Tuesday, April 28, 2009

Hacking Time's Most Influential People poll

(Creative Commons licensed image courtesy MarilynJane)

Paul Lamere wrote a great post titled "Inside the precision hack" on his MusicMachinery blog outlining the 4chan hack of Time's influence poll, including his interview with Zombocom, a 4chan /b/ denizen. The article is worth reading, as it outlines many of the common errors made in online polling applications. In the end, the most influential person is moot...

We see:
  • An easily modified and adapted submission URL
  • A total lack of authentication and validation
  • A lack of parameter control
  • A poorly protected salt once validation and authentication were included
  • A poor IP restriction protocol (each candidate could only be voted on once every 13 seconds, but there were many candidates, and it supported negative votes)
  • A possible workaround from systems using an IPv6 stack
  • No banning mechanism
All of these added up to a great opportunity for a dedicated group of people to manipulate the poll. Take a look - Lamere's writeup is great.
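
A server-side vote handler that closes several of the gaps listed above, shown as an added example; it is not code from Lamere's post or from Time's poll. The candidate names, rating scale, strike threshold and the grouping of IPv6 clients by /64 prefix are assumptions, and the 13-second window is applied per client across all candidates rather than per candidate.

```python
import hashlib
import hmac
import ipaddress
import secrets

SECRET = secrets.token_bytes(32)        # server-side only, never shipped to the client
CANDIDATES = {"alice", "bob", "carol"}  # constructed allow-list of poll entries
MIN_RATING, MAX_RATING = 1, 100         # assumed scale; negative votes are rejected
WINDOW = 13.0                           # seconds between votes, across ALL candidates
MAX_STRIKES = 3                         # tampered requests before a client is banned

def client_key(ip):
    """Rate-limit key: the /32 for IPv4, the /64 prefix for IPv6 (assumption)."""
    addr = ipaddress.ip_address(ip)
    prefix = 64 if addr.version == 6 else 32
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def issue_token(key):
    """One-time vote token bound to the client key with a server-held HMAC key."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET, f"{key}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

class VoteGuard:
    def __init__(self):
        self.last_vote, self.strikes, self.used = {}, {}, set()
        self.tally = {c: [] for c in CANDIDATES}

    def _reject(self, key, reason):
        self.strikes[key] = self.strikes.get(key, 0) + 1  # count tampering attempts
        return False, reason

    def submit(self, ip, candidate, rating, token, now):
        key = client_key(ip)
        if self.strikes.get(key, 0) >= MAX_STRIKES:
            return False, "banned"
        nonce, _, mac = token.partition(".")
        good = hmac.new(SECRET, f"{key}|{nonce}".encode(), hashlib.sha256).hexdigest()
        if token in self.used or not hmac.compare_digest(mac.encode(), good.encode()):
            return self._reject(key, "bad token")
        in_range = type(rating) is int and MIN_RATING <= rating <= MAX_RATING
        if candidate not in CANDIDATES or not in_range:
            return self._reject(key, "bad parameters")
        if now - self.last_vote.get(key, float("-inf")) < WINDOW:
            return False, "rate limited"
        self.used.add(token)
        self.last_vote[key] = now
        self.tally[candidate].append(rating)
        return True, "ok"
```
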
