{"guid":"28fc102e-a38e-51b2-a48b-530b0d0e49a9","title":"Race conditions, transactions and free parking","subtitle":null,"slug":"39c3-race-conditions-transactions-and-free-parking","link":"https://events.ccc.de/congress/2025/hub/event/detail/race-conditions-transactions-and-free-parking","description":"ORM's and/or developers don't understand databases, transactions, or concurrency.\n\nAfter the [Air France-KLM dataleak](https://media.ccc.de/v/37c3-lightningtalks-58027-air-france-klm-6-char-short-code) I kept repeating this was not a real hack, and confessed I always wanted to hack a system based on triggering race conditions because the lack of proper transactions.\nThis was way easier than expected. In this talk I will show how just adding `$ seq 0 9 | xargs -I@ -P10 ..` can break some systems, and how to write safe database transactions that prevent abuse.\n\nIn this talk I will explain what race conditions are. Many examples of how and why code will fail. How to properly create a database transaction. The result of abusing this in real life (e.g. free parking).\n\nLicensed to the public under http://creativecommons.org/licenses/by/4.0","original_language":"eng","persons":["Benjamin W. Broersma"],"tags":["2286","2025","39c3","Security","Zero","39c3-eng","39c3-deu","39c3-pol","Day 3"],"view_count":3868,"promoted":false,"date":"2025-12-29T21:05:00.000+01:00","release_date":"2025-12-30T00:00:00.000+01:00","updated_at":"2026-04-12T22:15:06.040+02:00","length":2331,"duration":2331,"thumb_url":"https://static.media.ccc.de/media/congress/2025/2286-28fc102e-a38e-51b2-a48b-530b0d0e49a9.jpg","poster_url":"https://static.media.ccc.de/media/congress/2025/2286-28fc102e-a38e-51b2-a48b-530b0d0e49a9_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/2025/2286-28fc102e-a38e-51b2-a48b-530b0d0e49a9.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/2025/2286-28fc102e-a38e-51b2-a48b-530b0d0e49a9.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/39c3-race-conditions-transactions-and-free-parking","url":"https://api.media.ccc.de/public/events/28fc102e-a38e-51b2-a48b-530b0d0e49a9","conference_title":"39C3: Power Cycles","conference_url":"https://api.media.ccc.de/public/conferences/39c3","related":[],"recordings":[{"size":280,"length":2331,"mime_type":"video/webm;codecs=av01","language":"eng-deu-pol","filename":"39c3-2286-eng-deu-pol-Race_conditions_transactions_and_free_parking_av1-hd.webm","state":"new","folder":"av1-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-30T16:38:28.962+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/av1-hd/39c3-2286-eng-deu-pol-Race_conditions_transactions_and_free_parking_av1-hd.webm","url":"https://api.media.ccc.de/public/recordings/95768","event_url":"https://api.media.ccc.de/public/events/28fc102e-a38e-51b2-a48b-530b0d0e49a9","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":347,"length":2331,"mime_type":"video/webm","language":"eng-deu-pol","filename":"39c3-2286-eng-deu-pol-Race_conditions_transactions_and_free_parking_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-30T16:48:28.494+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/webm-hd/39c3-2286-eng-deu-pol-Race_conditions_transactions_and_free_parking_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/95788","event_url":"https://api.media.ccc.de/public/events/28fc102e-a38e-51b2-a48b-530b0d0e49a9","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":163,"length":2331,"mime_type":"video/webm","language":"eng-deu-pol","filename":"39c3-2286-eng-deu-pol-Race_conditions_transactions_and_free_parking_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-12-30T16:39:32.676+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/webm-sd/39c3-2286-eng-deu-pol-Race_conditions_transactions_and_free_parking_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/95775","event_url":"https://api.media.ccc.de/public/events/28fc102e-a38e-51b2-a48b-530b0d0e49a9","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":165,"length":2331,"mime_type":"video/mp4","language":"eng-deu-pol","filename":"39c3-2286-eng-deu-pol-Race_conditions_transactions_and_free_parking_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2025-12-30T15:28:26.493+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/h264-sd/39c3-2286-eng-deu-pol-Race_conditions_transactions_and_free_parking_sd.mp4","url":"https://api.media.ccc.de/public/recordings/95692","event_url":"https://api.media.ccc.de/public/events/28fc102e-a38e-51b2-a48b-530b0d0e49a9","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":23,"length":2331,"mime_type":"audio/opus","language":"deu","filename":"39c3-2286-deu-Race_conditions_transactions_and_free_parking_opus-2.opus","state":"new","folder":"opus-translation","high_quality":false,"width":0,"height":0,"updated_at":"2025-12-30T15:26:57.164+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/opus-translation/39c3-2286-deu-Race_conditions_transactions_and_free_parking_opus-2.opus","url":"https://api.media.ccc.de/public/recordings/95683","event_url":"https://api.media.ccc.de/public/events/28fc102e-a38e-51b2-a48b-530b0d0e49a9","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":22,"length":2331,"mime_type":"audio/opus","language":"eng","filename":"39c3-2286-eng-Race_conditions_transactions_and_free_parking_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2025-12-30T15:26:53.184+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/opus/39c3-2286-eng-Race_conditions_transactions_and_free_parking_opus.opus","url":"https://api.media.ccc.de/public/recordings/95682","event_url":"https://api.media.ccc.de/public/events/28fc102e-a38e-51b2-a48b-530b0d0e49a9","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":35,"length":2331,"mime_type":"audio/mpeg","language":"deu","filename":"39c3-2286-deu-Race_conditions_transactions_and_free_parking_mp3-2.mp3","state":"new","folder":"mp3-translated","high_quality":false,"width":0,"height":0,"updated_at":"2025-12-30T15:26:49.014+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/mp3-translated/39c3-2286-deu-Race_conditions_transactions_and_free_parking_mp3-2.mp3","url":"https://api.media.ccc.de/public/recordings/95681","event_url":"https://api.media.ccc.de/public/events/28fc102e-a38e-51b2-a48b-530b0d0e49a9","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":35,"length":2331,"mime_type":"audio/mpeg","language":"eng","filename":"39c3-2286-eng-Race_conditions_transactions_and_free_parking_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2025-12-30T15:26:44.863+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/mp3/39c3-2286-eng-Race_conditions_transactions_and_free_parking_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/95680","event_url":"https://api.media.ccc.de/public/events/28fc102e-a38e-51b2-a48b-530b0d0e49a9","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":545,"length":2331,"mime_type":"video/mp4","language":"eng-deu-pol","filename":"39c3-2286-eng-deu-pol-Race_conditions_transactions_and_free_parking_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-30T15:10:00.820+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/h264-hd/39c3-2286-eng-deu-pol-Race_conditions_transactions_and_free_parking_hd.mp4","url":"https://api.media.ccc.de/public/recordings/95656","event_url":"https://api.media.ccc.de/public/events/28fc102e-a38e-51b2-a48b-530b0d0e49a9","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":405,"length":2331,"mime_type":"video/mp4","language":"pol","filename":"39c3-2286-pol-Race_conditions_transactions_and_free_parking.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-30T15:09:48.663+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/h264-hd/39c3-2286-pol-Race_conditions_transactions_and_free_parking.mp4","url":"https://api.media.ccc.de/public/recordings/95655","event_url":"https://api.media.ccc.de/public/events/28fc102e-a38e-51b2-a48b-530b0d0e49a9","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":405,"length":2331,"mime_type":"video/mp4","language":"deu","filename":"39c3-2286-deu-Race_conditions_transactions_and_free_parking.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-30T15:09:38.350+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/h264-hd/39c3-2286-deu-Race_conditions_transactions_and_free_parking.mp4","url":"https://api.media.ccc.de/public/recordings/95654","event_url":"https://api.media.ccc.de/public/events/28fc102e-a38e-51b2-a48b-530b0d0e49a9","conference_url":"https://api.media.ccc.de/public/conferences/39c3"},{"size":405,"length":2331,"mime_type":"video/mp4","language":"eng","filename":"39c3-2286-eng-Race_conditions_transactions_and_free_parking.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2025-12-30T15:09:27.922+01:00","recording_url":"https://cdn.media.ccc.de/congress/2025/h264-hd/39c3-2286-eng-Race_conditions_transactions_and_free_parking.mp4","url":"https://api.media.ccc.de/public/recordings/95653","event_url":"https://api.media.ccc.de/public/events/28fc102e-a38e-51b2-a48b-530b0d0e49a9","conference_url":"https://api.media.ccc.de/public/conferences/39c3"}]}