Train ticket scalpers

My good friend recently told me during one of our weekly tennis games about this WhatsApp account that you could message your details to queue for a ticket for the train to Johor Bahru. This was the only way to get a ticket if the time slot you wanted was sold out. The person behind the WhatsApp account must be running a bot to constantly ping the train’s website.

[Image: carouhell scalpers]

I decided to try and figure out how the scalper did it.

I logged the network requests by going through the process of booking a ticket on the train’s website. The train’s website uses reCAPTCHA, and it should be too costly for the scalper to run their requests through captcha farms. There must be another unprotected endpoint.

[Image: ktmb website captcha]

I checked the app store and found that the train ticketing system also had an app. I downloaded it and started a proxy to intercept the app’s requests.

To my happy surprise, the app developers did not implement any certificate pinning, so the requests could be easily intercepted. There is no captcha mechanism in place either. The train’s account system also does not have any spam-prevention mechanisms in place, so scalpers may sign up easily without fear of any bans linked to their identity, e.g. passport. Jackpot.

[Image: ktmb request 1]

As far as I know, the requestSignature is the same regardless of your payload and user account.
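A signature that never changes authenticates nothing about the request it travels with. The sketch below is an added example (not the app's or the operator's code) of what the server side could check instead: an HMAC bound to the user, payload, timestamp and nonce. The per-session key issued at login, the field layout and the 60-second window are assumptions.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 60   # assumed freshness window
_seen_nonces = {}       # (user_id, nonce) -> expiry; a shared TTL store in production


def sign_request(session_key, method, path, user_id, timestamp, nonce, body):
    """HMAC over everything that must not be swapped: who, what, when."""
    fields = [method.upper(), path, user_id, str(timestamp), nonce,
              hashlib.sha256(body).hexdigest()]
    return hmac.new(session_key, "\n".join(fields).encode(), hashlib.sha256).hexdigest()


def verify_request(session_key, method, path, user_id, timestamp, nonce, body,
                   signature, now=None):
    """Server-side check. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    # Drop nonces whose timestamps can no longer pass the freshness check.
    for expired in [k for k, exp in _seen_nonces.items() if exp < now]:
        del _seen_nonces[expired]
    expected = sign_request(session_key, method, path, user_id, timestamp, nonce, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    if (user_id, nonce) in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces[(user_id, nonce)] = timestamp + MAX_SKEW_SECONDS
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values; only the endpoint path comes from the post.
    key = b"constructed-session-key-0123456789ab"
    ts = int(time.time())
    body = b'{"date": "2023-09-19"}'
    args = ("POST", "/v1/shuttle/Trip", "user-a", ts, "nonce-1", body)
    sig = sign_request(key, *args)
    print(verify_request(key, *args, sig))   # first use of this signature
    print(verify_request(key, *args, sig))   # same request replayed
    # Same signature attached to another account's request:
    print(verify_request(key, "POST", "/v1/shuttle/Trip", "user-b", ts, "nonce-2", body, sig))
```

A key shipped inside the app can be extracted, so this only helps with a key tied to an authenticated session, and it complements rather than replaces rate limiting and account-level abuse controls.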

[Image: ktmb request 2]

The endpoint /v1/shuttle/Trip returns the available seats on each section of the journey. To be as fast as the scalpers, you must preload your account with credits and have your details on hand so that the checkout process is smooth.

There are a few more requests but I won’t go into the details of them as this is not a guide. It is certainly possible to automate the entire ticketing process. Sharks smell blood and so do scalpers.

– 2023-09-19