Testing Ultra Hong Kong’s ticketing website

Background

The ticketing agency for Road to Ultra: Hong Kong is Festground HK. As I want to go to the festival, I need to purchase some tickets. Part of this process requires me to enter personal details and credit card information. I’ve never used this website before, so I don’t know whether I can trust it. First thing’s first. The website is not secure, it is http, not https. Conclusion: I do not trust this website and I’m not going to buy tickets.

I decided to read their private policy, because it helps to pass time on my commute. The section on security seemed a bit suspicious and very untrue. A quick Google search and you can find another 8000 websites with the same security policy. (Disclaimer: I only checked the first page, not all 8000+ results)

Security

This site has security measures in place to protect the loss, misuse and alteration of the information under our control. Our database servers are protected from intruders by a Cisco firewall router and your credit card transactions are enacted using 128-bit SSL encryption. We may be required to release personal information about you as a result of a lawsuit or subpoena or as immediately necessary to protect our rights or the rights and safety of others. Additionally, “perfect security” does not exist on the internet.

Having used their website, I’m pretty sure they are lying when they say that my “credit card transactions are enacted using 128-bit SSL encryption”. Let’s find out…

Steps

1) Listen to the network

I’m going to use Wireshark to see what is being sent from my network to festgroundhk servers. I already know the IP address of the server I want, so I can use the following filter:

ip.src == 52.196.141.129

2) Think of some of test data

  • Name: Test Softwarb
  • Date of Birth: 16 September 1997 (celebrate 20th birthday at Ultra)
  • Email: test@test.com
  • Phone Number: 88888888 (if there’s no encryption, I’m going to need a lot of luck to protect my data)
  • Card Number: 1234 1234 1234 1234 (I can only count to 4)
  • CVC: 123
  • Card Expiry Date: 09/2017 (Should be able to use this card at Ultra)
  • Zip Code: 999077 (Hong Kong)

3) Buy a ticket

Obviously I cannot buy a ticket because the card details are fake, but I will be able to see whether the credit card transactions are enacted using 128-bit SSL encryption. I will still send the card details, but instead of ticket being issued, the server will just send me a message saying that there is a problem with my card details.

Results

Enter details:

Check Wireshark:

And there it is my data, completely readable and completely not 128-bit SSL encrypted. I say readable, it’s readable when you copy and paste it in to a text editor.

fgTranId=BKXCEM&_token=qTbqRHZgPus8ZNY2FzdESfThZr37azKH4lWZGjp7
 &attendees%5B0%5D%5Bfirst_name%5D=Test
 &attendees%5B0%5D%5Blast_name%5D=Softwarb
 &attendees%5B0%5D%5Bbirth_month%5D=9
 &attendees%5B0%5D%5Bbirth_day%5D=16
 &attendees%5B0%5D%5Bbirth_year%5D=1997
 &attendees%5B0%5D%5Bemail%5D=test%40test.com
 &attendees%5B0%5D%5Bemail_confirm%5D=test%40test.com
 &attendees%5B0%5D%5Bcountry_code%5D=HK
 &attendees%5B0%5D%5Bphone%5D=88888888
 &agreement=on

It turns out my personal data is just being sent around the internet without any security. But Festground HK never claimed to protect this information, they claimed credit card transactions were encrypted. Time to enter my credit card details.

Only an $83 service fee for them to leak* my details, bargain. *cannot confirm this until I check Wireshark.

*confirmed, there are my details, ready for anyone to see. There is no encryption.

fgTranId=BKXCEM
 &_token=qTbqRHZgPus8ZNY2FzdESfThZr37azKH4lWZGjp7
 &card%5Bnumber%5D=1234123412341234
 &card%5Bcsc%5D=123
 &card%5Bexp_month%5D=9
 &card%5Bexp_year%5D=2017
 &card%5Bname%5D=Softwarb
 &buyer_email=test%40test.com
 &card%5Baddress_zip%5D=999077

Conclusion

Contradictory to their private policy, the following statement is false when using festgroundhk.com, “credit card transactions are enacted using 128-bit SSL encryption”.

I emailed Ultra, asking them to use a different ticketing agency. They did not respond. I thought it would be easy to use a different ticketing agency and protect your customers. But wait a minute, who is the ticketing website registered to? Kenneth Choi, who can be contacted at hackay@yahoo.com and jsroad@uckorea.co.kr. (He also didn’t respond to me). The second email address is an Ultra email address, Ultra Korea to be exact. So Ultra are using their own ticketing agency, which is why they won’t change. This means that Ultra are responsible for that lying private policy, therefore Ultra is lying to us.

Update

In my email to hongkong@roadtoultra.com, I told them about the security vulnerability and they kindly responded 5 days later (coincidentally, in the same 10 minutes as publishing this blog post) saying they had fixed the error. Well done Ultra. Let me just make sure. Fast forward to now, 5 hours after they emailed me saying it has been fixed, it is still not fixed. The security vulnerability is still there and customers’ personal and payment details are at risk. Not only have they not fixed the problem, they have also lied about it.

Leave a Comment

Your email address will not be published. Required fields are marked *