Fact checking is important:<p>Tippr.com Guy:<p><pre><code> "If Amazon knew there was a way to buy say 100 vouchers and receive $2000 of
Amazon merchandise for $1000, they would probably blow a gasket.
Jeff you better sit down. "
</code></pre>
livingsocial disclaimer: (I bought one - apparently I could have bought more. :-)<p><pre><code> "* Amazon is not a sponsor of this promotion."
</code></pre>
This is a customer acquisition/affiliate/advertising play on LivingSocial's part. Plus, they'll probably make some money on breakage [1] which is a component of all these coupon vendors. Certainly got my attention.<p>With regards to the exploit - I don't really get it - you don't get the Gift Certificate right away - I still haven't received mine, though I did get an email:<p><pre><code> "Thanks for getting in on this sweet deal from LivingSocial:
$20 Amazon Gift Card*
We'll send you an email tomorrow letting you know how you can get
your Amazon Gift Card* code"
</code></pre>
Doesn't this give LivingSocial the opportunity to validate whether I'm receiving more than one coupon at a time? If all the deals go through this server side validation, does it really matter if someone tries to play games on the client side and put in 999 coupons (and, supposedly, pays for them)? I'm presuming LivingSocial reserves the right to change that number back to "1" (and probably take their time returning your money).<p>[1] <a href="http://en.wikipedia.org/wiki/Breakage" rel="nofollow">http://en.wikipedia.org/wiki/Breakage</a>
According to Business Insider, LivingSocial's CEO has said this is not a problem: <a href="http://www.businessinsider.com/livingsocial-server-flaw-2011-1" rel="nofollow">http://www.businessinsider.com/livingsocial-server-flaw-2011...</a><p>"Tim O'Shaughnessy: Just saw your post come through based on Martin Tobias' post and he is off on several things, but in short, there is no widescale problem of users purchasing more than 1 gift card voucher.<p>Here are some specifics:
First, when a user first hits "buy", we do a pre-authorization of their card but hold off on settlement until later in the day after the deal is closed. We generally do this for a variety of reasons, but a primary reason is that if a user happens to earn that day's deal for free through our Me + 3 program, we don't want to have to charge their card back. Instead we wait to see who has earned a free deal and then process the cards.<p>A by-product of doing the pre-auth first and the settlement later is that we can do server side validation (i.e. check for gamers) anytime through the day until the settlement occurs and we've reconciled the transaction. What does this mean? It means that today people who think they've "found a loophole" just haven't been told by us yet that they're violating the one purchase per person rule. We intentionally had that happen today because we expected people to game the system and didn't want to get into a game of cat and mouse all day. That 50-75% of the purchases were gamed is laughable.<p>The "code hack" Martin refers to changes things on the client side, but not our server side. Optically it will look like someone has changed their purchase number, but we have the number already locked on the server side."
Honest question to fellow hackers and entrepreneurs:
Do we have to take every opportunity to put down your competition? Are there not enough venues to market yourself?<p>Wouldn't a simple post like this be enough?
<i>LivingSocial does not guarantee that you get what you ordered like Tippr does</i>.
I'd hardly call it "hacked". The post is oddly smug to claim that LivingSocial got gamed easily and their "design" is flawed and that their own solution is better.<p>Meh. I'll pass. Such a blog post about a competitor isn't the best way to brag about your own product.
LivingSocial has already said that they are only going to allow one GC purchase per credit card number.<p>So multiple purchases under one account, or multiple accounts are going to fail when they tabulate tomorrow.<p>Also, they are being issued as Amazon vouchers, not really GC, which allows only one voucher per Amazon account. If someone managed to get 100, they would need 100 Amazon accounts.
I know the post is by a competitor, but wouldn't telling Living Social about it first and giving them time to fix it before blogging be the "right thing" to do?
This really spooked me at first ... Just by reading the title, my first thought was that their servers got hacked maliciously and my financial data I just added today was compromised. I'm glad to see it was something more innocent :)<p>Talk about bad PR ... that'd be the worst they could get, if they got hacked on the day they're likely seeing their most signups ever!
Don't get too excited.<p>LivingSocial disabled this already (the trick doesn't work any more), and all people who tried this trick earlier today will simply get an email tomorrow saying that they are not eligible because they ordered more than 1 gift certificate.<p>There's simply too much money at stake for LivingSocial not to make sure that people only get 1 gift certificate each.
LivingSocial don't process the credit cards until after the deal is closed.<p>It wouldn't take 10 minutes to have an engineer interrogate the database to raise any orders that have a quantity greater than 1 and/or a total amount more than $10.<p>To claim that LivingSocial has been "hacked" is sensationalism. While I think it was a low blow, I can understand why a non-technical CEO would try this stunt but I'd have expected more sense from a technical person who should know how easy it would be to see this happening on LivingSocial's back end.
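The deferred-validation design Tim O'Shaughnessy describes above (pre-authorise at purchase, validate server-side, settle only after the deal closes) and the back-end query the comment above suggests (flag orders with quantity greater than 1 or a total above $10, plus duplicate accounts or cards) are sketched below in Python with sqlite3. This is an added example, not LivingSocial's code: the table schema, the tokenised card column, the account/card duplicate rules and the $10 one-per-person constants are assumptions taken from the thread's description, and the orders are constructed sample data.

```python
"""Deferred server-side validation of a one-per-person deal (constructed example).

Orders are recorded with whatever quantity the client submitted and pre-authorised;
nothing is charged until a reconciliation pass before settlement voids anything that
breaks the limit. Keeping the tampered quantity on record is what lets the operator
tell gamed orders from honest ones later.
"""
import sqlite3

DEAL_PRICE_CENTS = 1000   # assumption: $10 paid for the $20 voucher discussed in the thread
PER_BUYER_LIMIT = 1       # one voucher per person, per the deal's rule


def open_store():
    """Create an in-memory orders table (assumed schema, not LivingSocial's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders ("
        " id INTEGER PRIMARY KEY,"
        " account TEXT NOT NULL,"
        " card TEXT NOT NULL,"           # payment token, never the raw card number
        " quantity INTEGER NOT NULL,"    # exactly what the client submitted
        " amount_cents INTEGER NOT NULL,"
        " status TEXT NOT NULL)"         # preauth | settled | voided
    )
    return conn


def place_order(conn, account, card, quantity):
    """Record the submitted order and pre-authorise it; no settlement yet."""
    conn.execute(
        "INSERT INTO orders (account, card, quantity, amount_cents, status)"
        " VALUES (?, ?, ?, ?, 'preauth')",
        (account, card, quantity, quantity * DEAL_PRICE_CENTS),
    )


def find_violations(conn):
    """The query an engineer would run before settlement.

    Flags pre-authorised orders whose quantity or total exceeds the limit, and every
    order belonging to an account or card that placed more than the allowed number.
    Returns the offending order ids in ascending order.
    """
    rows = conn.execute(
        "SELECT id FROM orders WHERE status = 'preauth' AND ("
        "  quantity > ? OR amount_cents > ?"
        "  OR account IN (SELECT account FROM orders WHERE status = 'preauth'"
        "                 GROUP BY account HAVING COUNT(*) > ?)"
        "  OR card IN (SELECT card FROM orders WHERE status = 'preauth'"
        "              GROUP BY card HAVING COUNT(*) > ?)"
        ")",
        (PER_BUYER_LIMIT, PER_BUYER_LIMIT * DEAL_PRICE_CENTS,
         PER_BUYER_LIMIT, PER_BUYER_LIMIT),
    ).fetchall()
    return sorted(r[0] for r in rows)


def reconcile(conn):
    """Void violating pre-auths (those buyers get the 'not eligible' email) and
    settle the rest. Returns (settled_ids, voided_ids)."""
    voided = find_violations(conn)
    conn.executemany("UPDATE orders SET status = 'voided' WHERE id = ?",
                     [(i,) for i in voided])
    conn.execute("UPDATE orders SET status = 'settled' WHERE status = 'preauth'")
    settled = [r[0] for r in
               conn.execute("SELECT id FROM orders WHERE status = 'settled' ORDER BY id")]
    return settled, voided


def demo():
    """Constructed day's worth of orders: one honest buyer and three ways of gaming."""
    conn = open_store()
    place_order(conn, "alice", "card-A", 1)     # honest: one voucher
    place_order(conn, "bob", "card-B", 999)     # client-side quantity tampering
    place_order(conn, "carol", "card-C", 1)     # same account, two orders
    place_order(conn, "carol", "card-C", 1)
    place_order(conn, "dave", "card-D", 1)      # two accounts sharing one card
    place_order(conn, "dave2", "card-D", 1)
    return reconcile(conn)


if __name__ == "__main__":
    settled, voided = demo()
    print("settled:", settled, "voided:", voided)
```

The alternative the CEO's quote also mentions, simply locking the quantity to 1 on the server when the order is placed, would be a one-line clamp in `place_order`; the deferred pass shown here is the variant that additionally catches the multi-account and shared-card patterns discussed elsewhere in the thread, which no per-request check can see.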
Doesn't appear to work now at least. Submitting any positive number as the value for purchase_order_quantity still results in the website reporting that I'll be charged for one.
LivingSocial didn't skip server-side validation - they delayed it. Now they can identify cheaters who were suckered by false reports of a loophole. Doesn't look so dumb to me.
I think this brings up an interesting point of discussion: what should sites do now and what should they do later?<p>In this case, a quick server-side check that did the same thing as a client-side validation seems like a no-brainer, but what about bigger, more complex actions?<p>What kinds of actions are you guys deferring while actually telling the customer something else (and notifying them later if something ultimately fails)?
If you really wanted to get multiple deals, wouldn't it make more sense to just make another LivingSocial account with a different e-mail address?<p>That way if/when they invalidate all of the orders from people who ordered more than 1, you won't miss out on the deal.