Tickets for the annual Burning Man festival in the Nevada desert are in hot demand, with over 80,000 people registering for the latest release of 40,000 tickets.
The festival, which started as the burning of a wooden figure on a beach on the summer solstice in 1986, has grown into a yearly event that attracts tens of thousands of people. In the last few years the event has become increasingly popular with the Silicon Valley set, with attendees including Larry Page, Sergey Brin, Elon Musk, Jeff Bezos and Mark Zuckerberg.
Unfortunately for the thousands of fans who pre-registered to buy tickets but weren’t able to get through the online queue in time, a flaw in the ticketing website allowed some crafty hackers to jump to the front of the line.
After tickets for the event sold out in an hour last Wednesday, Burning Man acknowledged that some people had unfairly cut in front of others when the online sale opened.
In a blog post the next day, Burning Man said about 200 people had exploited a backdoor in the ticketing website to get to the front of the queue. It assured genuine ticket buyers that the organization was addressing the problem by canceling the fraudulent ticket purchases.
“The good news is that we can track them down, and we’re going to cancel their orders. The tickets from those orders will be made accessible in the OMG Sale in August. Of course, steps are being taken to prevent this from happening again in upcoming sales.”
Burning Man organized the online sale as “first come, first served,” with a limit of two tickets per person, and required potential buyers to pre-register to receive an email with a link to the ticketing site. To manage the online sale of the 40,000 available tickets for the 2015 festival – at $390 a pop – Burning Man used the ticketing company Ticketfly.
As reported by Wired, generating the URL for the waiting room allowed people to purchase tickets ahead of the start of the sale at 12:00 p.m. PST – while everyone else had to wait until the start time and click a button to enter the queue.
The type of flaw that let the cheaters generate the waiting room URL is known as an insecure direct object reference: a coding vulnerability that lets an attacker bypass authorization and access resources directly by modifying the value of a parameter, such as an identifier in a URL.
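To make the flaw concrete, here is an added illustration (not Ticketfly’s or Burning Man’s code, and the registrant ids, timestamp and handler names are constructed for the demo) of a waiting-room handler that trusts a registrant id taken straight from the URL, beside a hardened version that takes identity from the authenticated session, checks an unguessable HMAC link token, and enforces the sale-open time on the server rather than in the browser button.

```python
import hmac
import hashlib
import secrets

# Constructed demo data: registrant id -> email given at pre-registration.
REGISTRANTS = {1001: "alice@example.invalid", 1002: "bob@example.invalid"}
SALE_OPENS_AT = 1_700_000_000            # constructed Unix timestamp for the sale start
SERVER_SECRET = secrets.token_bytes(32)  # stays on the server; never sent to clients


def vulnerable_waiting_room(query, now):
    """Insecure direct object reference: any valid numeric id in the URL is let in,
    and the opening time is only enforced by the client-side 'enter queue' button."""
    rid = int(query.get("registrant", 0))
    if rid not in REGISTRANTS:
        return 404, "unknown registrant"
    return 200, f"queue position issued to {REGISTRANTS[rid]}"


def issue_link_token(rid):
    """The emailed link carries an HMAC over the registrant id instead of the bare id,
    so a valid link cannot be produced without the server secret."""
    return hmac.new(SERVER_SECRET, str(rid).encode(), hashlib.sha256).hexdigest()


def hardened_waiting_room(query, session_user, now):
    """Hardened handler: the sale window is checked server-side, identity comes from
    the authenticated session, and the link token must match that same registrant."""
    if now < SALE_OPENS_AT:
        return 403, "sale not open yet"
    rid = session_user.get("registrant")
    if rid not in REGISTRANTS:
        return 401, "not signed in as a registrant"
    supplied = query.get("token", "")
    if not isinstance(supplied, str) or not supplied.isascii():
        return 400, "malformed token"
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(issue_link_token(rid), supplied):
        return 403, "link token does not belong to this registrant"
    return 200, f"queue position issued to {REGISTRANTS[rid]}"
```

The vulnerable handler admits anyone who iterates the id before the sale opens; the hardened one refuses early requests, rejects a token issued to someone else, and rejects a guessed token even for the right registrant.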