- This topic has 3 replies, 2 voices, and was last updated 8 years, 8 months ago by
.
-
Posts
-
Hopefully I’m wrong, but if I put a ticket’s QR code into a QR reader, I get the readout:
https://[mysite.com]?event_qr_code=1&ticket_id=ANYTHING&event_id=12345I can put anything into ticket_id and if I’m logged in and the event_id is correct, the response is always “The ticket with ID [ANYTHING] was checked in.” Does this mean the software isn’t checking the ticket number?
As ticket IDs are sequential, this is quite easy to hack as you would appreciate. Is there a way to get it to check against the Security Code AND event_id instead?
Thanks again,
Adam
Hello Adam!
Thanks for getting in touch with us!
I can put anything into ticket_id and if I’m logged in and the event_id is correct, the response is always “The ticket with ID [ANYTHING] was checked in.” Does this mean the software isn’t checking the ticket number?
The ticket_ID part of the URL refers to a specific ticket that has a unique ticket number, so it is checking agains a specific ticket. This is the way the system has to check in a specific ticket and not any random.
Bear in mind this process of checking in attendees only happens if the user is logged in and has the right admin capabilities. Not any logged in user can check-in attendess if that’s what you mean by “easy to hack”.
Does it make sense to you? Please let me know if you have other questions and I’d be happy to help.
Best,
VictorHey there! This thread has been pretty quiet for the last three weeks, so we’re going to go ahead and close it to avoid confusion with other topics. If you’re still looking for help with this, please do open a new thread, reference this one and we’d be more than happy to continue the conversation over there.
Thanks so much!
The Events Calendar Support Team
- The topic ‘QR codes can be hacked to check in any ticket number’ is closed to new replies.