Ultra Hong Kong: massive security flaw revealed

Imagine writing you credit card details on the side of a bus. Now write your full name, email address, phone number and date of birth on that bus. Would you allow someone to drive that bus up and down every road in Hong Kong? Maybe no one reads the side of the bus and maybe no one cares, but there is a chance that someone will, and by purchasing a Road to Ultra: Hong Kong (Ultra HK) ticket, there is a chance that someone with bad intentions will see all of that information.

試想像把您的信用卡資料寫在一架巴士上, 您的名字﹑ 電郵﹑ 住址﹑ 出生日期等等之個人資料都寫上那輛巴士上。您會容許他人在香港每一條道路上駕駛它嗎? 也許沒有人會去看,沒有人會去關心那些資料,但是別人看到的機會總是存在的。購買最大型電子音樂會Road To Ultra Hong Kong (Ultra HK) 門票就有機會讓一些有意圖的人看到所有的資料。

If you want to go to Ultra HK, you need to purchase a ticket at http://www.festgroundhk.com. Notice that the url starts with http, not https. This means that the website is not secure. The website is sending your data across the internet without any encryption. If someone is looking at the information being sent on your network, they can read your personal information and card details. This was proved in this post.

如果您想參與 Ultra HK,您將需要在http://www.festgroundhk.com 購買門票。但請留意這個網址的開頭是 http 而不是 https。這意味著該網站並不安全。這個網站會在沒有加密的情況下把您的資料通過互聯網來傳送。假如有人正在查看您於網上發送的信息,他們便可以閱讀您的個人資料。按這裡可以証明這一點。

It’s not just people on your network that could see your details either. Your credit card details do not go directly from your computer to FestgroundHK servers, they go through more than 10 different networks. This means that if anyone is looking at data on any of those networks, they can see your details. You can use one of the following commands to see the path your information will take on the way to FestgroundHK servers (IP:

不只是在您電腦網絡上的人可以閱讀您的資料,在其他電腦網絡上的人也可以閱讀到。您的信用卡資料並不是直接發送到 FestgroundHK 伺服器,它們會透過多於十個其他不同的電腦網絡來傳送。所以假如有人正在瀏覽任何這些網絡上的數據,他們都可以閱讀到您的資料。您可以利用以下的方法去查看您的資料在到達 FestgroundHK servers (IP: 前的路徑。

Mac / Linux Terminal: traceroute
Windows Command Line: tracert

Almost half of the world use the internet, which means over 3,500,000,000 people have the potential to see your data and it would be very naive to think that no one is looking. It’s probably safer to write your details on the side of a bus. This website is so unsecure that you web browser will tell you not to enter credit card information. (The image below shows a message from Chrome)


Perhaps more worrying is Ultra’s attitude towards the problem. Not securing the website may have been a mistake, a very serious mistake, but they don’t seem to care. The website, which is registered to someone with an Ultra email address, has a privacy policy that lies about its security. When I contacted Ultra about the massive security flaw, they told me it was fixed, but it’s not. They lied. FestgroundHK did not reply.

也許更令人擔憂的是 Ultra 對這個問題的態度。不保證網站是否安全是一個極大的錯誤, 但他們似乎不太在乎。這個網站是由一個 Ultra 的電郵地址所登記的,其隱私政策中安全性的部分根本不實。當本人聯繫 Ultra 關於這個大規模的安全漏洞時,他們的回應是已經解決問題,但事實上卻沒有。 而FestgroundHK 並沒有回覆。

Ultra do not care and they are probably cost cutting, but their cost cutting is going to end up costing you a lot more that the price of a ticket. If someone gets hold of your card details they could empty your bank account or max out your credit limit. It’s safe to assume they are breaking some data protection laws too.

Ultra 根本沒有在乎該網站的安全性,他們極有可能在削減成本。假如他們在削減成本,最終只會令您付出比票價更高的代價。因為如果有人掌握了您的信用卡資料,他們可能會清空您的銀行帳戶,或者最大限度地提高您的信用額。他們有可能違反了保護數據資料的法律。

I urge everyone to stop buying tickets until they fix this problem, otherwise you are putting yourself at unnecessary risk. For those that have already purchased tickets, check your bank account to make sure every purchase on your card was made by you and contact your bank to let them know that you used your card on unsecure website, so they can monitor suspicious activity more closely.


Everyone should contact Ultra and FestgroundHK. They will only fix this problem if they are pressured. Email them everyday. Bombard their social media accounts. What they are doing is unacceptable.

每個人都應該聯繫 Ultra 和 FestgroundHK。他們只會在壓力下才解決這個問題。每天給他們發電郵,轟炸他們的社交媒體帳號。因為網絡交易的安全性是中十分重要的,絕對不能接受他們的處理方法。

On the home page of the ticketing website it says: “Be Responsible. Think For Yourself And Care For Others.” You should do exactly that. Do not use purchase tickets until the website is fully secured and warn your friends.

在票務網站的主頁上,它說:「要負責任。為自己及他人著想。」您絕對需要這樣做。在該網站完全安全之前,絕對不要做出任何交易。保障自己, 也記得警剔身邊的朋友。

Translated by Winco Tang.

Leave a Comment

Your email address will not be published. Required fields are marked *