pepsi hacked!

Pepsi Bottlecap Liner Labeling Information Leak Vulnerability

Advisory Location: http://dragos.com/pepsi.txt

Release date: February 18, 2004

Severity: Pink (Free Music Downloads)

Systems Affected:

Diet Pepsi - 20 FL OZ Bottle (with "1 in 3 Wins a FREE Song" label)
Pepsi - 20 FL OZ Bottle (with "1 in 3 Wins a FREE Song" label)
Sierra Mist - 20 FL OZ Bottle (with "1 in 3 Wins a FREE Song" label)

Description:

During the Super Bowl, Apple and Pepsi co-launched an Ad campaign giving away
100 Million songs via Apple's iTunes Music Store. Because of a vulnerability
in the notification of the give-away, attackers can guarantee a free song in
any Pepsi purchase. Pepsi uses an industry standard known as "bottlecap liner
labeling", where the vendor includes notification of fun and prizes. This
method of notification is vulnerable to a pre-purchase notification weakness,
allowing attackers to limit their purchase to products that are known to be
"winners" in the give-away.

Technical Description:

An attacker capable of obtaining physical access to a bottle prior to purchase
may create a non-uniform probability distribution leading to predictable
outcome. By causing the bottle to be inclined at a specific declination, the
attacker may gain partial visibility into result variable thereby bypassing
the natural selection process.

This attack is not new. Prior soft drink distribution versions have been
vulnerable to this attack in the past. Known vulnerable versions have included
the Mountain Dew "Free Soda" give-aways.

Protection:

Vendors should put all Pepsi 20 OZ bottles in a vending machine, which should
mitigate this attack by not allowing physical access before the attacker
purchases the product.

IDS users can add the following TRONS rule to detect this attack:

alert bottle any any -> any any (msg:"pepsi attack"; tilt:>15;
classtype:information-leak; priority:pink;)

This rule may be used to identify downloads of known exploits:

alert tcp any 80 -> any any (msg:"Pepsi exploit download";
content:"pepsi"; nocase; content:"tilt"; nocase;
classification:exploit-download-attempt;)

Vendor Status:

The vendor has not been notified.

Exploit:

Exploits have been observed in the wild and are presumed to be in common use.
A proof-of-concept exploit is available at:
http://www.macmerc.com/news/archives/1270

Contributors:

Ereet Hagiwara
Brian Caswell
Dragos Ruiu

que bonito... pero para eso esta el kazaa xDDDDDD

Cita de: vicecity en 21 Febrero 2004, 19:30

que bonito... pero para eso esta el kazaa xDDDDDD

ein?

el kazaa inclina las botellas de pepsi? XDDD

salu2

PIV 2533 @ 2720Mhz | 512MB DRR333 @ 358 | 160 Gb + 40 Gb Seagate Barracuda

En la Edad Media la Iglesia robaba con los diezmos. En el siglo XXI la SGAE roba con sus cánones.

a ver, abres una pepsi y si te sale que ganaste una cancion bla bla bla la puedes descargar con el itunes o no recuerdo con que.
Pero... porque gastar en una pepsi si puedo descargar esa cancion 1000 veces del kazaa o del emule ? xDDDDDDDDDDDDDDDDDDDDDDDD

Es una forma de bajar una cancion "gratis" y legal.

Pepsi hizo esto porque en estados unidos, el pais "de la libertad" detubieron a varios chavales acusados de pirateria. Esta gente se enfrenta a acusaciones realizadas por las asociaciones de discograficas y demas. Pepsi penso en un modo de sacar provecho, y realizo esta campaña. En anuncios por television donde salen los acusados explicando su caso, dicen que para que no les pasen lo que a ellos compren pepsi, ya que les puede tocar alguna cancion gratis para descargar...

Pepsi es otra empresa que se aprovecha de esto.

Lo que se explica en este texto es que puedes obtener una botella de pepsi que siempre este premiada... lo que aqui dicen "pepsi hackeada"... En el enlace que nos dice el texto encontraremos el "exploit" xDD Aunque no es nada nuevo: http://www.macmerc.com/news/archives/1270

De momento en España no detienen a nadie por bajarse musica de internet, pero habra que tener cuidado porque cada vez nos parecemos mas en los aspectos negativos a los yankies...

Saludos

hard-h2o modding Foros de ayuda Yashira.org Videojuegos indetectables.net

Noticias Informatica Seguridad Informática ADSL Foros en español eNYe Sec

Todas las webs afiliadas están libres de publicidad engañosa.