Hackers bypass Ticketmaster’s barcode system to enable resales on other platforms

Scalpers have discovered a way to bypass the “nontransferable” digital tickets from Ticketmaster and AXS, allowing these tickets to be resold on other platforms. This revelation came from a lawsuit filed by AXS in May against third-party brokers using this method. 404 Media first reported the news.

The beginning of the saga

In February, an anonymous security researcher, Conduition, published technical details on how Ticketmaster generates its electronic tickets. If you’re unaware, Ticketmaster and AXS restrict ticket resales within their platforms, preventing transfers to third-party services like SeatGeek and StubHub. They even stop transfers to other accounts on the same platform for high-demand events.

While the companies claim this is a security measure, they control the resale process entirely. Ticketmaster and AXS create their “nontransferable” tickets with rotating barcodes that change every few seconds, preventing screenshots or printouts from working. This technology is similar to two-factor authentication apps. The barcodes are generated shortly before the event starts, limiting the time they can be shared outside of the apps. This setup locks buyers into the platforms’ resale services, giving Ticketmaster and AXS control over ticketing.

The hackers’ workaround

Hackers have now found a way to bypass this system. Using Conduition’s published findings, they extracted the secret tokens that generate new tickets. They achieved this by using an Android phone with its Chrome browser connected to Chrome DevTools on a desktop PC. They created a parallel ticketing system with these tokens that generates genuine barcodes on other platforms. This allows them to sell working tickets on platforms not approved by Ticketmaster and AXS. Reports indicate that these parallel tickets often work at the event gates.

404 Media reports that AXS’ lawsuit accuses the defendants of selling “counterfeit” tickets, even though they usually work, to “unsuspecting customers.” The lawsuit describes the parallel tickets as being created by mimicking or copying tickets from the AXS platform.

AXS claims it doesn’t know how the hackers are managing this. The possibility of effectively jailbreaking Ticketmaster has proven so lucrative that several brokers have tried to hire Conduition to build ticket-generating systems. Some services already using the researcher’s findings include Secure. Tickets, Amosa App, Virtual Barcode Distribution, and Verified-Ticket.com.

The bigger picture

404 Media’s report provides a detailed look into the technical aspects of what Ticketmaster and AXS are doing to keep their ecosystems under control. Conduition’s findings reveal these companies’ measures to prevent ticket transfers and maintain their monopoly over the resale market.

This situation highlights the ongoing battle between consumers looking for flexibility and companies aiming to retain control over their products. As hackers continue to find ways around these restrictions, it remains to be seen how Ticketmaster and AXS will respond to protect their systems and maintain their business models.