Haggis
December 28th, 2004, 11:16 PM
First, I'll give a little background to this. At my workplace, there were a few stacks of Folgers coffee pallets. I think nothing of this, except something caught my eye. On the cardboard tray there were the words "Free 10 minute calling card inside". I thought to myself... "This can't be this easy". I climbed on top and peeled back the plastic lid on one. There was no card inside. However, on the foil seal, I noticed a 10 digit alphanumeric code. This, I thought, will be useful. I wrote it down and checked a few other packages. Some had different codes, but a few of them had the exact same one. I write down three of them, and go home for the night.
The rules of the contest state that you can only use this code once per purchase, and only three codes per email address. The fact that I found a couple codes more than once suggests that you can use each code up to three times per email address.
I log on to the website, www.folgers.com/callhome. I see that you must enter information for it. Lame. Then I got a thought... "Dodgeit". I entered random letters for all info and faked some location information. Then, I used the account "folgers1@dodgeit.com". Submit. Easy. There were some minor hassles on the dodgeit.com end, but more on that later. Fearful I would have to enter the same info all over again, I hopefully hit the "back" button. To my surprise, all my info stayed the same.
One can submit the same code to the same email address thrice by hitting submit and back three times in a row. Once I burned the three for folgers1@dodgeit.com, I simply changed it to folgers2@dodgeit.com. You get my drift. I did this all the way to folgers10@dodgeit.com.
On the dodgeit side of things, there was a small problem. The emails were being received fine, but a formatting error would chop the last few letters off the URL. The rest of the letters were present, but not included in the hyperlink. It may be a problem with Firefox specifically; others may have better luck.
For example, I would get " http://folgers.com/cgi-bin/blitzen/card.cgi?KB4XQ9VEpF_sbytref1@qbqtrvg.p" instead of " http://folgers.com/cgi-bin/blitzen/card.cgi?KB4XQ9VEpF_sbytref1@qbqtrvg.pbz_.shtml " I simply clicked the first link into a new tab, and then typed in the "bz_.shtml" to the location bar. Alas! The code is returned. The 10 number code returned was luckily able to be copied and pasted. I went through all my email addresses with the only hassle being entering in the last part of the URL.
One thing I noticed is that their coding algorithm in the URL is quite weak. I noticed the line 'sbytref1@qbqtrvg.pbz' in the URL was suspicious. Assign the letters of the alphabet a number relative to its position (e.g. A=1, B=2...). The letters are offset by 13. 'sbytref1@qbqtrvg.pbz' becomes 'folgers1@dodgeit.com'. The underscores serve as 'stop' points to designate when the code ends and when the email address ends. With this info in hand, perhaps someone with more skills than I could go about finding a way to manipulate the code portion. One could also write a section of code that would automagically send codes and retrieve them to a list of email addresses.
With an hour and a half of work, I netted 50 codes at 10 minutes apiece. 8 hours and 20 minutes.
Here's a few codes to get you all started... " GFQBGFU7XB " " BFXLUYPBBC " " HBGC8WKMDG "
RTPB: "Anything free must be exploited"
Edit: Yes. They all work. I wouldn't be posting this if they didn't.
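Added example, not part of the original post or the site's code: a defender-side sketch showing that the ROT13 email field in the link is encoding rather than protection, next to a tamper-evident link and the server-side one-use check the post shows was missing. The key, the `|`-separated token layout, the `Redemptions` class and the code `DEMOCODE01` are assumptions made for illustration.

```python
import codecs
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients

def decode_rot13_field(field):
    # ROT13 has no key: anyone holding the link recovers (or rewrites) the address.
    return codecs.decode(field, "rot13")

def _tag(code, email):
    return hmac.new(SECRET, f"{code}|{email}".encode(), hashlib.sha256).hexdigest()

def signed_link(code, email):
    # Hardened form: the fields travel with an HMAC tag computed over them.
    return f"{code}|{email}|{_tag(code, email)}"

def verify_link(token):
    # Returns (code, email) only when the tag matches; anything else fails closed.
    parts = token.split("|")
    if len(parts) != 3:
        return None
    code, email, tag = parts
    if hmac.compare_digest(tag.encode(), _tag(code, email).encode()):
        return code, email
    return None

class Redemptions:
    """Server-side state: each code redeems once, at most three codes per address."""

    def __init__(self, per_email=3):
        self.used = set()
        self.count = {}
        self.per_email = per_email

    def redeem(self, code, email):
        key = email.strip().lower()
        if code in self.used:
            return "code already used"  # resubmitting via the back button lands here
        if self.count.get(key, 0) >= self.per_email:
            return "address limit reached"
        self.used.add(code)
        self.count[key] = self.count.get(key, 0) + 1
        return "ok"

if __name__ == "__main__":
    print(decode_rot13_field("sbytref1@qbqtrvg.pbz"))
    ledger = Redemptions()
    print(ledger.redeem("DEMOCODE01", "a@example.com"))
    print(ledger.redeem("DEMOCODE01", "b@example.com"))
```

The per-address limit is a weak control on its own because disposable mailboxes are free; the one-use check on the code is what bounds the giveaway.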