subjects and sender names made sense, except for one. Kitch'n used a "no reply" sender, so it was the only e-mail where you couldn't tell who it was from.

(Gotta love their name, by the way. Using an apostrophe (') in their name means most people will spell/type it incorrectly. And guess what, they even do it themselves: in their e-mails they use an acute accent (´).)

Leaving the user with that bad feeling

Skoringen had a special twist on their calendar. They had a scratch calendar where you got X tickets for the lottery, and then they typically had a simple game you could try. When you finally managed to win the game you got the message "Unfortunately, one cannot win every time". I don't know what it was, but you had this feeling for two seconds where you were satisfied and happy about winning the game, and then they just finished you off by saying you didn't win.

Session expired

I had this case with Mester Grønn's calendar where it suddenly said "Your session expired. For your own security you need to refresh the browser window." Really? For a calendar? If you can just refresh the browser to continue, I'm sure you could have solved this in a better way.

julekalender.no won Christmas

Most calendars I tried out were using julekalender.no's platform. They really seem to serve more advent calendars than all other platforms combined. And it looks like a good platform, at least from an end user's standpoint. It's easy to use with no fuss, and they remember your personal details from one day to the next. Also they don't, at least out of the box, ask for too much personal information.

410 Gone

The developer in me was fascinated by Fjordkraft's API endpoint /api/calendar/isbeforedecember which returned the HTTP status code 200 OK before December and then 410 Gone in December.

Wrapping it up

These were my observations from testing out quite a few online advent calendars. It was pretty much as expected: mostly OK, then a few ways to cheat your way to prizes, and some small and big leaks of personal information. Stay tuned for details on the biggest leak of them all.
