
Tue, 13 Sep 2011

Hacking Online Auctions - UnCon && ITWeb talk

I gave an updated version of my 'Hacking Online Auctions' talk at UnCon in London last week. The talk gave a brief intro to general auction theory and how the models can be applied online, but the main focus was on 'penny auction' websites. What are those all about then? Well, during my Masters last year I took a course on Internet Economics, and one of the modules involved auction theory. It was a really interesting module, and I did a bit of my own research on the side, during which I stumbled across various penny auction sites. The sites (which present themselves as akin to eBay and the like) go a little something like this:

1) Loads of high-demand products up for auction (e.g. iPhones, cars, TVs, cameras, etc).
2) All auctions start from some predetermined countdown, usually around 5-9 hours, and tick down one second at a time.
3) All auctions start with an opening price of £0.01 (or R0.01 etc). Each bid placed increases the price by one penny/cent.
4) When the timer hits zero and no-one places a bid, the auction ends and the last bidder wins. He pays the price that the item climbed to.

If you check out some of these websites, you'll notice that items seem to sell for ridiculously low prices - e.g. an iPhone 4 for £30, an Audi A1 for £300. The sites also, of course, include various 'winner galleries', showcasing happy winners with their dirt-cheap fancy kit. It all seems too good to be true, and the sites lure in loads of sucke^Wplayers.

Alas, there are two big caveats which are not mentioned early on:

1) You have to purchase your bids in advance - for anything from £0.20 to £0.50 each.
2) If someone places a bid when the countdown timer is under 30 seconds, the timer gets reset to 30 seconds, indefinitely.
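To make the rules and the two caveats above concrete, here is a small Python model of a penny auction, added here as an illustration (it is not code from the talk or from any of the sites; the bid stream, the 100-second countdown and the 50p bid cost are constructed values). It replays a stream of bids with the timer-reset rule and then backs out what the site takes in from an advertised 'sold for' price alone.

```python
from collections import Counter


def run_penny_auction(bids, start_countdown, bid_cost, opening_price=1,
                      increment=1, reset_window=30):
    """Replay (seconds_since_start, player) bids under the penny-auction rules above.
    Money is in pence, time in seconds. Returns the winner, hammer price, number of
    accepted bids, each player's total outlay (pre-paid bids, plus the hammer price
    for the winner) and the site's revenue."""
    deadline = start_countdown          # moment the countdown reaches zero
    price = opening_price
    last_bidder = None
    accepted = 0
    spent = Counter()
    for t, player in sorted(bids):
        if t >= deadline:
            break                       # timer already hit zero: auction over, bid rejected
        price += increment
        accepted += 1
        last_bidder = player
        spent[player] += bid_cost       # every bid is bought up front, win or lose
        if deadline - t < reset_window:
            deadline = t + reset_window  # the caveat: a late bid resets the clock
    if last_bidder is not None:
        spent[last_bidder] += price     # the winner also pays the hammer price
    return {
        "winner": last_bidder,
        "price": price,
        "bids": accepted,
        "spent": dict(spent),
        "site_revenue": accepted * bid_cost + (price if last_bidder is not None else 0),
    }


def headline_economics(final_price, bid_cost, opening_price=1, increment=1):
    """Back out the site's take from an advertised 'sold for' price: the price tells
    you how many bids were sold, and each of those bids was paid for in advance."""
    bids = (final_price - opening_price) // increment
    return {"bids": bids, "site_revenue": bids * bid_cost + final_price}


if __name__ == "__main__":
    # Constructed bid stream: countdown starts at 100 s, bids cost 50p each.
    sample = [(10, "alice"), (95, "bob"), (120, "alice"), (140, "carol"), (200, "bob")]
    print(run_penny_auction(sample, start_countdown=100, bid_cost=50))
    # An 'iPhone 4 for £30' headline (3000p) with 50p bids:
    print(headline_economics(3000, bid_cost=50))
```

For the £30 iPhone headline the model gives 2,999 bids sold, so the site takes in roughly £1,530 on an item it advertises as having gone for £30.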

So, after I realised the slightly dodgy premise of these businesses, I decided to do some deeper investigation. I identified a few of the biggest / most popular penny auctions websites, decoded their server <--> browser protocol, and made my own simple client to query auctions over time. Over a period of 90 days I observed some 30,000 auctions, involving over 2,000,000 individual bids from around 20,000 unique players. All of this was pumped into a nice MySQL db, allowing us to dig through the data and pull out some interesting stats, and devise some cunning methods to 'game the system'.

Tue, 12 Jun 2007

Second Life land grab case moves into U.S. federal courts

Ars Technica is reporting on the lawsuit filed in 2006 by Martin Bragg, who accused Linden Lab of wrongfully seizing his virtual land.

-snip-

Linden Lab filed two motions to dismiss the suit, arguing that Bragg came into possession of his land wrongfully, but the Pennsylvania judge denied those motions.

-snip-

A few things about this are super interesting..

  • Linden Lab (creators of Second Life) literally sells online assets for real-world money.
  • Martin Bragg (from the accounts I've read) found that by simply adjusting his HTTP GET parameters he was able to bid on not-yet-opened auctions. (1)
  • Bragg apparently invested thousands, planning to buy low and sell high.

We have just started to consider the attack possibilities and where this is going, but again, I suspect fun times are ahead. (2)

/mh

(1) A public-facing web app that deals with real money, and that is vulnerable to an '80s-style parameter-passing attack? tsk.. tsk.. (someone needs to have their web apps audited!)

(2) I have not yet checked out Hoglund's new book [Exploiting Online Games: Cheating Massively Distributed Systems] but suspect I'll take a look soon.