Reverse engineering Ticketmaster's rotating barcodes

Scope of the Reverse‑Engineering

  • Many see this as exposing “security by obscurity,” not a real vulnerability:
    • You must already have a valid ticket and your own session/token.
    • It mainly frees users from the app/DRM requirement, doesn’t enable mass forgery.
  • Others worry about DMCA / CFAA angles and coordinated disclosure norms, but several note:
    • DMCA anti‑circumvention (§1201) concerns measures protecting copyrighted works, not access control to venues.
    • Recent court decisions have narrowed the CFAA's reach for cases like this.

What the Rotating Barcodes Are Really For

  • Strong view that SafeTix is primarily DRM and market control:
    • Prevents static PDF duplication and forces resale through Ticketmaster/AXS, where fees and minimum prices are enforced.
    • Locks out independent or “face‑value” resale and reinforces their resale monopoly.
  • Supporters argue rotating codes genuinely reduce scams with duplicated printouts and screenshots.

Usability, Offline Access & Wallets

  • Big pain point: dependence on live connectivity at crowded venues, where cell/Wi‑Fi often fail.
  • System is designed to work offline if the ticket is opened or added to Apple/Google Wallet in advance; several note this is now better documented, but:
    • People forget, apps log out, or tickets are only released shortly before events.
    • Some report real‑world failures at gates and long delays.
  • Many prefer printable or box‑office paper tickets; some avoid installing the app entirely.

Scalping, Pricing & Possible Alternatives

  • Widespread agreement that scalping and underpriced face values drive much of this:
    • Tickets are routinely underpriced relative to demand; arbitrage is inevitable.
    • Ticketmaster and artists can capture resale margin via official resale and “platinum”/dynamic pricing.
  • Proposed alternatives:
    • Non‑transferable, ID‑checked tickets with full‑price refunds via the primary seller.
    • Lotteries or Dutch‑auction/dynamic pricing to reach market‑clearing prices.
  • Counter‑arguments: ID checks hurt privacy and throughput, disadvantage minors and people without easy ID; auction‑like systems may price out less wealthy fans.

Technical & Security Details

  • Core design: a TOTP‑like rotating code, i.e. a time‑based code derived from a per‑ticket secret and the current time, generated client‑side in JavaScript.
  • Because the secret is delivered to the client and the code is computed there, the rotation adds nothing a holder of the client cannot reproduce; the client‑side implementation plus exposed JSON APIs made reverse‑engineering straightforward.
  • Suggestions for “v2”: move secrets to platform secure storage / trusted computing, but:
    • On open devices, determined users can still extract secrets.
    • Offline constraints and security goals directly conflict: working offline requires the secret to be on the device, which is exactly what the security goal wants to prevent.

Monopoly & Ethics

  • Many blame Ticketmaster/Live Nation’s venue exclusivity and vertical integration (venues, promotion, ticketing, resale) for abusive fees and UX.
  • Debate over developer responsibility:
    • Some argue working on systems that exclude or exploit users is unethical.
    • Others emphasize economic reality and place primary blame on executives, artists who accept these deals, and regulators who allowed the monopoly.