Automating Giveaways

Joel · Dec 1, 2021
https://www.instagram.com/p/CUpnoGtL1j3

Introduction

The Swiss store called Jumbo held a giveaway with a few good prizes. In this article, I’ll go through how I automated the giveaway and won many prizes.

How I did it

First of all, I had to get an overview of what was needed and which steps had to be completed to win. Hurdles such as CAPTCHAs, a WAF (Web Application Firewall), rate limiting or proxy bans were not in place, meaning there weren’t many security measures set up. So I just had to follow the steps done in the browser, copy them, edit them and automate them.

All these steps are explained in the next chapters:

The First Step

The first step was to register a user. To register we only needed the first name, last name and email address. Below are the remaining fields and their function:

nonce: This is an abbreviation for “number only used once”; it’s probably used to generate the fingerprint.

ip_address: This field contains the IP address of the user.

user_agent: A User-Agent is used to identify the sender. To prevent flagging I used random user agents. The user agent in the request headers should match the one sent in the request body.

Using Python requests, the first step can be seen below. For each registration a random profile was used, meaning a different first name, last name, email, IP address and user agent.

Registration

After sending the request I got a response containing a fingerprint, which was most likely used to track the session.

Registration Response

The Second Step

The second step verified a user, i.e. checked whether they had already entered the giveaway. If the email address had already been used, you couldn’t enter the giveaway again.

Verification

This is the response we got after sending the verification request.

Verification Response

The Third Step

The third and final step checked whether you had won something. You can try three times in a row with the same account. The request sent looked like this.

Check

The response if you didn’t win:

Check Response

The response if you won:

Check Response

What can we learn from this response? First of all, the user never knows what they won: it can be either a boring prize such as a bag or a special prize like a battery drill. From the response we can tell the category, the id and the remaining stock of the prize. After some wins we noticed that category 1 wins are a lot more common than category 3 wins (1:100), so we can guess that the category 3 prizes are the good ones.
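As an added, defender-side illustration (not the author’s script and not Jumbo’s code), the following constructed Python sketch shows the server-side controls the article says were missing in the registration and prize-check steps: a server-issued single-use nonce, ignoring the client-supplied ip_address in favour of the observed source address, rate limiting per source address, one entry per email, a three-attempt cap per fingerprint, and a win response that does not reveal category, id or stock. Only the field names (nonce, ip_address, user_agent) come from the article; the limits, state layout and function names are assumptions.

```python
import hashlib, hmac, os, secrets, time
from collections import defaultdict

# Constructed in-memory state; a real deployment would keep this in a database or cache.
SECRET = os.urandom(32)
issued_nonces = set()                     # nonces the server handed out, single-use
registrations_per_ip = defaultdict(list)  # observed source IP -> registration timestamps
entries_by_email = {}                     # email -> fingerprint (one entry per email)
valid_fingerprints = set()
attempts = defaultdict(int)               # fingerprint -> prize checks used
MAX_REG_PER_IP, WINDOW, MAX_ATTEMPTS = 5, 3600, 3  # assumed limits

def issue_nonce():
    """Server-generated nonce the client must echo back; it is consumed on first use."""
    nonce = secrets.token_hex(16)
    issued_nonces.add(nonce)
    return nonce

def register(source_ip, headers, body, now=None):
    """Return (ok, fingerprint_or_reason). source_ip is the address the server observed;
    the client-supplied ip_address field in the body is deliberately ignored."""
    now = time.time() if now is None else now
    if body.get("nonce") not in issued_nonces:
        return False, "bad or reused nonce"
    issued_nonces.discard(body["nonce"])
    # A body user_agent that disagrees with the header is a sign of a scripted client.
    if body.get("user_agent") != headers.get("User-Agent"):
        return False, "user-agent mismatch"
    recent = [t for t in registrations_per_ip[source_ip] if now - t < WINDOW]
    if len(recent) >= MAX_REG_PER_IP:
        return False, "rate limited"
    registrations_per_ip[source_ip] = recent + [now]
    email = body.get("email", "").strip().lower()
    if not email or email in entries_by_email:
        return False, "already entered"
    fingerprint = hmac.new(SECRET, email.encode(), hashlib.sha256).hexdigest()
    entries_by_email[email] = fingerprint
    valid_fingerprints.add(fingerprint)
    return True, fingerprint

def check_prize(fingerprint, draw):
    """draw() decides the outcome; the response only says whether the entry won,
    never the prize category, id or remaining stock."""
    if fingerprint not in valid_fingerprints:
        return False, "unknown fingerprint"
    if attempts[fingerprint] >= MAX_ATTEMPTS:
        return False, "no attempts left"
    attempts[fingerprint] += 1
    return True, {"won": bool(draw())}
```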

Check prizes

While playing around with the URL https://gewinnen.jumbo.ch/ I figured out that the site was built with WordPress. From experience I knew that you can list all subpages with the following URL: https://gewinnen.jumbo.ch/?s= (an empty search lists all pages).

So what are these store pages? They are used by Jumbo staff to check wins: the employee enters the code provided by the customer and sees what they won. This page shouldn’t be hosted on the same website as the giveaway itself.

Check Win Form
Prize

It works

Over 1000 wins
