Hacking iWin

About ten years ago, around 2000, an online gaming company named iWin launched. The premise was simple: when you played their online games you earned iCoins, which you could then exchange for prizes. It was kind of like exchanging tickets at an arcade for prizes, except that you didn’t have to pay iWin to play and their prizes were excellent: MP3 players, VCRs, gift certificates, etc. The only downside was that as you played the games on their website, a large ad banner appeared below the game, which is how they made their money.

At the time I was working on AOL-Files.com, a community of hackers dedicated to finding and exploting holes in the America Online service. A large part of what we did was pick at and probe the AOL software, hoping to find a vulnerability which would enable us to do things we werent supposed to do. When iWin launched, it became a popular target for a lot of the community because of the prizes it offered.

Breaking iWin

The first thing we noticed was that iWin rewarded you for referring other people to their site. Whenever you signed up it asked you for the user name of whoever told you about the site and then that person got something like 25 iCoins automatically. iWin didn’t employ a CAPTCHA, so it was incredibly easy to automate the registration process. We created bots that would sit there for hours and create accounts, all using the same referrer, which was our legitimate account. We quickly earned a massive amount of iCoins this way. (Note that this would have been relatively easy to mitigate by adding a CAPTCHA or not rewarding the referral bonus until the new user had played a certain number of games, which couldn’t be automated).

Eventually someone discovered a far easier way to accumulate iCoins. There was a page on the site that required you to type in how much you spend on an item. So, for example, the page would show a product and it would say that it cost 2,500 iCoins. You’d type in 2,500 into a text box, hit submit, and the 2,500 would be deducted from your account balance. If your original balance was 10,000 iCoins, iWin would recalculate your balance like so:

10,000 - 2,500 = 7,500

Well, someone figured that iWin didn’t check to make sure you were using positive numbers so if you entered a negative number, iWin would still try to subtract it from your balance:

10,000 - -2,500 = 12,500

And just like that, people could add thousands of iCoins by simply entering a negative number into that form.

Later, someone else figured out a URL that you could go to which would let you specify how many iCoins you wanted to add to your account. With one click, you could go from 250 iCoins to 2,500,000,000 iCoins (though that would have been a bit suspicious).

Their security was so poor that you couldn’t help but feel bad for them. They had a winners page which listed all of the recent winners and what they had won. Some spammers figured out that if you signed up with an account name like:

<h1><a href="http://www.spam.com">Click here!</a></h1>

Then the winners page would display the link which implies that 1) the user name was not validated at the registration step and 2) it wasn’t escaped prior to display on the winners page.

As you can imagine, these exploits didn’t last very long. iWin quickly fixed most of the vulnerabilities that we had taken advantage of. They also switch to an auction-only system so that you could not purchase a prize directly with iCoins; instead you could use your iCoins to buy raffle tickets for an item, which made it a lot harder to beat.

At this point you might be wondering how iWin ever expected to make money off of their originally business model. I wondered that for a long time too.

Here’s what I think: iCoins were very hard to accumulate legitimately. The games didn’t reward many iCoins and you’d probably have to play hundreds of hours to earn enough to purchase a decent prize. Most people probably quit long before they ever earned enough to get anything. In the mean time, the users had spent a lot of time playing the games and viewing the ads. Someone probably calculated that something like 95% of the players would never earn enough to win a prize and for those that did, the amount iWin earned in ad revenue would far surpass the amount they had to pay out in prizes.

Final Thoughts

I was 14 at the time. Looking back, I’m proud that we were clever enough to figure out how to break iWin, but I’m not happy that we actually went through with it. What we did was equivalent to stealing from Best Buy because the locks were broken.

It may have seemed victimless at the time, but someone was losing money because of what we were doing. Just because you’re smart enough to do something doesn’t mean you should.

One thought on “Hacking iWin

  1. A few years ago I was working on a competition with a grand prize of several new SUVs (part of a product launch for the vehicle). We did a very basic version of the “riddler.com” model (remember them about 12-15 years ago?) where our partner websites would put ‘badges’ for gamers to click on. Each badge was worth some number of points.

    Some smart souls figured out that the badge numbers were somewhat sequenced (we had allocated up to 10 badges per partner, so we would start at ’10’ for instance and work our way up). Scripts were written that would hit our server each day and collect the maximum number of points available.

    The scripts weren’t that smart though, and there were gaps in the rewarding badges. Our ‘fix’ for this was to create new badges in the gaps that were worth massively negative numbers of points. In one day, the most problematic players vanished.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s