Hacking Displate (For Fun!)

During the pandemic my weird vice/obsession became Displates (metal wall art hung up by magnets):

[Image: two rows of floating wall shelves, each holding five Displates alongside a variety of LEGO sets and other small statues/toys]
Some of my Displates (along with other tchotchkes in my office)

For me, part of the hobby was poking holes in their website. I’ve long stopped trying to give their devs heartburn, so I figured I’d document some of my hacking highlights.

Limited Edition Displates

Some context is required: there are normal Displates that are just flat prints on metal (made on demand), and then there are limited edition Displates that add textures & other features (printed in a limited quantity). I’ll call them “LEs” from here on out, and they tended to be the focus of the most obsessed.

Anything that’s limited creates a resale market. When I saw old LEs selling for 10x over MSRP, I started tracking market prices for fun. Through a combination of scraping Displate and eBay data, I’ve kept track of price fluctuations for a while.

Tracking fair market value for infrequently sold items is a fascinating problem. What happens when the value of an LE suddenly shoots up? A simple average doesn’t suffice, so I implemented a weighted average to account for timing. What if more than one LE is sold at once in a bundle? Again, that needed its own calculation. Some questions were philosophical: what happens when a low-information seller puts an LE on the market for way under what people normally pay - does it count? (My answer: yes, because I don’t want to be the arbiter of “true market value”).
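As an added illustration (not the author’s actual tracker), here is one way to do the two calculations the paragraph mentions: a recency-weighted average so a sudden price move shows up quickly, and a proportional split of a bundle sale across its LEs. The 60-day half-life and the proportional-to-estimate split are my assumptions; the sales data is constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed decay: a sale HALF_LIFE_DAYS old counts half as much as a sale today.
HALF_LIFE_DAYS = 60.0

def recency_weight(sold_at: datetime, now: datetime) -> float:
    """Exponential decay by age, so a price jump is not averaged away by stale sales."""
    age_days = max((now - sold_at).total_seconds() / 86400.0, 0.0)
    return 0.5 ** (age_days / HALF_LIFE_DAYS)

def fair_value(sales: List[Tuple[datetime, float]], now: datetime) -> float:
    """Recency-weighted average of (sold_at, price) for one LE; every sale counts, lowballs included."""
    if not sales:
        raise ValueError("no sales to average")
    weights = [recency_weight(sold_at, now) for sold_at, _ in sales]
    return sum(w * price for w, (_, price) in zip(weights, sales)) / sum(weights)

def simple_mean(sales: List[Tuple[datetime, float]]) -> float:
    """Unweighted mean, for comparison with fair_value."""
    return sum(price for _, price in sales) / len(sales)

def split_bundle(bundle_price: float, items: List[str], estimates: Dict[str, float]) -> Dict[str, float]:
    """Apportion one bundle sale across its LEs in proportion to each LE's current estimate."""
    reference = sum(estimates[item] for item in items)
    return {item: bundle_price * estimates[item] / reference for item in items}

# Constructed sample data, not real market observations: an old $100 sale and a fresh $300 sale.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
SALES_A = [(NOW - timedelta(days=180), 100.0), (NOW, 300.0)]
ESTIMATES = {"A": 300.0, "B": 100.0}
```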

Anyways, without further ado: the hacks!

“Early” Early Access

If you are a Displate Club member, you get an email each week giving you early access to the latest LE. At some point I wondered: is the early access link active before they send out the email?

Every LE has a unique ID, so I wrote a program to use their API, checking every single ID, to find the LE link early. What I discovered shocked me: LEs are always “previewed” a week early, and that’s when the link is live!

I first tested the waters by ordering an LE five minutes before it went live, curious if they’d cancel my order or not. They didn’t! And because I’d ordered first, I got the (vaguely) coveted #1 edition of the Displate. Now I had a surefire way to get all the #1s I wanted!

I soon discovered, though, that I was not the only one who had figured this out. At least one other person was also using the same trick to order #1s early (which I knew because I’d written a browser extension to show inventory). We would race against each other some weeks to find the link early; I never found out who I was racing against.

It all came crashing down when a third person figured it out and shared it publicly. Displate updated their website to only allow sales when they intended. Ultimately, I only collected four #1s this way (I don’t actually buy THAT many LEs).

Exposing Custom Images

While working with the API to find LE links early, I noticed something interesting - for certain IDs, an API call would fail for no obvious reason.

I discovered that there were three kinds of IDs: normal, limited edition, and custom Displates. With customs, you can print anything using your own uploaded images. By using my scraper, I could find the IDs of customs that users had uploaded.

This led me to a thought: can I access the uploaded customs from other people?

There’s no explicit API around getting custom data, but through experimentation I discovered that I could add other users’ custom uploads to my own shopping cart. Then, I could examine my cart to get information about the custom, including the image used and the name of the uploader. Oops!

I wrote a scraper that went through and downloaded hundreds of users’ custom images. It was approximately two-thirds horny anime stuff, one-third family photos, and nothing else. After getting my proof-of-concept up and running, I messaged Displate and told them about the privacy vulnerability. They fixed it soon thereafter.

The Vault Heist

Part of the deal with LEs is that, after 30 days, they stop selling the LE (even if there’s some stock left).

In interviews, Displate said that they put old LEs in a vault, never to be released. But I knew that wasn’t true: sometimes, people would ask for replacements for old, damaged LEs from Displate, and Displate would ship them out.

How does fulfillment work for those old, out-of-sale LEs? Probably some worker in their warehouse gets an order to fulfill, packages it up, and ships it out. I theorized that the ordering of an LE is separate from the shipping request - thus, if I could somehow order an old LE, the warehouse might still send me one.

I quickly figured out that it was possible to add old LEs to your cart (their API didn’t stop you). However, when you tried to start checking out, it wouldn’t work - it would block you from going to the checkout page if you had old LEs in your cart.

Eventually, I had a breakthrough: what if you started the checkout experience with a valid cart (e.g. a currently for-sale LE), then changed your cart before finalizing payment? Nervously, I tried this out… and it worked!

At this point, I made two key mistakes: first, I tried to buy an old LE that was truly out of stock (whoops). The other was that I was so excited, I told someone else. Apparently loose lips sink ships, and within a couple hours Displate was deluged with orders for old LEs and they put the kibosh on the whole thing.

However! Before all those mistakes came back to bite me, I put in one other order for an old LE I’d always wanted. It was actually still in stock, and sure enough, they shipped it to me! My greatest victory.

The Race for #1

Once the early links were no longer a source for #1s, I pioneered a few other methods for ordering faster than anyone else.

The first method was essentially to use my “vault heist” method to pre-rig the checkout page, then quickly swap the cart before checking out. This skipped a couple page loads, catapulting me to first.

The second method was using vouchers. It was generally known that you want a fast payment method to get #1. The fastest possible method is to use a coupon (from Displate Club) which means you don’t have to pay for the LE at all, skipping all payment processors.

In both cases, I was more interested in figuring out the method than actually collecting #1s, so I shared my knowledge with the community once I proved it out.

Lessons

What could Displate have done to put a stop to my shenanigans? Let’s count the ways:

  • Don’t use sequential IDs. If each Displate were identified by, say, a UUID, I would never have been able to enumerate the links early.
  • Avoid security through obscurity. If you truly don’t want anyone to order a Displate early, don’t let them! Don’t simply trust that they can’t find the link.
  • Add API rate limiting. Some of the hacks above required scanning much of the Displate inventory. Rate limiting (which they did eventually add) would’ve stopped me in my tracks (no normal user would’ve been looking at thousands of Displates every second).
  • Disallow cart modification mid-checkout. Frankly, I’m kind of astounded this was ever allowed. I was not interested in cheating Displate out of money so I always swapped with an equivalently-priced item, but I always wondered: what would happen if I ordered an expensive item using the initial cart of a cheap item? Nightmare scenario!
  • Make customs user-private. It probably never occurred to them that there was an issue here, but it does seem weird (in hindsight) that any uploaded custom just became a standard Displate you could order later.
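Pulling the lessons together, here is an added example (my own sketch, not Displate’s code) of what server-side checkout validation looks like when it re-checks every line at the moment payment is captured: the sale window stops both the “early” early access and the vault heist, an ownership check keeps customs private, and comparing the captured total against the quoted total catches a cart swapped mid-checkout. The `Listing` fields, the helper names and the fixture data are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from uuid import uuid4

@dataclass(frozen=True)
class Listing:
    id: str
    kind: str                               # "normal", "le" or "custom" (the three ID kinds above)
    price: int                              # cents
    sale_start: Optional[datetime] = None   # LEs: when the sale is meant to open
    sale_end: Optional[datetime] = None     # LEs: 30 days after sale_start
    owner: Optional[str] = None             # customs: the uploading user

class CheckoutError(Exception): """A line or the total failed server-side validation."""

def validate_line(item: Listing, user: str, now: datetime) -> None:
    """Rules the server enforces regardless of whether the link was ever discoverable."""
    if item.kind == "le":
        if now < item.sale_start:
            raise CheckoutError(f"{item.id}: not yet on sale")
        if now >= item.sale_end:
            raise CheckoutError(f"{item.id}: sale window closed")
    elif item.kind == "custom" and item.owner != user:
        raise CheckoutError(f"{item.id}: custom upload belongs to another user")

def finalize_checkout(cart: List[Listing], user: str, now: datetime, quoted_total: int) -> int:
    """Re-check every line at payment capture and reject a cart that drifted from its quote."""
    for item in cart:
        validate_line(item, user, now)
    total = sum(item.price for item in cart)
    if total != quoted_total:
        raise CheckoutError(f"cart changed since quote: {quoted_total} != {total}")
    return total

def attempt(cart: List[Listing], user: str, now: datetime, quoted_total: int) -> Optional[str]:
    """Return None when the order goes through, otherwise the rejection reason."""
    try:
        finalize_checkout(cart, user, now, quoted_total)
        return None
    except CheckoutError as err:
        return str(err)

# Constructed fixtures (not real Displate data); IDs are random UUIDs rather than sequential.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
CURRENT_LE = Listing(str(uuid4()), "le", 9900, NOW - timedelta(days=1), NOW + timedelta(days=29))
PREVIEW_LE = Listing(str(uuid4()), "le", 9900, NOW + timedelta(days=6), NOW + timedelta(days=36))
VAULT_LE = Listing(str(uuid4()), "le", 9900, NOW - timedelta(days=400), NOW - timedelta(days=370))
OTHERS_CUSTOM = Listing(str(uuid4()), "custom", 4900, owner="another-user")
```

Rate limiting on the catalogue endpoint is the remaining lesson and sits outside this function; it belongs in front of the API that serves listing lookups, not in checkout.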