Pepsi Bottle Exploit!

By idbuythatforadollar
in General Discussion

 Share

Recommended Posts

Experienced

idbuythatforadollar

Posted
Posted (edited)

Copied from Full Disclosure Mailing Group:

//edit: the title should read 'Pepsi' rather than coca cola, if a mod could change it for me that would be just fantastic...

again.jpg

================================================

Pepsi Bottlecap Liner Labeling Information Leak Vulnerability

Advisory Location:

http://dragos.com/pepsi.txt

Release date:

February 18, 2004

Severity:

Pink (Free Music Downloads)

Systems Affected:

Diet Pepsi - 20 FL OZ Bottle (with "1 in 3 Wins a FREE Song" label)

Pepsi - 20 FL OZ Bottle (with "1 in 3 Wins a FREE Song" label)

Sierra Mist - 20 FL OZ Bottle (with "1 in 3 Wins a FREE Song" label)

Description:

During the Super Bowl, Apple and Pepsi co-launched an Ad campain giving away

100 Million songs via Apple's iTunes Music Store. Because of a vulnerability

in the notification of the give-away, attackers can guarentee a free song in

any Pepsi purchase. Pepsi uses an industry standard known as "bottlecap liner

labeling", where the vendor includes notification of fun and prizes. This

method of notification is vulnerable to a pre-purchase notification weakness,

allowing attackers to limit their purchase to products that are known to be

"winners" in the give-away.

Technical Description:

An attacker capable of obtaining physical access to a bottle prior to purchase

may create a non-uniform probability distribution leading to predictable

outcome. By causing the bottle to be inclined at a specific declination, the

attacker may gain partial visibility into result variable thereby bypassing

the natural selection process.

This attack is not new. Prior soft drink distribution versions have been

vulnerable to this attack in the past. Known vulnerable versions have included

the Mountain Dew "Free Soda" give-aways.

Protection:

Vendors should put all Pepsi 20 OZ bottles in a vending machine, which should

mitigate this attack by not allowing physical access before the attacker

purchases the product.

ISS users can add the following TRONS rule to detect this attack:

alert bottle any any -> any any (msg:"pepsi attack"; tilt:>15;

classtype:information-leak; priority:pink;)

This rule may be used to identify downloads of known exploits:

alert tcp any 80 -> any any (msg:"Pepsi exploit download";

content:"pepsi"; nocase; content:"tilt"; nocase;

classification:exploit-download-attempt;)

Vendor Status:

The vendor has not been notified.

Exploit:

Exploits have been observed in the wild and are presumed to be in common use.

A proof-of-concept exploit is available at:

http://www.macmerc.com/news/archives/1270

Contributors:

Ereet Hagiwara

Brian Caswell

Dragos Ruiu

_______________________________________________

Full-Disclosure - We believe in it.

Charter: http://lists.netsys.com/full-disclosure-charter.html

Edited by idbuythatforadollar
Link to comment
https://www.neowin.net/forum/topic/142809-pepsi-bottle-exploit/
Share on other sites
Grand Master

QuarterSwede

Posted
Posted

Unless you are a Pepsi addict this is usless and personally pointless (I like Coca-Cola a lot more). If one wants to buy a Pepsi just to "win" a free song download why not just spend potentially, and most likely, less and just buy the song for $0.99 from iTunes?

The only way it's really worth buying a pepsi to win a song download from iTunes is if Pepsi offered the deal on 2 Liter bottles.

Veteran

isus

Posted
Posted
  Jstphish said:
Unless you are a Pepsi addict this is usless and personally pointless (I like Coca-Cola a lot more). If one wants to buy a Pepsi just to "win" a free song download why not just spend potentially, and most likely, less and just buy the song for $0.99 from iTunes?

The only way it's really worth buying a pepsi to win a song download from iTunes is if Pepsi offered the deal on 2 Liter bottles.

think about it this way...

it costs me $1 even to buy a pepsi. it costs $0.99 to buy a song. win or lose, i am still getting a soda. if i win, that's $0.99 i save. usually i would waste that $1 on mountain dew, sprite, or whatever looks appealing. so now i can buy a diet pepsi (the only ones around here with the game caps), which is healthier for me (no sugar), tastes the same as regular, and i have a chance to win a soda.

sounds like a good deal to me.

plus, buying a soda, you can use cash, so you don't have to use a credit card.

Experienced

me101 Veteran

Posted
  • Veteran
Posted

Been doing this trick for years...

But buying a $1 drink (or even considerably more at a sporting or entertainment event!) to hopefully get a 99c iTunes download music which I can only either burn onto CD or put into an iPod, nah, think i'll keep my money...

  Quote
The only way it's really worth buying a pepsi to win a song download from iTunes is if Pepsi offered the deal on 2 Liter bottles.

This would be the best, considering that I can usually buy a 2L bottle of Pepsi for like 79c, once bought a slew of 2L Pepsi for 49c... now that would have been a good deal!

If you want to put any iTunes code that you may find under a Pepsi bottle cap, why not visit Tune Recycler...

Grand Master

radioboy

Posted
Posted
  me101 said:
But buying a $1 drink (or even considerably more at a sporting or entertainment event!) to hopefully get a 99c iTunes download music which I can only either burn onto CD or put into an iPod, nah, think i'll keep my money...

Burn to CD

Rip to MP3

lather

rinse

repeat

or just go line out to line in and record away

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.