Ticketmaster, AXS “Non-Transferable” Tickets Cracked by Hackers


Ever bought tickets to an event and been frustrated that they were locked to the Ticketmaster or AXS app rather than issued as an actual ticket? Apparently some technically minded folks have felt the same way, and have successfully cracked the technology behind Ticketmaster’s “SafeTix” system as well as its AXS counterpart, allowing tickets to be shared without permission from the ticketing platforms that had already sold them once.

“I recently purchased tickets to a concert from Ticketmaster,” reads a post by a coder who goes by “conduition” published in February about his project to reverse-engineer the mobile-locked ticketing system. “If they had issued me normal, printable PDF tickets I could save offline to my phone, this article never would’ve been penned. But of course this is 2024: Nothing we do online can be simple anymore.”

This, it should be noted, is not related to the other Ticketmaster hacking incident that has been in the news of late. In that incident, hackers gained unauthorized access to data sourced from the ticketing giant’s customers by breaching a third-party cloud provider.


Rather, this crack is based on coders working out how the mobile-only ticketing systems allow a variable barcode within the app to be validated by scanners at the venue. Since these systems allow tickets to be saved to a user’s “wallet” on their mobile device, there had to be some sort of unique identifier within the ticket that does not change, which allowed the rest of the system to be figured out.

That this system had been cracked is not new information to those following the ticket sales industry in recent months. Even before the post explaining the reverse engineering process, TicketNews had noted social media posts from consumers curious about tickets sent as “wallet links” for events, and AXS filed a lawsuit in January of this year accusing several providers of such services of providing “counterfeit” tickets and violating their copyright.

While Ticketmaster claims that the automatic refreshing barcode leads to tickets that “cannot be stolen or copied” for security reasons, such systems have also formed the backbone of event operator and promoter efforts to harvest massive amounts of user data as well as make it harder for consumers to use, transfer, or resell tickets they’ve bought as they see fit.

As Conduition pointed out in explaining why he took on the project that led to his crack of the system:

It’s pretty clear why TicketMaster is pushing this technology:

  • SafeTix makes it harder for people to resell tickets outside of TicketMaster’s closed, high-margin ticket-resale marketplace, where they make a boatload of money by buying low and selling high to customers with no alternative.
  • It pushes users to install TicketMaster’s proprietary closed-source app, which gives TicketMaster more insight into their users’ devices and behavior.
  • People can’t save and transfer tickets outside of Ticketmaster. This forces ticketholders to surrender their friends’ contact information to TicketMaster, who can use this data to build social graphs, or conduct other privacy-invasive practices.

TicketMaster will never admit to these motivations, but it cannot be doubted that these effects have manifested regardless of TicketMaster’s intent, and they’re all good news for TicketMaster’s shareholders, if not for their customers.

Consumer advocates have long argued that the shift to such technology is harmful to consumers, dismissing the industry-side argument that these restrictive systems are necessary to combat “scalping” of tickets. Several states have to date passed laws barring the forced use of such systems unless consumers are given a choice of the format in which tickets are delivered or ticket transfer and resale are allowed to take place without restriction, though efforts to pass such legislation at the federal level have seen considerable pushback from companies like Live Nation Entertainment and allies of mega-managers like Irving Azoff.

“Prohibiting ticket transferability as a way to prevent scalping is a cure worse than the disease,” wrote John Breyault of the National Consumers League in an Op-Ed published by The Hill in support of the BOSS and SWIFT Act. “Fans often have to buy tickets for shows months in advance. Unexpected events can prevent someone from attending the show. Forcing consumers to eat the cost of those tickets is patently unfair. By protecting ticket transferability, the BOSS Act will make sure consumers can sell or give away their tickets when life inevitably intervenes and they can’t attend an event. It will also prevent Ticketmaster from introducing anti-competitive restricted-transfer tickets, which prevent resale on any exchange where Ticketmaster can’t control the prices and set the rules.”

Currently, it appears that access to the crack of these mobile-only systems is primarily limited to ticket resale operations, which have obvious financial incentives to pay for the development of such a workaround. The system it works around was designed by Ticketmaster, and by other operations like AXS which followed suit, largely with the elimination of competition from independent ticket resale marketplaces in mind. This was detailed exhaustively in a recent story by 404 Media exploring the breaking of the “non-transferable” system.

But, as Conduition points out, it is not technically difficult for others to follow the same path he did to the core of how the system works and reverse engineer their own solution.

“I have actually heard of [other cracks of the locked ticketing ecosystem] before,” he told 404 Media. “After publishing my article on TicketMaster, I’ve been cold-emailed 5-10 times with contracting offers, asking me to build similar ticket sharing systems. One person asked me to exactly duplicate [one of the alleged websites]—not just the UI layout, but pixel-for-pixel duplication, plus the cryptography needed to generate valid barcodes from a ticket secret,” Conduition said. “I suspect that these ticket sharing websites are making real attempts to allow ticket sharing (albeit against the monopolistic wishes of AXS/TM).”

Neither Ticketmaster nor AXS has commented publicly on the breaking of their mobile-only app systems, but there have been several instances of venues turning away consumers with valid tickets at the gate, simply because the tickets were shared with the end-user outside of the Ticketmaster or AXS application using one of these cracked services. It is unclear whether either company will go back to the technical drawing board to develop a new walled garden approach, or if they will rely on their legal teams to try to put the genie back in the bottle for them.