The Irony of OctoFence: Rome’s Colosseum Tickets and a Digital Mafia

glizzykingdreko
3 min read · Oct 10, 2023

In recent times, a rather bizarre episode unfolded in Rome: tickets to the Colosseum, a prized historical monument, became unobtainable through its official website. Investigations by journalists and a revealing report by the well-known Italian TV show “Le Iene” uncovered a mafia-led bot operation. The episode is worth watching, and the GitHub repo about it is worth reading once you have finished this article.

This operation systematically bought up all the tickets at €18 apiece from the official site, only to resell them near the Colosseum for a tidy €50 to €75 each. The resulting outcry led the Rome administration, amid allegations of mafia involvement, to deploy OctoFence for bot protection.

OctoFence, a product of Blockdis, promises high-security services to Italy’s public administrations, with the ambitious goal of covering 50% of them by year-end. On paper that sounds like a robust response to this kind of abuse. A closer look, however, reveals something bordering on farce: the venture looks opportunistic, perhaps aimed at siphoning money from the hefty public tenders, known as ‘bandi,’ that cities like Rome receive through EU or national investment.

Screenshot: even with the most trivial header tricks you can manipulate or inject data into their websites.

Both the OctoFence and Blockdis websites are built on free templates, yet talk big about their antibot capabilities, a claim undercut by their own use of reCAPTCHA v3 on those very sites. The irony deepens: open ports, basic path traversal and header manipulation grant unrestricted access, bypassing the “antibot” protection entirely.

Screenshot: their landing page; yes, there is nothing on the first page.

Now let’s look at the OctoFence “security” deployed on ecm.coopculture.it, the official Colosseum ticketing site. A laughably simple piece of JavaScript checks whether specific captcha-solving browser extensions are installed, a check that is trivially defeated by changing the extension ID. What’s more, neither the page nor the site uses captchas at all, so there is nothing for those extensions to solve in the first place.

No way I really saw that

The rest of the code, obfuscated with JSFuck, performs elementary checks such as inspecting the user-agent string. JSFuck is an encoding, not encryption: it rewrites JavaScript using only the characters []()!+, and any JS engine evaluates it straight back to the original, so it hides nothing from anyone willing to run it in a sandbox. The real “antibot” part, supposedly the fortress against bot invasions, merely requires the client to locate and evaluate four variables and set a few cookies; with that, the antibot is “solved.”

Screenshot: no need even to wait 2 seconds before sending the request.

This look at the so-called antibot system reveals a story of incompetence or, worse, a possible scam designed to drain millions from public funds. This façade of security, together with the many vulnerabilities across the digital assets of Rome, Blockdis and OctoFence, paints a worrying picture of Italy’s struggle against digital crime.

OctoFence’s hapless attempts at bot prevention point to a deeper malaise: technical inadequacy and perhaps a shade of corruption that lets such farcical measures see the light of day. This episode is a stark reminder of the urgent need for genuine, robust cybersecurity in public systems, so that the rich historical and cultural heritage of cities like Rome remains accessible to all, unmarred by the shadow of digital mafias.

Check out the GitHub repository for a deeper dive into the code and the gaping holes in OctoFence’s “security” measures.

glizzykingdreko: Boundary-pusher, Code artisan. Per aspera ad astra. https://github.com/glizzykingdreko