A little story from the archives about voucher codes, football, and free pints of alcohol.
In late 2016, when out drinking with some friends in a busy London pub, we were handed coupons each valid for "one free pint". The terms were simple enough: only redeemable during the afternoon/evening of a televised Premier League football match (so, basically all the time), and the person redeeming must be at least 18 years old.
There was also a typical verification component which involved creating an account online, inputting the unique number on the coupon, and receiving a QR code for the bar staff to physically confirm and scan.
A fairly reasonable way to set up a marketing campaign, creating a mandatory online element to stop people from just cloning the basic coupon design and handing them out to their friends, plus driving web traffic through to other offers. This particular pub was part of a very large chain which boasts quite a significant number of venues across the UK. The coupons were valid nationwide and the whole thing was clearly designed as a way to acquire more sales during peak football season and tempt patrons away from a specific competitor which ran their own football-related offers.
However, it quickly became clear that this promotion had some amusing flaws. We start with the random codes on each coupon. Turns out they were hilariously far from being random. The first coupon's sequence was "1470000000341029". Now, a sea of zeroes in the middle like that already suggests something's not being generated in a respectable manner.
After a nice pint was successfully redeemed and consumed, the bar staff were handing out more coupons, so we grabbed a few more and immediately clocked the situation: all of the codes began with "1470000000" and ended with six random digits. This meant exactly one million total free pints were redeemable across the country from codes ending 000000 to 999999.
Obviously at this point a few rounds of... user testing... were required to verifiably confirm the problem before disclosing it to the pub chain. A new email address was spun up and a new profile was authenticated using a code with a random ending. Success occurred - a fresh QR code generated and scanned without error.
More free liquid arrived, and it was confirmed through the scientific process of consumption that it was indeed booze and that the offer was consistently upheld.
But Wait, It Gets Less Secure
While this is only a trivial and quite comedic little vulnerability, it's always a good mental exercise to see just how effectively bugs could be exploited at scale. So analysis into efficient acquisition of free pints began by looking at the profile creation process.
You'd think this would present a potential bottleneck, assuming there was some combination of limits surrounding IP addresses, emails, unique devices, or web requests, but no such spam protection existed. There was actually never any need to use a new email address or name with each unique code; it accepted the same details over and over again and pinged the new QR codes to the same inbox. And the promotional website had no issues with receiving bulk requests.
Which means it was possible to fully automate the submission of all 1,000,000 available codes and acquire every single free pint on offer.
The age verification check was also redundant. Any submitted birth date was accepted as being over 18 years old, including future dates, just in case time travellers wanted to come back and relive the great footballing moments with a cheeky drink.
As a bonus, the website offered a helpful map of all its pub locations via an embedded Google Maps display, which also featured a handy export option. So every venue across the UK could be loaded into Google Maps as an overlay, and a pub crawl could be planned with the most optimal walking/bus routes between each pint.
The "+" In The Blog Title
It's not over yet. During all of the above inspection I had naturally assumed the upper limit was 1,000,000 pints. Other, more advanced variations of the code were generated in an effort to find a potential second keyspace, but nothing stuck.
Then something else was spotted. Something absurd. The solution to break through to the mythical "infinite free drinks" was so basic that it actually rendered all efforts that came before it completely unnecessary. Every QR code was exactly the same. Yes, literally every single valid coupon number generated the same QR code. The entire voucher input system was hooked up to some generic template which contained a static QR code that was automatically emailed through.
Perhaps someone ran into a deadline, or perhaps it was just deemed too complex or fiddly to generate 1,000,000 unique QRs for physical scanning in thousands of different pubs. Whatever the case, this meant one could rock up to any of the participating venues and have their phone successfully scanned an endless number of times with only one voucher. No fancy account automation or keyspace exhaustion required.
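
An added example, not part of the original post or the promotion's real system: a sketch of how issuance and redemption could avoid the three flaws described above (guessable codes, an age check that accepts any date, one QR code shared by every voucher). `VoucherStore`, `SERVER_KEY` and the payload format are hypothetical, and the in-memory sets stand in for a database.

```python
import hashlib
import hmac
import secrets
from datetime import date

SERVER_KEY = secrets.token_bytes(32)          # assumption: per-campaign secret, server-side only
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # 31 symbols, no I/L/O/0/1 lookalikes

def _tag(code):
    """Keyed tag binding a QR payload to exactly one voucher code."""
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).hexdigest()[:32]

class VoucherStore:
    def __init__(self):
        self.issued = set()    # codes printed on coupons
        self.redeemed = set()  # codes already scanned at a bar

    def issue(self):
        """Print time: 16 CSPRNG symbols (~79 bits), not a fixed prefix plus six digits."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(16))
        self.issued.add(code)
        return code

    def qr_payload(self, code, birth_date, today):
        """Registration: validate code and age, return a payload unique to this code."""
        if code not in self.issued or code in self.redeemed:
            raise ValueError("unknown or already redeemed code")
        if birth_date > today:
            raise ValueError("birth date is in the future")
        had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
        if today.year - birth_date.year - (not had_birthday) < 18:
            raise ValueError("under 18")
        return f"{code}.{_tag(code)}"

    def scan(self, payload):
        """Bar scanner: verify the tag, then burn the code so a second scan fails."""
        code, _, tag = payload.partition(".")
        if not hmac.compare_digest(tag.encode(), _tag(code).encode()):
            return False
        if code not in self.issued or code in self.redeemed:
            return False
        self.redeemed.add(code)
        return True

if __name__ == "__main__":
    store = VoucherStore()
    code = store.issue()
    qr = store.qr_payload(code, date(1990, 5, 17), date(2016, 11, 1))  # constructed dates
    print(store.scan(qr), store.scan(qr))
```

Rate limiting on registration, which the post notes was also absent, is a separate control and is not shown here.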
Disclosing The Problem
I thought the pub chain might find all of this quite amusing so I contacted them and explained basically all of the above. They were a little taken aback and said they'd outsourced a bunch of their marketing campaigns to various parties and didn't have the budget to recall all the codes or create a better system. Fair play to them, I thought. This wasn't some big security company that would be expected to think about this stuff - they were just offering some drinks to football fans as part of a wider set of seasonal promotions. Seeing as the whole offer would be ending in a couple of months, we agreed I'd just keep the problem to myself and not make anything too public.
While not said explicitly, I got the strong impression that my reward/bounty for this responsible disclosure was being able to continue acquiring the occasional free pint during the promotional window. So in the end this was an entertaining quick bit of research that stemmed from being randomly handed a voucher for a free drink. Much respect to the pub chain for not freaking out over it (as so often occurs), and my mates and I look forward to stumbling upon more booze-related loopholes in the future.