Preface

Barely a month had passed since I first discovered the Sleeknote spin-to-win wheel of fortune bug when I stumbled on another fortune wheel under circumstances similar to last time. Another climbing YouTuber and professional climber, Stefano Ghisolfi, did a sponsored segment at the end of his video in which he invited viewers to go to Lattice Training’s site for a chance to win an ‘Ultimate Training Bundle’.

Video announcement

Naturally I was again curious about the prize, and as soon as I saw that the draw used a fortune wheel my interest was piqued even more.

Fortune wheel

The dig

Being already familiar with how the Sleeknote pop-up worked, I had a hunch that this one would be similar. I opened the developer tools, located the DOM element where the discount code would be placed and set a breakpoint there. I also kept the network tab open to see what would be sent to the remote server as I spun the wheel.

It was clear that this pop-up wasn’t made by Sleeknote but by another digital marketing and pop-up service provider named Poptin. As this was a different company, I had hoped that they would surely have designed their fortune wheel the correct and secure way: sending your details to the remote server first and only then returning the discount code. However, I was again disappointed.

Network traffic

As with the Sleeknote spin-to-win implementation, no requests are sent when you spin the wheel, and when you click to submit your details, the discount code is already present in the request that goes out. (Those three requests are the only ones sent after entering your details and clicking submit.)

Searching the DOM for the discount code also gives two results: the one where I initially put the breakpoint, and another where it sits next to all the other discount codes.


Refreshing the site after clearing cookies and searching again for the code we got before, we find that they are all still there. What’s egregious is that even though Sleeknote’s spin-to-win was as broken as this one, they at least included the discount codes in base64-encoded form. The Poptin solution doesn’t even do that and ships them all in plaintext.

{
    "prizes": {
        "000003": {
            "weight": "0",
            "label": "FREE training bundle",
            "code": "BUNDLEGRANDPRIZE",
            "loosing_option": false,
            "redirect_to": false,
            "redirect_to_options": {},
            "chances": 0
        },
        "1697452167601": {
            "weight": "26",
            "label": "100% off a consultation, with a Performance Coaching Plan",
            "code": "LATTICECOACH100",
            "loosing_option": false,
            "redirect_to": false,
            "redirect_to_options": {},
            "chances": 2.03
        },
        "1697452178696": {
            "weight": "23",
            "label": "50% off your first month of training,  with a Performance Coaching Plan",
            "code": "50PERFORMANCE",
            "loosing_option": false,
            "redirect_to": false,
            "redirect_to_options": {},
            "chances": 1.8
        },
        "1697622441774": {
            "weight": "26",
            "label": "20% off products",
            "code": "20TRAININGSHOP",
            "loosing_option": false,
            "redirect_to": false,
            "redirect_to_options": {},
            "chances": 2.03
        },
        "1697622510255": {
            "weight": "200",
            "label": "15% off products",
            "code": "15TRAININGSHOP",
            "loosing_option": false,
            "redirect_to": false,
            "redirect_to_options": {},
            "chances": 15.68
        },
        "1697622522131": {
            "weight": "1000",
            "label": "50% off a remote assessment",
            "code": "50REMOTEASSESSMENT ",
            "loosing_option": false,
            "redirect_to": false,
            "redirect_to_options": {
                "redirect_to_url": "https://latticetraining.com/product/my-fingers/"
            },
            "chances": 78.46
        }
    }
}

Somewhat devious is also that the promised ‘chance to win the “Ultimate Training Bundle”’ is actually impossible according to this configuration: its weight is 0 and its chances are 0.

Triage

I contacted the folks at Poptin about this issue, but after numerous attempts to reach them, they have not got back to me on it.