QuicKicks

Inspiration:

Our ultimate inspiration was to enable the easy and fair purchase of popular sneakers for all. Shoes such as the Adidas Yeezy Boost are extremely popular, selling out nearly instantly online and attaining resale values of up to 500% the price of retail.

What it does:

In today's world of online buying, consumers are often cheated out of products by automated scripts that purchase items faster than humanly possible. One solution to this issue was a lottery system produced by Adidas, in which users would randomly get let in to purchase by IP address. However, in recent Adidas sneaker drops, this system was being bypassed by technically-savvy users in order to accumulate many pairs for the sole purpose of resale, leaving regular fans of the shoe sneaker-less. By utilizing a vulnerability in the Adidas website, we allow our users to skip their lottery queue and maintain a time-competitive advantage.

The simple and accessible Android interface we've developed prompts users to log in, choose the shoe they want to purchase, choose their shoes size, solve a recaptcha, then submit this request to Adidas’s server. If the shoe is successfully added, our app will take the user to their shopping cart to checkout.

How we built it:

We implemented a previously discovered open-source backdoor add to cart procedure that was posted on Twitter by fellow sneaker fans. However, the backdoor in its given state was user unfriendly and difficult to set-up. Our client android application interacts with our server running on Amazon EC2 to submit Adidas account log-in info, a requested shoe and corresponding size. Our server returns full inventory counts for a given shoe, as well as adsd that shoe to a user's cart bypassing any standard waiting periods. Our server interacts with Adidas by using a library called htmlunit, facilitating fast and easy HTML requests with full JS support.

Challenges:

In order to prevent bots from purchasing sneakers, Adidas implements Google reCaptcha to reduce the spamming of server requests. However, for us to be able to add a shoe to a user’s cart, we would need to execute this Google reCaptcha and receive the data from it to send to the Adidas servers. Google reCaptcha by default restricts us from getting a captcha token while not on the Adidas domain. To workaround this, we run a local Android web server that spoofs this in order to receive the necessary captcha token.

We originally intended to have a client-focused base in which the client application runs the backdoor vulnerability. However, we could not find appropriate tools to accomplish what we needed on Android (lack of full java / java.x implementation). Thus, we had to introduce an external server to facilitate the add-to-cart process for us.

Accomplishments:

We created a threaded server implementation for the backend to prevent lag from the client’s perspective. We also allow the client to see full stock levels of a given shoe, rather than simply in stock / sold out.

What I learned:

Most of our team had to learn Android application development for the first time in addition to HTML / JavaScript for the backend server interaction code. We had never deployed code to a running server on Amazon EC2 before, so that was a new experience as well.

What's next for QuicKicks

Targeting other mobile platforms, app notifications for hot release dates, and encouraging talks about how to develop fair online consumption policies to protect consumers from automated programs.