Hello and welcome to the R3S stage on the internet. Let's speak a bit about the talk that we are going to watch. It's about unwinnable prizes on the internet. You have seen it on different websites where you can spin something and win something very interesting, like magnetic monopoles or something like that, and we will learn if that's possible, if you can win something, and if you can win something, how you can do that. With that, passing over to Roland.

Yes, thank you very much. So my name is Roland Meertens. You can ask me any questions on my email, and my talk will be about unwinnable prizes on the internet. Sometimes you find websites which indeed promise you prizes and you can't win them. That's maybe already a bit of a spoiler, but the way in which you cannot win them was a bit surprising to me, and I think it makes a funny story, hence this talk. So I want to go over in what way you cannot win these prizes, I'm going to go a bit over how you can discover this, how I discovered it and how you can discover this for yourself, and last but not least I'm going to talk a bit about what you can do when you discover such a website, what you can do about it or against it.

So first, maybe, how it started. At some point I was having a call with a friend and she clicked on some Facebook link to a website where you could buy edible cookie dough, which you don't even have to bake, you just eat it directly. When you came to this website there was some pop-up which said "click here to win a prize", and when you clicked it, it said "spin the wheel, leave your email and you can win one free kilo of cookie dough". Amazing, right? Who doesn't want to win this? And not only could you win this free kilo of cookie dough. I took a screenshot of the spinner you saw there, and that's on the slide. You could also make your own taste of cookie dough in their kitchen. Amazing, I love cooking, I would love to make my own taste in their kitchen. You could win a discount of 50%, that's quite a lot of discount. You could win a kilo of cake batter, that sounds like a great prize. You could also win 5% discount, which you can also see there. But after you spin this spinner, after I left my email, or let's first start with after my friend left her email: they said "no luck". So she didn't win anything. That was bad, especially since there are one, two, three, four, five... there's like ten places the spinner can end up in, and apparently there was one which said "no luck". Then I entered my email and again the spinner spun and it ended at the same square, "no luck". Well, that could be unlucky of course, but then I started wondering: what is actually the probability of winning a prize here? Or maybe, to put it more clearly, I think the question is: what does this website pay you in return for you giving them your email address? Because normally I would have never left it.

So first I was tempted to look at my network traffic. I thought probably when I submit my email address to this website they send it to some server which then of course registers it and adds it to some database from which they spam me with their new flavors or something. So I started Postman and started monitoring my traffic, and at first I was a bit surprised, because the server didn't reply with whether I won or didn't win, which basically means that all the logic is actually in the browser. I think everybody knows that if you want to see what a website is doing you can look at their JavaScript and their HTML code. So of course I opened the inspect source page in Chrome, and one thing which I noticed a lot of people don't know is that you can also edit code: if you right-click on a file in Chrome you can save it for overrides. The logic for the spinner was indeed in the browser. Everything for what you can win and what your probabilities are was indeed handled in my browser, so of course that's fun, that means you can modify their JavaScript. So I found this function in it which had a load JSON thing, and there I added some code which you can see on screen. It's not really interesting, but what I basically did is I took all of their prizes you can win in the spinner and I logged the probability, and that's how I could find the true probabilities of this website. In this case there was a 95% probability of not winning a prize. I thought that was bigger than the spinner showed me. There was a 5% chance of a 5% discount, it's not such a high discount, but you could at least win it. There was a 10% chance of a 10% or, sorry, a 1% chance of a 10% discount. But everything else, like the free kilo of cookie dough, the 50% discount, the free cake batter, making your own taste in their kitchen, of course there was a 0% chance of winning it. So I thought it was a bit lame. So the conclusion of the first part of the talk is, of course, you can't win any of these interesting prizes on this website.

But that's not the end, because we could modify the JavaScript, right? So first of all I thought that only a 5% chance of winning this 5% discount was a bit low, so you can of course change that, and that way I could always win this 5% discount. Cool. But then I thought, oh well, that means of course I can also win this best prize, this free kilo of cookie dough, right? By default it said win is false, but I can change it to true, I can set the probability to a lot, and the result was an error. So it looks like this website didn't even code the logic for winning these interesting prizes. That's not very nice.

So of course now I concluded this for one website, but I was wondering: do more websites use this practice? It turns out this particular website was using Shopify, and in Shopify you can have a lot of plugins. In this case this website decided to install the Spin-a-Sale plugin, and if you go to this plugin on Shopify you see that it's very popular, it's got a lot of positive
reviews, and a lot of people gave it five stars because it really increases the amount of people that sign up on websites to get their spam. If you look at the reviews, there are also a lot of written reviews, and sometimes owners left their email or their website domain. So I found way more of these places where you could win interesting things, from barbecues to rodeo equipment to I don't know what, but a lot of these websites were basically promising big prizes which you couldn't really win. By the way, there's maybe one website which I did really like: there was this website which also made some prizes unwinnable, but they basically set the probability for winning nothing to zero, and they always made sure that you won a reasonable amount of discount. So I thought that's also fun. But the sort of probabilities you see here don't really correspond to the actual probabilities you have in the app.

So that maybe brings me to the last question: is this ethical or legal, and what can we do about it? I had many discussions with friends about what they thought about this when I discovered it. I think that most people were kind of amazed. When they see something like this, they didn't really expect that the probabilities you see on this spinner are exactly the probabilities you get, so I think that most people didn't expect you to have a 10% chance of winning a lot of cookie dough, but I think that people also didn't expect the actual spinner to look like this on the screen. So I think that most people expected you to have a bit of a fairer chance to win anything. I give my email in return for a fair chance to win specific prizes, that's the reason I signed up, but the shop owners of course don't keep up their end of the deal, and they only give me a very small chance of a discount and a very big chance of having no prize. So I think that, at least in the conversations I had with my friends, a lot of people are not surprised that the probabilities are not correct, but people are surprised that they are so incorrect and you cannot win those prizes.

So what I did is I emailed the owners of the website. I'm going to paraphrase it and not show the actual emails, but I said: hey, I can't really win any of these big prizes, I figured it out. And the first reply I got was: oh, let me ask the website builder, I'm mostly making tasty things, hehe. The "hehe" was actually in the email, that's why I'm adding it here, but that made me a bit sour. I thought, yeah, I mean, you're obviously not keeping your end of the deal when I sign up with my email. So I asked them two more times to change it, and later they said, oh, we changed it, and I looked at their website again and they didn't really change it. Later they did change it a bit, but they kept some interesting prizes, like making your own taste in their kitchen. As you can see here, they did replace a lot of things with just "oh, you get a discount". I think they gave you a way bigger chance to win this 3% discount, so at least people always got something, but they still include some prizes which are not actually winnable.

That maybe brings me to the part of: is there a law against lying on the internet? You would of course say probably not, but I discovered that there's this authority for consumers and markets. This was a Dutch website, by the way, so I'm only quoting the Dutch authority for consumers and markets, the Autoriteit Consument en Markt in the Netherlands. I actually reached out to them and they seem to be quite happy with the messages I sent them. So, to again paraphrase them, they said, in Dutch but translated: in case a seller has an action in which some prizes can't be won, this apparently can be seen as an unfair commercial practice, and apparently the Autoriteit Consument en Markt in the Netherlands does try to monitor compliance with this legislation. I also asked them what they can do about it. So if I go to them and I say, hey, these websites are having this unfair commercial practice, what can you do about it? And they said, oh yeah, please reach out to us, and besides contacting the firm and asking for a commitment they can apparently give companies a fine if they refuse to change their way of working. So that's at least one thing you can do if you find practices like this on the internet. And as I said, when I talked to them they seemed to be quite eager to actually do something about it, which I was amazed by. I didn't really expect anyone to care about this except for me, who found it a really funny story.

So the conclusions are basically: no, you cannot win any of these interesting prizes on these and other websites I checked. We also learned that you can save your JavaScript locally so you can discover this. We discovered that you can find a lot of websites which use this plugin. And if you ever find unfair commercial practices like unwinnable prizes on the internet, you can report such sites at the Autoriteit Consument en Markt in the Netherlands. So that's it for my talk. If you want to reach out to me, I don't know how smart it is to give my real email at the end of this talk, but you can email me at rolandmiertsejimo.com, my GitHub is Ermertens, and I think I'm mostly active on LinkedIn or Twitter, so add me there and follow me there. That's it. I'm kind of suspecting that someone walks on stage now.

Cool. Sorry, this one caught me off guard, I was expecting it to take a bit longer. Let me see if there are any questions. So far none, but hopefully some people remember you can put them in the Twitters and in the Mastodon of this world, and also in the IRC, in the hackint channels R3S or RC3. So I do have one question: did you, in this whole endeavor, stumble upon a website that did things fairly? Like, do you have that? I mean, honestly I was kind of
expecting that it is a scam, that this is my expectation. I was surprised that you could actually win anything. And the thing is, are there other legitimate websites who do that, who implement this spinning wheel fairly?

Yeah, so as I said, I also didn't expect the wheel to have the exact probabilities which are there, but already there, I think when I talk about this with friends, a lot of them say, oh, they were already amazed that these probabilities are not the same. I think you have to kind of see it as if I would stand on the street with the actual wheel and I would say, hey, do you want to win a kilo of cookie dough, and you don't see this on the wheel. You would of course never leave your email, and it would be weird. What I did like is this one website of which I gave an example, which set the probability of no prize to zero and made sure that you always won, or the biggest chance you had there was winning a 20 percent discount on their rodeo equipment, and they also had a small chance of winning 25 percent, but then you had to order for at least $300 or something. So I think that's fair. But a lot of the discounts seem to be given quite generously, because I think that encourages you to buy more.

Yeah, but the things like free stuff, that just seems to be not winnable.

Okay. Oh, sadly I put my phone away for a second and, like, 500 questions... not 500, but three. So, what tooling would you recommend to reverse engineer clients in JavaScript, especially if it's minified or obfuscated?

Oh yeah, if you have something which is minified or obfuscated, that will take you a long time, that's really hard. I actually think that there's one other spinner for Shopify which does obfuscate their code. So of course I started looking, this is more when I was preparing the talk, there was this other spinner which obfuscates it and I didn't even get started there. I think what's at least relatively easy is doing this Postman thing, so inspecting what goes to the server and comes back. In these packages the data is normally quite okay, but indeed as soon as it enters your browser and it gets parsed by something obfuscated, you don't stand a chance, or at least, if you don't have a big thing to gain, I wouldn't take any of this effort anymore. I know there are deobfuscators, but I'm not sure how well they work. But again, if you really start looking into it, normally if you have something like an obfuscator, the thing I normally look for is function names which make sense. In this case I was quite lucky that there was this function code in it which had a partition part, so then it's easy to figure out immediately, okay, here is where the data comes in, and I can start to inspect this. But as soon as you don't know what any of the functions do, it's harder. One other tip which I sometimes use is changing functions and seeing what goes wrong on the page. So if you have a function, you can maybe just remove the code, or remove this function, and see where it crashes or where it goes wrong. That can also say something about what did I just break. It's a bit of trying to figure things out by breaking parts and seeing what happens, but that's at least something which sometimes can help you.

Mm-hmm, yeah, okay. So basically approach JavaScript like you would any other decompiled binary thing.

Yeah, it's basically one big puzzle, and so if you are bored during lockdown, there you go.

Oh, they're growing, the questions, that's nice. Was it possible to modify a website in a way to pretend to have won the big prize?

Yeah, so what I did is, so I didn't even have to pretend, because I could just change the probabilities so the spinner would always end at the place I wanted it to end.

Mm-hmm.

And this is my point about this gave an error: just the spinner would stop, and nothing would happen, so the logic for handling these events was simply not coded.

Yeah, so there was no kind of interaction programmed for these kinds of cases.

Yeah.

The question, I think what they are going for, please correct me if I'm wrong, on the internet I'm never wrong, on the internet people shouldn't lie on the internet, yeah, that's for sure. No, they... if it would be possible to not get the error code and pretend, yeah, you won the one kilogram of free cookie dough, I presume.

Yes, it would be possible to design something that looks like the official thing. I mean, one thing I was considering when I sent him an email, I was basically considering two things. One is just be direct and say, hey look, you're doing this unfair thing. Or I was also considering, maybe you can send him an email and say, hey look, the spinner ended at a big prize but nothing happened, can I still get it? So basically try to use some social engineering to try to get this prize anyway and see how they would respond, if they would just directly tell me, oh, you can't win this, there is something wrong.

Yeah. And what about those websites claiming you are the one millionth visitor, you won a fruity phone, how does the code look there?

Oh, I haven't looked at those, but I don't assume there's any logic encoded there. The reason I found this interesting is that the things which would give you something would actually give you something, so I could order my cookie dough with 10% discount if I wanted to eat cookie dough. But I think that "you are the one millionth winner" just sends your email directly to a Nigerian prince and nothing else happens. So I don't think there's any logic behind that.

But then you can win an inheritance of 10 million pounds, right? I mean, he told me it will be there any day. And the last question, which is my favorite so far, whoever submitted the question, you won the internet: what would you do if you would win a huge amount of cookie dough on the internet?

Oh man, I would distribute it to all my friends. It would actually be quite cool to come here next year and give another talk and then bring a lot of cookie dough. So if the owners of this website are watching and want to sponsor this event, I'm open, contact me, you already have my email because I'm the weird person who sent you an email.

So also they could have submitted some cookie dough, sent you some cookie dough for the bug bounty program or something like that. Yeah. And I have to correct you on that part: I hope next year we'll be back in Leipzig, but let's see whether that goes.

Yeah, for the bug bounty thing, I'm still kind of wondering, like, I'm still kind of thinking that they of course knew this, right? They of course knew that they said this probability is zero. So I'm also still kind of... if people still want to have a discussion online, it's still interesting to ask yourself: what would you have done? So if you have access to a plugin like this, would you add unwinnable prizes or not? That's maybe a bit of an ethical question for yourself to think about.

And nonetheless, thank you very much for the talk, it was very interesting, and I'm sure you will be around this RC3 world.

Or yeah, I'm now going to drive home, but I can maybe quickly check if there are people who want to have a Jitsi call or something or want to discuss something. I can quickly take a look at what kind of messages there are.

I mean, they can just drop your email or something.

Yeah, again, you can reach me at my email, it's on screen again. I don't know how smart it is, please don't spam.

I think that's too late.

Yeah, but thank you very much, and have a safe trip home.