In a stunning revelation, hackers have reverse-engineered Ticketmaster and AXS’s “nontransferable” digital ticketing system, enabling ticket transfers on third-party platforms. This breakthrough, initially reported by 404 Media, threatens to upend the controlled resale market.
The breach surfaced in February when an anonymous security researcher, known as Conduition, published details on how Ticketmaster’s electronic ticketing system operates. Ticketmaster and AXS traditionally lock ticket resales within their platforms, blocking transfers on services like SeatGeek and StubHub. For major events, they even prevent transfers between accounts on the same platform, ensuring they control the resale process entirely.
Ticketmaster and AXS employ rotating barcodes that change every few seconds, akin to two-factor authentication codes. This mechanism prevents static screenshots or printouts from being valid, as the codes are only generated just before events commence. This ensures tickets can’t be shared outside their apps, maintaining their monopoly over the ticketing ecosystem.
Hackers Create Parallel Ticketing Infrastructure
Hackers exploited Conduition’s findings, extracting the platforms’ secret tokens that generate new tickets. By using an Android phone connected to Chrome DevTools on a desktop PC, they created a parallel ticketing infrastructure. This allows them to regenerate genuine barcodes on unauthorized platforms, effectively enabling the sale of tickets on platforms not approved by Ticketmaster and AXS.
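The example below is added here for illustration and is not code from Ticketmaster, AXS, Conduition or 404 Media. It shows a gate-side check for a rotating code, which explains both why a screenshot goes stale and why a scanner cannot distinguish the official app from any other holder of the same secret. It assumes the barcode behaves like a standard RFC 6238 TOTP value; the 15-second step, 8-digit length, secret and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 15   # assumed rotation interval (the article says "every few seconds")
DIGITS = 8          # assumed code length


def rotating_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def gate_accepts(secret: bytes, presented: str, scan_time: int,
                 drift_steps: int = 1) -> bool:
    """Scanner-side check: accept the current step or +/- drift_steps for clock skew."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = rotating_code(secret, scan_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, presented):
            return True
    return False


def demo() -> dict:
    ticket_secret = b"constructed-demo-secret"       # constructed sample value
    shown_at = 1_700_000_000                         # constructed timestamp
    in_app = rotating_code(ticket_secret, shown_at)
    # Any other holder of the same secret derives the identical code.
    elsewhere = rotating_code(bytes(ticket_secret), shown_at)
    return {
        "fresh_scan": gate_accepts(ticket_secret, in_app, shown_at + 5),
        "screenshot_after_2_min": gate_accepts(ticket_secret, in_app, shown_at + 120),
        "same_secret_other_holder": gate_accepts(ticket_secret, elsewhere, shown_at + 5),
    }


if __name__ == "__main__":
    print(demo())
```

The check proves only that the presenter knows the shared secret at scan time, so the rotation defeats screenshots but provides no binding to a particular app or device.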
AXS responded with a lawsuit in May, targeting third-party brokers using this technique. The lawsuit, as reported by 404 Media, claims the brokers sold “counterfeit” tickets, even though these tickets often worked at the gates. Court documents describe these parallel tickets as “created, in whole or in part by one or more of the Defendants illicitly accessing and then mimicking, emulating, or copying tickets from the AXS Platform.”
Despite the lawsuit, AXS admits it does not fully understand how the hackers achieved this breach. The lucrative potential of bypassing Ticketmaster’s system has led several brokers to reportedly seek Conduition’s assistance in developing their own parallel ticket-generating platforms. Some of these services operate under names like Secure.Tickets, Amosa App, Virtual Barcode Distribution, and Verified-Ticket.com.
This development poses a significant challenge to Ticketmaster and AXS’s grip on the ticketing market, raising questions about the security of digital ticketing systems and the future of ticket resale platforms.