Are the empty seats of certain matches the symptoms of an evil which is eating away at the online ticketing of the African Cup of Nations organized in Ivory Coast?
“The official site and the sales service contain computer vulnerabilities that are easy to exploit to buy tickets by setting your own price,” denounces Clément Domingo, an ethical hacker who alerted the organizer on social networks.
In just a few clicks and a “low technical level maneuver”, this specialist managed to buy a nice place for… 11 CFA francs or 0.01 euros.
Enough to get a lot for a few euros and start a resale business.
Worse, to harm the good organization of the competition organized by the African Football Confederation (CAF) by blocking places at lower cost.
“The good plan is already circulating on the darknet”
“There is clearly a potential cyberattack that is easy to carry out for someone who has the basics of cryptography protocols and the good plan is already circulating on the darknet,” warns Clément Domingo, expert on African cyberspace.
The cause is a security flaw which makes it easier to modify the site's scripts, the computer code invisible to the visitor's eyes which orchestrates the exchanges.
The CAN ticket office is very subject to cyberattacks!
You can buy any ticket of 10,000 FCFA or more for only 10 FCFA 🤯😬😬😬
As a reminder, some people have certainly purchased tickets en masse 🎟 online (almost) free for… https://t.co/ 3btDVKZV5B pic.twitter.com/qTySwdMtwv
— SAXX (@_SaxX_) January 19, 2024
An ill-intentioned person can thus choose their amount before finalizing their purchase.
“The final price of a basket is not normally sent to the payment provider by the Internet browser but is provided by a server in order to prevent someone from modifying the amount using a bug on a site” , deplores Matthieu Dierick, cybersecurity expert for the company F5.
“It’s the basics of cybersecurity”
“It’s the basis of a commercial website,” underlines this specialist who also tried to buy tickets for a few cents.
“It is surprising to find this kind of error because it is the basics of cybersecurity which has not been put in place while there are IT skills in Egypt, where CAF has its headquarters or in Ivory Coast, the organizing country” regrets Clément Domingo.
Requested this Friday afternoon by Le Parisien-Aujourd'hui en France, the African Football Confederation did not respond to our requests.
In the meantime, the ticket office's payment platform had gone offline and displayed an IT maintenance message at the end of the afternoon.
The sign of a resolution of the problem?