How are the Mailbox betacoin/tokens done?

over 7 years ago from

I'm in the process of releasing a web-based football game, and I've been impressed with Mailbox's betacoin/token concept to unlock their software. Would love to implement something similar on my platform for redeem codes and such, but as I'm not a programmer I'm not fully understanding how it can be done.

Tried googling, but no result (or I just don't know what to google for).

Any ideas?

Here's the concept in a GIF on Dribbble: https://dribbble.com/shots/1690958-Betacoin?list=users&offset=0


  • Andreas Ubbe Dall, over 7 years ago

    Explained here:


    6 points
  • Thibault MaekelberghThibault Maekelbergh, over 7 years ago

    I think it's just the hash of the file they compare to the server to see if it has already been used.

    6 points
    • Darth Bane, over 7 years ago


      1. Create the file, whatever you want
      2. Add the file's hash (MD5?) in the database
      3. If user uploads this file, check against database entries to validate

      ...like that?

      1 point
      • Thibault MaekelberghThibault Maekelbergh, over 7 years ago

        Yeah basically like that. Just calculate a hash which is I think would indeed be MD5, something like 3e4a65b85fc97335b66909043accb859.

        If the database got that listed as unredeemed they activate the beta account.

        3 points
    • Cihad TurhanCihad Turhan, over 7 years ago (edited over 7 years ago )

      Yep, most probably how they do.

      If your upload the gif file to a image hosting website which makes image optimization it will make the coin unusable.

      0 points
  • Nick WaelkensNick Waelkens, over 7 years ago (edited over 7 years ago )

    I'm not sure how it's done 100% as I don't have a coin myself (yet), but this is how I would probably do it.

    You can store whatever extra data you want in any file without the file becoming useless. For example, you could encode an entire movie into a single PNG and you would still see the static image (or nothing at all). E.g. this is how "flickr-store" works.

    Either way, I'd add a secret token in an obvious place somewhere in the image file while creating your "coin" (it would only be visibile if you'd open one in a text editor) and search for that token programmatically when dragging it in by decoding it back to text. Then you can query your database to check if the token exists and if it's not in use yet.

    Edit: or the hash. Derp.

    5 points
    • Artem TitoulenkoArtem Titoulenko, over 7 years ago (edited over 7 years ago )

      You're sort of on the right path, but image formats have well-defined specifications and just about all of them contain extensions for adding comments. GIF, JPEG, and PNG all do and that's where Mailbox decided to drop their access codes. You don't need any crazy decoding or special techniques, just find the comment section and read it.

      Good find with flickr-store! I didn't know that was a thing. Reminds me of pin-db, using Pinterest as the datastore.

      0 points
      • Nick WaelkensNick Waelkens, over 7 years ago

        Aha, comments eh? Didn't know about that, in that case it's definitely really easy, but great way to bypass the boring token system to say the least!

        0 points
  • Artem TitoulenkoArtem Titoulenko, over 7 years ago (edited over 7 years ago )

    This is pretty easy. The GIF specification allows for a "Comment Extension" which is denoted with 0x21 0xFE followed by a series of length-of-data-block, data-block sections until an 0x00. Popping open my (already used) coin we can see:

    Coin Hex

    So there's a key they generate, their app picks it out, verifies the code with the server, and then unlocks the app.

    Looking at it again, that key appears about 122 times in the file. Literally every place a comment section can be, it's there. Wild.

    2 points
  • Mario Uher, over 7 years ago

    Check it out here: http://www.velvetca che.org/2014/08/20/custom-mailbox-betacoins

    0 points
  • Cihad TurhanCihad Turhan, over 7 years ago

    Or, maybe they do embed some text into the image.

    See steganography

    0 points
  • Beau HankinsBeau Hankins, over 7 years ago

    The file name has a unique 7 digit number/key in it. The app reads the file name and associates the key with Mailbox's backend service to authenticate the app for that user.

    0 points
    • Thibault MaekelberghThibault Maekelbergh, over 7 years ago

      Hmm I think this would be less likely than a hash. The digits in the name of the gif are just ascending digits for file naming, also if this would be true you could just use your own number and try to add +1 until you get another invite, whereas a hash would be unique.

      Could be wrong though, maybe we're all just thinking too much about this. It's a cool method and illustration anyway!

      2 points
    • Jeff EscalanteJeff Escalante, over 7 years ago

      I can confirm that it's not only the filename that's checked after some testing.

      0 points