Having now stumbled upon two different fortune-wheel marketing services (Sleeknote and Poptin) suffering from the same underlying issue on two different climbing-related sites, I recently noticed that the first site that fell onto my radar with this problem had finally replaced its coupon-code raffle service with a new one called Wheelio. Being now a self-proclaimed expert in detecting these issues, I was curious to see whether the new service had the same problem. It turned out I was right. However, this time they had put an interesting spin on it.

(Screenshot: Requests)

The Spin

As with the two previous culprits, the client embeds a script tag in their site that loads the initial JavaScript file (index.min.js) from Wheelio's server. This minified and obfuscated JavaScript file then sets up everything needed to display the fortune wheel and sends a request to Wheelio's server to fetch the settings for the wheel. These settings also include every coupon code for the corresponding site/campaign, not just the one the visitor ends up winning.

(Screenshot: Requests, getting settings)

However, unlike Sleeknote, which delivered the codes in base64-encoded form, and Poptin, which delivered them in plaintext, Wheelio delivers the settings as a salted, AES-encrypted blob.

(Screenshot: Decoded encryption)

index.min.js then checks whether the CryptoJS library is available and, if it is, extracts the salt from the base64-encoded string and decrypts the settings with AES, using the shop's domain as the passphrase. The shop's domain is, of course, public knowledge (it is the page the visitor is looking at), so the "secret key" protects nothing: anyone who can fetch the settings blob can decrypt it.

(Screenshot: Extracting the salt)

The decrypted settings are then used to display the wheel and the coupon codes.

(Screenshot: Showing global variables)

Conclusions

So again, another online marketing company has made the same mistake: every coupon code in the raffle is sent to the client, and the prize is picked on the client side. This time they have at least shown an interesting approach to obfuscating the process, though it is still a small bandage on a more fundamental design problem. Since Wheelio is a paid service that I didn't sign up for, I couldn't verify whether there was any disclaimer or discouragement against using the service to raffle off free or valuable goods or services. Either way, I see this as a problem that needs to be addressed by the developer, because during my research I saw multiple sites giving out free products. I contacted the developer multiple times letting him know about the problem, but he has not responded to any of my messages.