ShopDisney's Problems in a Lockdown world

Aug 11, 2020

Note: the issues outlined below are resolved, this was originally posted 2020-06-09 on another site.

ShopDisney is suffering from a bot problem. With the parks and stores shut, Disney now sell limited edition items through the ShopDisney website, in the past, the stock has been equally split between the stores and online to avoid a single location being the only marketplace for the items. Since lockdown has begun, the technical collectors have worked out the best way to game the ShopDisney website to access limited edition items before everyone else.

Today, I aim to make this information a little more public to allow Disney to consider fixing it.

So we have the following facts of how ShopDisney works:

Each item has a Product Code. This product code is used everywhere on the ShopDisney website: pages, image references, XHR calls, and so on.
Visiting shopdisney.co.uk/<product id> redirects you to the correct page for the product, even when not actively for sale.
The CDN for the ShopDisney website is hosted by Adobe Scene7.
Scene7 has no rate limiting or banning of frequent requests.
Images are available on the CDN even when the product is unavailable to purchase.

Interested parties could for example:

Take a Product ID of the same type of item you’re interested in, say a pair of limited edition Ears.
Iterate the ID and hit the CDN until you get a 2xx response.
Hit https://shopdisney.co.uk/<id> and get redirected to the correct URL for the product.
Log the URL and image.

After a few hours, it is possible to discover a slew of items that will be available shortly on ShopDisney. Others have reported that the XHR-based shopping basket system trusts the client when adding items to the basket. You won’t be able to checkout the basket items, but with popular items, the few seconds you’ll save by having the items in your basket already will give you a significant advantage.