January 12, 2007 12:15 PM PST
Macworld crack offers VIP passes, hacker says
A security weakness in the event's Web site allowed enterprising hackers to get free "platinum passes" to the event, a $1,695 value, a security professional claims. These passes--the most expensive sold for Macworld--included much-coveted priority seating for the Jobs keynote address on Tuesday. In that packed speech, Jobs unveiled Apple's new iPhone.
The hack was possible because special discount codes were available on the Macworld site without proper security, Kurt Grutzmacher, a Berkeley, Calif.-based security professional, wrote on his blog late Thursday. It was relatively easy to uncover the code that would make a platinum pass free, he wrote.
Grutzmacher picked up his free "Platinum Pass" on Monday and reported the issue to IDG on Tuesday, he wrote. IDG World Expo runs Macworld, which closes Friday.
"They'd spent most of the day looking back over their logs and found that others also had found this vulnerability and used it but I was the only one to report it," Grutzmacher wrote.
Macworld organizer IDG World Expo won't confirm or deny that the hack happened. Spokeswoman Charlotte McCormack on Friday said the company simply had "no comment." A representative for Registration Control Systems, the company that handled registrations for the event, referred all questions to IDG.
The claimed Macworld hack is an excellent example of security issues with Web 2.0 applications, Billy Hoffman, a researcher at Web security specialist SPI Dynamics, said in an e-mail interview Friday.
What Grutzmacher did isn't something that any layperson could do. When registering for the event, he discovered that the Macworld online registration page actually contained a list of possible discount codes, called "Priority Codes," he wrote.
This list was not in plain text, though. It was encrypted and showed a number of MD5 hashes, Grutzmacher wrote. The protection was easy to crack, however, because the Web site gave several key pieces of information that enabled a crack. In less than 10 seconds, he had the code that gave him a free platinum pass, he wrote.
"Ultimately, you don't want to give the client everything they need to gain access to something they shouldn't. Validate on the server rather than the client and keep the keys secret," Grutzmacher wrote. "Of course, you also shouldn't use a very easy key that will provide discounted access."