Hackers Cut in Line at the Burning Man Ticket Sale—And Get Caught

from BBS upload
Jim Rankin/Toronto Star/Getty Images

Burning Man has practically gone mainstream. The once-fringe desert camping festival is now cultural fodder for The Simpsons and Taco Bell commercials. Celebrities and CEOs routinely attend. So it’s no surprise that 40,000 Burning Man tickets sold out in less than an hour last Wednesday when they went on sale.

But software engineers in Silicon Valley hacked into the Burning Man ticketing system powered by Ticketfly to cut to the front of the queue. Who needs luck when you have engineering skills and you’re willing to use ’em for your advantage?

Well, apparently everyone. Burning Man officials, not ones to let cosmic karma pass them by, announced on Friday that they will find and cancel the hacked ticket orders.

“The good news (for us, not them) is that we can track them down, and we’re going to cancel their orders,” according to Megan K. Miller, Burning Man’s director of communications. “Steps are being taken to prevent this from happening again in future sales.”

While 80,000 would-be Burners all over the world waited their turn in a so-called “first come first serve” online queue to purchase tickets, 200 software-savvy engineers discovered a design flaw on the ticket page that allowed them to generate a spot ahead of everyone else in line. 1 2

During the ticket sale, more reports surfaced on social media claiming Ticketfly had somehow been susceptible to hacking. Even before tickets officially sold out, the perception that hackers were cheating the system was so prevalent that it quickly became a source of both resentment and parody among Twitter users.

On Thursday, Burning Man’s top brass released a statement after compiling technical information from Ticketfly, confirming that a backdoor had been created by hackers.

“Approximately 200 people created a technical ‘backdoor’ to the sale and made their way to the front of the line,” according to the statement. “Absolutely no tickets were sold before the sale opened, but they were able to purchase the first batch of tickets when the sale started.”

Several engineers and web developers on a Burning Man Reddit thread speculated that hackers were able to create this backdoor after discovering a few lines of JavaScript code on the ticketing website that gave preeminent access to tickets three minutes before they officially went on sale at noon on Wednesday.

“They left code in the page that allowed you to generate the waiting room URL ahead of time,” said Michael Vacirca, a software engineer at a large defense corporation. “If you knew how to form the URL based on the code segment then you could get in line before everyone else who clicked right at noon.”

Burning Man admits the error and says those hacked tickets will be put back up for grabs during the scheduled last-minute sale in August.

The Burning Man ticket distribution system has always been met with its fair share of criticism. Whether the tickets were distributed via a lottery system or a website that kept on crashing, the fact is that there have never been enough tickets to meet the demand. There will always be those Burning Man hopefuls who feel like they’ve been cheated out of their destined spot to adult Disneyland.

The way this year’s sale operated, however, didn’t help to dissipate the resentment. Those interested in purchasing tickets were placed in an online queue as each sale was processed and given a time estimate as to how long they would be kept waiting before they could purchase tickets. The time estimates kept shifting, going from an 24 minute wait, to 46 minutes, back down to 18 minutes, to then “more than an hour,” which might as well have read, “abandon all hope ye who enter here.” At one point, the line was inexplicably “paused” for several minutes, causing another nerve-wracking moment on social media.

This drastic, back-and-forth change in wait times gave those in line the illusion that somehow hackers were cutting in front of them and bumping them out of scoring tickets. Burning Man’s social media team responded by saying that the wait times fluctuated based on how long it took each buyer to complete the purchase. It surely didn’t qualm any anxiety to have used such an unpredictable factor as a counter, instead of a fixed number (“There are 39,999 people in front of you trying to buy tickets”).

This is not the first time Silicon Valley has been criticized for tampering with Burning Man’s ideals and processes. Last year’s festival garnered unflattering feedback from Burning Man die-hards after venture capitalists, executives and celebrities descended on the desert with air-conditioned camps, personal assistants and other VIP-perks. In recent years, Larry Page, Sergey Brin, Elon Musk, Jeff Bezos and Mark Zuckerberg have all scored tickets to Burning Man.

It seems like now, Silicon Valley is leveraging more than its money to get in front of the line.

1 Correction: An earlier version of this story reported that “During the ticket sale, Rob Banagale, the San Mateo-based founder of the Gliph messaging app, tweeted that he had “figured out a hack” to get to the front of the line and had the screenshot to prove it.” On Monday, Banagale got in touch with WIRED to explain his tweet was a joke. 2 Correction: A second engineer, Jonathan Hart, quoted in the earlier version of this piece later got in touch with WIRED over Twitter to say he too was joking was not talking about hacking when he tweeted that he had navigated Ticketfly’s web servers and “crawled out” with two tickets. We regret both errors.