Hackers reverse-engineer Ticketmaster’s barcode system to unlock resales on other platforms

Hackers reverse-engineer Ticketmaster's ticket system, enabling resales on other platforms, despite the use of security measures to prevent transfers.

Hackers have circumvented Ticketmaster's security measures to enable resales on other platforms. Using findings by security researcher Conduition, they created a parallel ticketing system. AXS is suing brokers using this method, accusing them of selling counterfeit tickets.

Hackers have managed to reverse-engineer the 'nontransferable' digital tickets from Ticketmaster and AXS, allowing these tickets to be resold on alternative platforms like SeatGeek and StubHub. The method, unveiled in an AXS lawsuit, takes advantage of security findings published by an anonymous researcher, Conduition, in February. Ticketmaster and AXS utilize rotating barcodes and other security measures, which are akin to two-factor authentication, to prevent ticket transfers outside their platforms. The hackers used Conduition's research to extract secret tokens that generate new tickets, using an Android phone linked to Chrome DevTools on a desktop PC. This has led to the creation of a parallel ticketing infrastructure that can produce real barcodes for sales on unauthorized platforms.

AXS is currently pursuing legal action against third-party brokers who have adopted this ticketing workaround. According to AXS, these brokers are selling 'counterfeit' tickets to 'unsuspecting customers,' even though the tickets often work at event gates. The lawsuit indicates that AXS is unsure how the hackers are achieving this replication. Allegedly, these counterfeit tickets are being produced by illicitly accessing and mimicking tickets from the AXS platform. The prospect of effectively jailbreaking tickets has attracted several brokers, who have reportedly tried to hire Conduition to help them develop similar systems.

Various services capitalizing on Conduition's findings are already in operation, with names such as Secure.Tickets, Amosa App, Virtual Barcode Distribution, and Verified-Ticket.com. This situation highlights the tension between the ticketing giants' desire to control their ecosystems and the resourcefulness of hackers and brokers seeking to bypass those controls. For more details, particularly the technical underpinnings, 404 Media's comprehensive report on the matter is highly recommended.