Just saw your post come through based on Martin Tobias’ post and he is off on several things, but in short, there is no widescale problem of users purchasing more than 1 gift card voucher.
Here are some specifics:
First, when a user first hits “buy”, we do a pre-authorization of their card but hold off on settlement until later in the day after the deal is closed. We generally do this for a variety of reasons, but a primary reason is that if a user happens to earn that day’s deal for free through our Me + 3 program, we don’t want to have to charge their card back. Instead we wait to see who has earned a free deal and then process the cards.
A by-product of doing the pre-auth first and the settlement later is that we can do server side validation (i.e. check for gamers) anytime through the day until the settlement occurs and we’ve reconciled the transaction. What does this mean? It means that today people who think they’ve “found a loophole” just haven’t been told by us yet that they’re violating the one purchase per person rule. We intentionally had that happen today because we expected people to game the system and didn’t want to get into a game of cat and mouse all day. That 50-75% of the purchases were gamed is laughable.
The “code hack” Martin refers to changes things on the client side, but not our server side. Optically it will look like someone has changed their purchase number, but we have the number already locked on the server side.
Each of those gift cards was supposed to be sold to a different person, bringing 1+ million unique customers to Amazon and 1 million new email addresses to LivingSocial’s database.
But a blog post by one of LivingSocial’s competitors, Tippr CEO Martin Tobias, highlights an alleged flaw in LivingSocial’s server code that could have let people cheat, ordering multiple gift cards, and defeating the purpose of the deal.
“Here is the latest problem. Living Social doesn’t do server side quantity validation (at least they didn’t yesterday). Who cares you say? Well Amazon.com for one. Their latest offer of a $20 gift certificate for $10 has the explicit restriction of ONE per customer and no gifts. You see, Amazon actually only wants to discount their product for new customers or existing customers only on $20 of merchandise. If Amazon knew there was a way to buy say 100 vouchers and receive $2000 of Amazon merchandise for $1000, they would probably blow a gasket. Jeff you better sit down. Because Living Social only validates restrictions on order quantity in the client, and not the server, there is a simple inspect element command in many browsers that lets you change the “1” to any number you want.”
Tobias estimates that “thousands” of people could have taken advantage of this flaw, and he says he had been notified about the loophole from several people.
If true, and if many people did exploit it, this could be an annoyance for LivingSocial. Probably no serious repercussions, though.
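The pre-authorize-now, settle-later flow described in LivingSocial's response, sketched as an added example (not LivingSocial's code): the server ignores the quantity the browser submits, and a reconciliation pass before settlement voids extra holds from the same person. The class and function names, the card fingerprint field and the rule for matching a person (same normalized email or same card) are assumptions, and the sample orders are constructed.

```python
from dataclasses import dataclass

MAX_PER_PERSON = 1  # the deal's "one per customer" restriction

@dataclass
class PreAuth:
    order_id: int
    email: str
    card_fp: str      # hypothetical card fingerprint from the payment processor
    quantity: int     # fixed by the server when the hold is placed
    status: str = "preauthorized"

def normalize_email(email):
    """Assumed identity rule: case-insensitive, '+tag' in the local part ignored."""
    local, _, domain = email.strip().lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain

class DealLedger:
    def __init__(self):
        self.orders = []

    def buy(self, email, card_fp, client_quantity):
        # client_quantity is whatever the browser sent; the form field can be
        # edited with "inspect element", so it is never used for the order.
        order = PreAuth(len(self.orders) + 1, email, card_fp, MAX_PER_PERSON)
        self.orders.append(order)
        return order

    def reconcile(self):
        """Run before settlement: settle one hold per person, void the rest."""
        seen_emails, seen_cards = set(), set()
        for o in self.orders:
            key = normalize_email(o.email)
            if o.status == "preauthorized":
                dup = key in seen_emails or o.card_fp in seen_cards
                o.status = "voided" if dup else "settled"  # voided = hold released
            if o.status == "settled":
                seen_emails.add(key)
                seen_cards.add(o.card_fp)
        return {o.order_id: (o.status, o.quantity) for o in self.orders}

def demo():
    ledger = DealLedger()
    ledger.buy("alice@example.com", "fp-111", client_quantity=100)  # edited field
    ledger.buy("Alice+2@example.com", "fp-222", client_quantity=1)  # same person
    ledger.buy("bob@example.com", "fp-111", client_quantity=1)      # same card
    ledger.buy("carol@example.com", "fp-333", client_quantity="5")
    return ledger.reconcile()
```

Because the check runs at reconciliation rather than at checkout, a duplicate buyer sees nothing unusual in the browser until the extra holds are released.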