Where the spirit does not
work with the hand,
there is no art.

- Leonardo da Vinci

1 0 0 1 0 9


Electronic Arts really has it nailed. Somehow they've managed to con millions of us into the weekly ritual of playing solitaire games that we might not necessarily even like for completely worthless reward badges. All it costs them is the bandwidth and the database hardware to track who has won what. And we actually pay them for this privilege.

Many of us have discovered the folder on the Pogo server where these badge images are stored and the naming scheme (which is obscenely obvious), so we know what the upcoming badges for following weeks are going to look like (as well as the ones we haven't won or seen other people win). I put together a little JavaScript that pulls these down and puts them in the right categories.

. badges.html

Apparently, Electronic Arts doesn't care that this is happening, because they haven't bothered to put a stop to it. They could do this very easily by checking the Referer header on image requests (though the more determined among us could forge that), or slightly less easily by changing the badge naming scheme so it's not quite so guessable.
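An added example, not part of the original post or of Pogo's code: one way to make the naming scheme unguessable is to derive each public file name from the internal badge ID with a keyed hash, and to answer requests for unreleased badges with the same 404 as wrong guesses. The badge IDs, key, dates and function names are assumptions made for illustration, and the release-date gate goes a step beyond the renaming suggested above.

```javascript
// Added example (Node.js): opaque, non-enumerable names for badge images.
// Badge IDs, key, dates and file layout are hypothetical.
const crypto = require('crypto');

// Server-side secret; in practice loaded from a secret store and never
// sent to clients. This value is constructed for the demo.
const NAME_KEY = Buffer.from('constructed-demo-key-not-for-production');

// Public file name = HMAC-SHA256(key, badge ID), truncated to 128 bits.
// Knowing the names of badges 1..n does not help compute the name of
// badge n+1 without the key.
function badgeFileName(badgeId, key = NAME_KEY) {
  const mac = crypto.createHmac('sha256', key)
    .update(`badge:${badgeId}`)
    .digest('hex');
  return mac.slice(0, 32) + '.gif';
}

// Lookup table used by the image server: opaque name -> badge record.
function buildIndex(badges, key = NAME_KEY) {
  const index = new Map();
  for (const b of badges) index.set(badgeFileName(b.id, key), b);
  return index;
}

// Resolve a request. Unknown names and unreleased badges get the same
// 404, so a client cannot tell a wrong guess from a future badge.
function resolve(index, fileName, now = new Date()) {
  const badge = index.get(fileName);
  if (!badge || new Date(badge.releaseDate) > now) return { status: 404 };
  return { status: 200, badge };
}

// Constructed sample data.
const BADGES = [
  { id: 101, title: 'Week 1', releaseDate: '2009-10-01' },
  { id: 102, title: 'Week 2', releaseDate: '2009-10-08' },
];
```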

I was originally going to make each badge link open the correct page on the Pogo server and do some logic to determine which of them the particular user clicking the link had already won, but there are several parameters in these page requests that actually change from player to player (which doesn't make a lot of programmatic sense).

In addition, the lkey parameter is necessary to establish user identity. Originally, my script had this parameter hard-coded (since I was just running it locally, this didn't really matter). If I were to prompt the user for this parameter, it still would be running on the user's local machine, since it's just JavaScript, but I don't think it's a good idea to promote the idea of users blindly giving away information from browser sessions because that's the kind of insecure behavior that makes phishing scams so successful.

However, shame on the Electronic Arts programmers for putting this in a URL parameter in the first place.
