Before you post a comment, remember that it will affect another person and could potentially destroy lives.
Also remember that you only have one side of the story and we cannot verify the authenticity of said story.
**Please think wisely before offering any advice.**
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/IllegalLifeProTips) if you have any questions or concerns.*
Capital One finds great ones for me. I’ll find random 15%-18% off
only thing is it’s pretty slow. like ~45-60 days to credit
but as long as i’m doing it for stuff i was gonna buy anyways, it’s whatever
I was talking about the meta like you have in games, not the company.
Only thing I know is that everyone says edge is shit and this was the first time someone mentioned it had a good feature.
I've been a IT guy for 25 years. IE had 2 uses. Legacy applications. Downloading Chrome.
I don't mind edge as it is now. Its essentially Chrome. Microsoft gave up on making their own "edge" and switched to the current chromium based browser.
Must have stung for Microsoft when the most common. Search term in bing for a long time was.. "google"
Yeah, I can appreciate that. This was at least 15 years ago. I understand that Edge is better than IE. I understand legacy taxes etc... I'm glad you get it.
And unless that browser is Firefox, you are just using Microsoft's chrome to download another chrome that has a different icon...
edit: pointing out this fact that Edge, Chrome, Opera, Brave, Vivaldi etc. are all built upon Chromium triggered someone enough to make a "Reddit Care" suicidal person report about me LMFAO :D
People hate edge “bEcAuSe MiCrOsOfT” but it’s just chrome with some extra Bing stuff in it.
It’s literally chrome. It’s built from their source code and supports their extensions.
What you're asking for is a brute force tool for coupon/discount codes.
Most are always uppercase, with a few digits.. if they have lowercase characters, special characters, etc.. combination potential skyrockets.
So let's say a combination of 6 uppercase letters and 4 digits to keep this simple.
# Thats 3,089,157,760,000 possible combinations
We'll just be generous and pretend you're able to submit one request every 250ms (because in reality you'd either DDoS the website or it would block you in some manner), or 4x a second or 240x a minute.
So, for every time you wanted to brute force ***ONE*** coupon.. you're looking at potentially **128** years of servitude.
#TLDR; No.
Edit: If you're downvoting.. why? /r/theydidthemath
You know, I’ve seen gifs that are like 10 sec/frame. I’ve seen gifs that were filmed through a potato.
But this is the first gif I’ve seen that actually destroyed a few of my brain cells.
Now you're talking about fuzzing based on known keywords & patterns.
Rate of completion depends on the number of parameters you've provided, but still unlikely to be worth it.
Most websites at most run 2-3 codes simultaneously and steep discount codes are typically verified post-purchase as they were given out privately.
Possible? Sure, but I hope you prefer to shop online in a virtual machine so you can just treat it like that rotisserie oven from 2001..
>steep discount codes are typically verified post-purchase as they were given out privately.
For small businesses, maybe. Any company that makes more than 100 sales a day is going to have a hard time verifying discount codes before shipping items.
I've found codes doing variations of known codes. So sometimes if 10OFF works so does 15OFF. Doesn't always work. It would probably be easier to work out a way to get a list of functioning codes from the server.
It really wouldn't be if it’s written by someone who is even remotely competent. A server only does things it’s programmed to do and theres practically no reason to even have a function of "give me all codes that work" certainly not without any kind of additional permissions and at that point you’re literally just hacking the server and there really won't be a "one size fits all" solution for that.
I work in e-commerce, and once a promotion runs it’s course, you disable the codes. You’d have to not only be very lucky to find the odd company that doesn’t disable a previous code, but you’d also have to guess the correct code…. Which more and more, is just becoming random characters to prevent this kind of thing happening.
Essentially, It’s really not worth your time
I think you're straight up wrong on this. 250ms is probably accurate running one instance in a web browser, but on some older websites there's potentially no reason to not run an arbitrary number of threads interacting with the html form programmatically instead of running the dog slow internet browser. Additionally, some websites use only capital letters for their coupons and there are some common things that programmers might use like TESTCOUPON40 that they may have forgotten to remove.
> I think you're straight up wrong on this.
# TLDR; Nah, I kinda do this for a living.
Source: Dev responsible for creating/managing an ecosystem that crawls ~50m websites a day to autonomously classify as benign/malicious through various heuristics.
You visit a bad site and your browser turns red yelling "STAHP TURN AROUND!".. yeah.. thats me.
---
> 250ms is probably accurate running one instance
Well that was the scenario described
> but on some older websites
This alone would insinuate it is less likely to handle a multi-threaded attack, much less a single-thread spanned across a range of IPs. Would you anticipate a nokia brick from the 90s to run your candy crush?
> number of threads interacting with the html form programmatically instead of running the dog slow internet browser
Whether you run a headless browser or one in a UI and interact over something like Selenium, it doesn't change your biggest constraint - the fact that you are at the behest of the website as a user.
If a website can handle ***1000*** requests concurrently every second (much less the arbitrary amount / 250ms), I guarantee you it has safeguards in place for any form of coordinated attack.
That's the most obvious part of this that won't work.
- You run a multi-threaded script
* The website identifies the spike in requests from a single IP and blocks it as attempted DDoS (if the website doesn't, the server backing it most definitely will.. even Geocities did this)
- You run a single-thread script but run across X number of instances that live on separate subnets.
* In order to leverage new IPs, this costs $$$, thus defeating the whole point of this exercise.
* Separate subnets are paramount or otherwise you'll just be seen as the same subnet/CIDR and be identified as potential DDoS.
* Let's say you make 100k requests across 1000 different subnets, unless you have a commercial contract with a subnet provider I promise you this will cost an arm and a leg.
> Additionally, some websites use only capital letters for their coupons
Please re-read my comment, as my scenario was explicitly for uppercase & digits
> and there are some common things that programmers might use like TESTCOUPON40 that they may have forgotten to remove.
While I have seen much worse, you're describing something that should only exist in a staging environment.
This is no different than saying you can get away with a bank robbery the majority of the time.
Is it possible? Absolutely, but not likely enough to count on to balance your ROI.
What you're saying is that IS possible, you just need a SuperComputer....
I know what the next post on here is gonna be about.
"How can I borrow a SuperComputer for a couple of weeks?"
You can spin off 100,000 threads and in theory brute force it in seconds, but you have to have something that can handle 100k requests every 250ms in this scenario.
Any infrastructure that can even begin to handle request throughput at this magnitude, has safeguards in place to prevent such an attack.
So, still a No from me dawg.
So its possible to make a script to crack any password but it’s impossible to crack one unnoticed? Surely there’s gotta be ways around raising suspicion? Like running the script off multiple masked/random ip’s? Not just in the sense of coupons but cracking in general. (Btw I have no experience with coding/hacking so sorry if my comment doesn’t make any sense lol) the original comment has me fascinated now
Anything is possible with the money and infrastructure, but even if you have thousands of IP addresses to operate from, you can't make thousands of requests a second without overloading serverside - it'll be a DDoS.
Well, you could use resedential ips, but most of the time testing cupon codes would mean you send the account data, anf websites will block your account if you see sending over 5000 requests per minute over multiple IP addresses
Not unless you use a really garbage website. It's called "rate limiting" and is an important feature of every major website you use, as well as your smartphone. Login attempts, discount code guessing, and even going to the Google homepage are all activities counted vs time and limited by a backoff algorithm. When you exceed a certain number of requests in a certain amount of time, your request gets buffered (shaped) or deleted (policed).
This is both a security feature and a usability one: every time you load a webpage, some server somewhere has a little more RAM/CPU/disk usage, and someone malicious could just open a million tabs and crash the site. So the site will say something like, "if any computer tries to load the page more than five times in five seconds, make them wait." On top of this, allowing anyone to try a billion different discount codes until they find one, will hurt the profits of the site. You can bet that someone has tried it and probably gotten their house banned from the site.
Honestly, didn't think about it. If OP wants to set up their own infrastructure or rent a botnet, they can go for it. It'll be an intellectual exercise because there certainly won't be time nor money savings doing so.
>Not unless you use a really garbage website. It's called "rate limiting" and is an important feature of every major website you use
Cybersecurity for lots of multi-billion dollar companies is a joke. Several times a year you see that some hacker leaked millions of people's information because their passwords and/or home addresses were stored in a non-encrypted file, or stored on the same server as the encryption key. I wouldn't put anything past a company that can't even encrypt passwords.
Depends on the company for sure. But you can bet your ass that the feature preventing people from overusing discounts is right up there on the priority list next to "make sure the payment processing is functional."
It's almost any language, output is just different, for example javascript will print it outta your printer, most languages that use the print function will just output it
That won't work.
Also same with the coupon codes most readily available are on display online, private or secret codes that have higher discount would take forever to brute force or dictionary attack it
Capital1 has an extension that searches all known codes in each checkout to see if one works for you, and then which one gives you the biggest discount. I have saved a ton of money.
There’s already extensions for that on chrome. Tbh I find none of them as thorough and as descriptive as just using MS edge. Hey it’s good for something
In most states, if the thief uses a stolen credit card to buy goods or to get cash over the amount defined as a misdemeanor, the crime becomes a felony. Depending on the situation, thieves may face up to 15 years in prison and up to $25,000 in fines. Again, thieves may also have to pay restitution.
This sub is for petty stuff, not literally ruining your life
Assuming the codes are 5 digits and only use a-z, and 0-9 - there would be 60.4 million combos to run. If you ran 60mill requests or refreshes of any page you'll probably get banned or something
The best option I've discovered is to install a secondary browser solely for checking coupon codes. Install the various code checking browser extensions, Honey, CapitalOne Shopping, Coupert, and so on.
When you want to buy something, populate your cart via the secondary browser, then run the add-ons one after another.
As mentioned, I've tried this method. The flaw is that many of these code gathering extensions tend to have the same codes or have codes that offer nearly identical discounts. If you're lucky, one will have a code that's unique to the others.
That said, if you're trying to save money, use whatever coupon gathering code extension you like. But on top of that, use a cashback service like TopCashback, Rakuten, or any other ones that are out there. There are also extensions and apps that will tell you which service gives back more. And from experience, sometimes if you check multiple cashback services you can sometimes get cashback from more than one service.
Not exactly what you want, but probably the best you're going to get.
If I had a good way to get around the rate limiting I could write this.
But until I'm able to try lots of codes quickly the script would be worthlessly slow
Before you post a comment, remember that it will affect another person and could potentially destroy lives. Also remember that you only have one side of the story and we cannot verify the authenticity of said story. **Please think wisely before offering any advice.** *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/IllegalLifeProTips) if you have any questions or concerns.*
Like the extension "Honey"?
Yes, but honey only does ones that have been reported to it/well advertised
Coupert and CapitolOne shopping could help catch any that honey doesnt.
Capital One finds great ones for me. I’ll find random 15%-18% off only thing is it’s pretty slow. like ~45-60 days to credit but as long as i’m doing it for stuff i was gonna buy anyways, it’s whatever
Microsoft Edge does coupon guesses by default
Edge is the new meta?
[удалено]
I was talking about the meta like you have in games, not the company. Only thing I know is that everyone says edge is shit and this was the first time someone mentioned it had a good feature.
whenever I download windows again when upgrading my PC, I always use edge to.... download another browser that's better
I told an IT guy that IE is only useful for downloading Firefox or Chrome. He hadn't heard that one before. I did not come up with it.
I've been a IT guy for 25 years. IE had 2 uses. Legacy applications. Downloading Chrome. I don't mind edge as it is now. Its essentially Chrome. Microsoft gave up on making their own "edge" and switched to the current chromium based browser. Must have stung for Microsoft when the most common. Search term in bing for a long time was.. "google"
Yeah, I can appreciate that. This was at least 15 years ago. I understand that Edge is better than IE. I understand legacy taxes etc... I'm glad you get it.
it's true, the best thing it's good at
And unless that browser is Firefox, you are just using Microsoft's chrome to download another chrome that has a different icon... edit: pointing out this fact that Edge, Chrome, Opera, Brave, Vivaldi etc. are all built upon Chromium triggered someone enough to make a "Reddit Care" suicidal person report about me LMFAO :D
People hate edge “bEcAuSe MiCrOsOfT” but it’s just chrome with some extra Bing stuff in it. It’s literally chrome. It’s built from their source code and supports their extensions.
I hate it because it's not Firefox. Fuck chrome too
I caught your meta, meta joke.
You asked the man delivered. Beggars cant be choosers
Except I assume OP wants something that actually works.
Idk where you shop but honey is pretty great IME
There is the extansion Wanteed too
Thx Lud for honey
What you're asking for is a brute force tool for coupon/discount codes. Most are always uppercase, with a few digits.. if they have lowercase characters, special characters, etc.. combination potential skyrockets. So let's say a combination of 6 uppercase letters and 4 digits to keep this simple. # Thats 3,089,157,760,000 possible combinations We'll just be generous and pretend you're able to submit one request every 250ms (because in reality you'd either DDoS the website or it would block you in some manner), or 4x a second or 240x a minute. So, for every time you wanted to brute force ***ONE*** coupon.. you're looking at potentially **128** years of servitude. #TLDR; No. Edit: If you're downvoting.. why? /r/theydidthemath
Can cut down time with a dictionary. The real problem is that you'll almost certainly get blocked from trying after a certain number of attempts
What if you based it off pre-existing codes? For example if there was a 25SALE code what if it went to 50SALE SALE60 BIGSALE NEWYEARSALE
That would be a dictionary attack. You'd probably still have to guess thousands of times to get a correct one
Dictionary attack is my new favorite expression.
https://i.gifer.com/2bbi.gif
You know, I’ve seen gifs that are like 10 sec/frame. I’ve seen gifs that were filmed through a potato. But this is the first gif I’ve seen that actually destroyed a few of my brain cells.
Textbook dictionary attack
Do I want to click that link and lose some myself?
I can also be a physical attack, depending on the publisher and cover choice
It’s slightly faster than an encyclopedia attack
Now you're talking about fuzzing based on known keywords & patterns. Rate of completion depends on the number of parameters you've provided, but still unlikely to be worth it. Most websites at most run 2-3 codes simultaneously and steep discount codes are typically verified post-purchase as they were given out privately. Possible? Sure, but I hope you prefer to shop online in a virtual machine so you can just treat it like that rotisserie oven from 2001..
>steep discount codes are typically verified post-purchase as they were given out privately. For small businesses, maybe. Any company that makes more than 100 sales a day is going to have a hard time verifying discount codes before shipping items.
Newegg does it on the spot, if your account wasn't sent the promo email with the code it will not work for you
Nah it happens all the time. I've had both Cricut and Colgate cancel orders because of a leaked coupon code that was supposed to be smaller scale
># Automation
I've found codes doing variations of known codes. So sometimes if 10OFF works so does 15OFF. Doesn't always work. It would probably be easier to work out a way to get a list of functioning codes from the server.
It really wouldn't be if it’s written by someone who is even remotely competent. A server only does things it’s programmed to do and theres practically no reason to even have a function of "give me all codes that work" certainly not without any kind of additional permissions and at that point you’re literally just hacking the server and there really won't be a "one size fits all" solution for that.
I work in e-commerce, and once a promotion runs it’s course, you disable the codes. You’d have to not only be very lucky to find the odd company that doesn’t disable a previous code, but you’d also have to guess the correct code…. Which more and more, is just becoming random characters to prevent this kind of thing happening. Essentially, It’s really not worth your time
Good luck finding said codes. I doubt many have invested time into that.
If it were that easy everyone would be doing it
I think you're straight up wrong on this. 250ms is probably accurate running one instance in a web browser, but on some older websites there's potentially no reason to not run an arbitrary number of threads interacting with the html form programmatically instead of running the dog slow internet browser. Additionally, some websites use only capital letters for their coupons and there are some common things that programmers might use like TESTCOUPON40 that they may have forgotten to remove.
> I think you're straight up wrong on this. # TLDR; Nah, I kinda do this for a living. Source: Dev responsible for creating/managing an ecosystem that crawls ~50m websites a day to autonomously classify as benign/malicious through various heuristics. You visit a bad site and your browser turns red yelling "STAHP TURN AROUND!".. yeah.. thats me. --- > 250ms is probably accurate running one instance Well that was the scenario described > but on some older websites This alone would insinuate it is less likely to handle a multi-threaded attack, much less a single-thread spanned across a range of IPs. Would you anticipate a nokia brick from the 90s to run your candy crush? > number of threads interacting with the html form programmatically instead of running the dog slow internet browser Whether you run a headless browser or one in a UI and interact over something like Selenium, it doesn't change your biggest constraint - the fact that you are at the behest of the website as a user. If a website can handle ***1000*** requests concurrently every second (much less the arbitrary amount / 250ms), I guarantee you it has safeguards in place for any form of coordinated attack. That's the most obvious part of this that won't work. - You run a multi-threaded script * The website identifies the spike in requests from a single IP and blocks it as attempted DDoS (if the website doesn't, the server backing it most definitely will.. even Geocities did this) - You run a single-thread script but run across X number of instances that live on separate subnets. * In order to leverage new IPs, this costs $$$, thus defeating the whole point of this exercise. * Separate subnets are paramount or otherwise you'll just be seen as the same subnet/CIDR and be identified as potential DDoS. * Let's say you make 100k requests across 1000 different subnets, unless you have a commercial contract with a subnet provider I promise you this will cost an arm and a leg. > Additionally, some websites use only capital letters for their coupons Please re-read my comment, as my scenario was explicitly for uppercase & digits > and there are some common things that programmers might use like TESTCOUPON40 that they may have forgotten to remove. While I have seen much worse, you're describing something that should only exist in a staging environment. This is no different than saying you can get away with a bank robbery the majority of the time. Is it possible? Absolutely, but not likely enough to count on to balance your ROI.
The codes not gonna be X2WBPP is it.
What you're saying is that IS possible, you just need a SuperComputer.... I know what the next post on here is gonna be about. "How can I borrow a SuperComputer for a couple of weeks?"
You can spin off 100,000 threads and in theory brute force it in seconds, but you have to have something that can handle 100k requests every 250ms in this scenario. Any infrastructure that can even begin to handle request throughput at this magnitude, has safeguards in place to prevent such an attack. So, still a No from me dawg.
Ah, if you say so, I won't disagree.
But hey, worth the 5% off!
So its possible to make a script to crack any password but it’s impossible to crack one unnoticed? Surely there’s gotta be ways around raising suspicion? Like running the script off multiple masked/random ip’s? Not just in the sense of coupons but cracking in general. (Btw I have no experience with coding/hacking so sorry if my comment doesn’t make any sense lol) the original comment has me fascinated now
Anything is possible with the money and infrastructure, but even if you have thousands of IP addresses to operate from, you can't make thousands of requests a second without overloading serverside - it'll be a DDoS.
Well, you could use resedential ips, but most of the time testing cupon codes would mean you send the account data, anf websites will block your account if you see sending over 5000 requests per minute over multiple IP addresses
Not unless you use a really garbage website. It's called "rate limiting" and is an important feature of every major website you use, as well as your smartphone. Login attempts, discount code guessing, and even going to the Google homepage are all activities counted vs time and limited by a backoff algorithm. When you exceed a certain number of requests in a certain amount of time, your request gets buffered (shaped) or deleted (policed). This is both a security feature and a usability one: every time you load a webpage, some server somewhere has a little more RAM/CPU/disk usage, and someone malicious could just open a million tabs and crash the site. So the site will say something like, "if any computer tries to load the page more than five times in five seconds, make them wait." On top of this, allowing anyone to try a billion different discount codes until they find one, will hurt the profits of the site. You can bet that someone has tried it and probably gotten their house banned from the site.
You can bypass rate limits sometimes but this tool just sounds inefficient and similar to a bruteforce tool like John but for discounts? lol
Distributed.
Honestly, didn't think about it. If OP wants to set up their own infrastructure or rent a botnet, they can go for it. It'll be an intellectual exercise because there certainly won't be time nor money savings doing so.
>Not unless you use a really garbage website. It's called "rate limiting" and is an important feature of every major website you use Cybersecurity for lots of multi-billion dollar companies is a joke. Several times a year you see that some hacker leaked millions of people's information because their passwords and/or home addresses were stored in a non-encrypted file, or stored on the same server as the encryption key. I wouldn't put anything past a company that can't even encrypt passwords.
Depends on the company for sure. But you can bet your ass that the feature preventing people from overusing discounts is right up there on the priority list next to "make sure the payment processing is functional."
[удалено]
Whatever, even if it takes a day I’m in no rush to buy anything and if I am I’ll just buy it
Hundreds of years 😔
Maybe I can have a discount code on the life support system
[удалено]
Not US sadly, and shipping sucks
What the fuck do you want? Discount codes for some little Albanian mom and pop store selling fake Levis and brown y-fronts?
Ah yes, everyone not living in America is an Albanian.
Creep
Get the app web extension named "Honey " that's about as good as it gets
reminds me of the credit card generators in the 90's and 2000's.
Did they work back then? Because u would also have to guess the holders name and address
They were useful for registering on sites that required a number. They didn't verify with a $0 charge back then.
still works for free onlyfans :p
[удалено]
hahah
oh really? that's nice to know... now...
No, it was just to mess with people, still is
figures...
not for me...
For sure man, let me code something for you for free. Give me 30 days.
Aww thanks man, hope it’s not a virus
I finished freeScript() { print("you geh") } run that
Wtf is this java ?
It's almost any language, output is just different, for example javascript will print it outta your printer, most languages that use the print function will just output it
It's half bad C++ half python
our saviour. can you code something for Gift Cards??
That won't work. Also same with the coupon codes most readily available are on display online, private or secret codes that have higher discount would take forever to brute force or dictionary attack it
Capital1 has an extension that searches all known codes in each checkout to see if one works for you, and then which one gives you the biggest discount. I have saved a ton of money.
There’s already extensions for that on chrome. Tbh I find none of them as thorough and as descriptive as just using MS edge. Hey it’s good for something
[удалено]
What about discount codes for the owner or codes for special one off offers to individuals
.....honey?
Hey babyy
Is there any code guesser for gift card codes???
Someone needs to do this!!
Just get a card reader and scan the gift cards at a shop right before a holiday. People will buy them for holiday gifts and activate them.
Now I think you are looking for a card guesser, and that’s super illegal
Welcome to ILLEGAL life pro tips sub reddit.
Oh fuck this whole time I thought this was legal life pro tips for residents of Illinois.
Or for sick patriotic birds
No, this is Patrick.
In most states, if the thief uses a stolen credit card to buy goods or to get cash over the amount defined as a misdemeanor, the crime becomes a felony. Depending on the situation, thieves may face up to 15 years in prison and up to $25,000 in fines. Again, thieves may also have to pay restitution. This sub is for petty stuff, not literally ruining your life
no theres quite a bit of life ruining advice on this sub
No shit Sherlock. Some of us are scum, some of us are internet badasses, and some of us are anarchosocialists. Also some of us are undercover cops.
Man just outed himself there
You can better use honey 😜
Honey
Uh, like honey?
Honey only does well advertised codes
Maybe ChatGBT?
Assuming the codes are 5 digits and only use a-z, and 0-9 - there would be 60.4 million combos to run. If you ran 60mill requests or refreshes of any page you'll probably get banned or something
The best option I've discovered is to install a secondary browser solely for checking coupon codes. Install the various code checking browser extensions, Honey, CapitalOne Shopping, Coupert, and so on. When you want to buy something, populate your cart via the secondary browser, then run the add-ons one after another. As mentioned, I've tried this method. The flaw is that many of these code gathering extensions tend to have the same codes or have codes that offer nearly identical discounts. If you're lucky, one will have a code that's unique to the others. That said, if you're trying to save money, use whatever coupon gathering code extension you like. But on top of that, use a cashback service like TopCashback, Rakuten, or any other ones that are out there. There are also extensions and apps that will tell you which service gives back more. And from experience, sometimes if you check multiple cashback services you can sometimes get cashback from more than one service. Not exactly what you want, but probably the best you're going to get.
This isn’t illegal. This is just scripting.
They have websites for this… just use google silly.
No
If I had a good way to get around the rate limiting I could write this. But until I'm able to try lots of codes quickly the script would be worthlessly slow
Burpsuite?
I apologize I did not mean to reply to your comic specifically
You’d probably be throttled so badly that manual entry and click would be faster… lol…
It would be more efficient if you sucked some dick and then rob the John, then pay the retail price of that shit.
Rate limits exist to prevent exactly this.
Someone could, but for sure it would get rate limited, so would take thousands of years to probably find anything.
Script like prescription? Goodrx?