[windows2000] Re: OT: For those of you who are iTunes Fans

  • From: "Sullivan, Glenn" <GSullivan@xxxxxxxxxxxxxx>
  • To: "'windows2000@xxxxxxxxxxxxx'" <windows2000@xxxxxxxxxxxxx>
  • Date: Fri, 20 Feb 2004 11:10:35 -0500

Courtesy of Bob Free from the NT SysAdmin list.....




Pepsi Bottlecap Liner Labeling Information Leak Vulnerability

Advisory Location:
http://dragos.com/pepsi.txt

Release date:
February 18, 2004

Severity:
Pink (Free Music Downloads)

Systems Affected:
Diet Pepsi  - 20 FL OZ Bottle (with "1 in 3 Wins a FREE Song" label)
Pepsi       - 20 FL OZ Bottle (with "1 in 3 Wins a FREE Song" label)
Sierra Mist - 20 FL OZ Bottle (with "1 in 3 Wins a FREE Song" label)

Description:
During the Super Bowl, Apple and Pepsi co-launched an ad campaign giving away
100 Million songs via Apple's iTunes Music Store.  Because of a vulnerability
in the notification of the give-away, attackers can guarantee a free song in
any Pepsi purchase.  Pepsi uses an industry standard known as "bottlecap liner
labeling", where the vendor includes notification of fun and prizes.  This
method of notification is vulnerable to a pre-purchase notification weakness,
allowing attackers to limit their purchase to products that are known to be
"winners" in the give-away.

Technical Description:
An attacker capable of obtaining physical access to a bottle prior to purchase
may create a non-uniform probability distribution leading to a predictable
outcome.  By causing the bottle to be inclined at a specific declination, the
attacker may gain partial visibility into the result variable, thereby
bypassing the natural selection process.

This attack is not new.  Prior soft drink distribution versions have been
vulnerable to this attack in the past.  Known vulnerable versions have included
the Mountain Dew "Free Soda" give-aways.

Protection:
Vendors should put all Pepsi 20 OZ bottles in a vending machine, which should
mitigate this attack by not allowing physical access before the attacker
purchases the product.

ISS users can add the following TRONS rule to detect this attack:

    alert bottle any any -> any any (msg:"pepsi attack"; tilt:>15; 
        classtype:information-leak; priority:pink;)

This rule may be used to identify downloads of known exploits:

    alert tcp any 80 -> any any (msg:"Pepsi exploit download"; 
         content:"pepsi"; nocase; content:"tilt"; nocase; 
         classification:exploit-download-attempt;)
    
Vendor Status:
The vendor has not been notified.  

Exploit:
Exploits have been observed in the wild and are presumed to be in common
use.
A proof-of-concept exploit is available at:
    http://www.macmerc.com/news/archives/1270

Contributors:
Ereet Hagiwara
Brian Caswell
Dragos Ruiu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc. 
-----Original Message-----
From: Greg Reese [mailto:GReese@xxxxxxxxxxxxxxxx]
Sent: Friday, February 20, 2004 10:26 AM
To: thin@xxxxxxxxxxxxx; windows2000@xxxxxxxxxxxxx
Subject: [windows2000] OT: For those of you who are iTunes Fans


Saw this on cnn.com and thought some of you may find it interesting. 
Enjoy! 
Greg 
From Cnn.com: 
http://www.cnn.com/2004/TECH/internet/02/19/pepsi.itunes.promotion/index.html
Site posts low-tech hack for iTunes giveaway 
By Paulo Nogueira 
CNN 


(CNN) --Sharp eyes and a bit of patience paid off Thursday for iTunes fans
who figured out a way to "hack" the popular music download service's Pepsi
promotion.
Jon Gales, who runs Macintosh-user site MacMerc.com, posted instructions
this week on how to look into sealed Pepsi bottles and figure out which ones
carry winning iTunes codes in their caps.
"With luck, you should be able to see under the cap," said Gales, 19, a
college student who discovered the trick by chance. "It takes a few minutes
to get used to the angle... and you may have to twist the bottle."
Apple Computer's iTunes service is giving away 100 million songs, a
promotion that was launched with splashy Super Bowl TV ads featuring people
sued for illegally sharing music online. One in three bottles is a winner,
according to the rules. And the 10-digit code on a winning cap can be used
to download a free song on iTunes.com.
But when Gales discovered that by tilting the bottles he could beat the
system, he was eager to share the trick. News of his Web site's
illustrations and step-by-step instructions spread quickly on the Internet,
which prompted his domain to crash briefly from the onslaught of visitors.
"I was surprised the kind of traffic and the responses that it got," Gales
said Thursday from his home in Tampa, Florida. "We were getting 30 hits a
second and the database couldn't keep up."
It takes a bit of squinting and some persistence, but Gales' suggestions
work. Those who see the word "again" after tilting the bottle have a losing
cap. But random letters and numbers mean you have a winner.
Pepsi-Cola spokesman Dave DeCecco said he wasn't aware of the trick until a
reporter called him. 
"We always put redemption limits for promotions like these," he said. "But
we've found that most consumers play by the rules."
Apple's iTunes store, the most popular online music retailer, offers more
than 500,000 songs for 99 cents each. Pepsi promotion winners can claim up
to 10 songs per day and 200 tunes total during the giveaway, which ends
March 31. But "you can sign up for another account," Gales said.