Web Voting Systems – Dumb and Dumber
Recently, I was watching an episode of The Colbert Report where Colbert referenced a Time magazine online poll for who is the most influential person. Intriguingly, Stephen Colbert currently placed second, behind Rain, a South Korean pop star, and with about half the number of votes. This seemed rigged – so I decided to investigate how secure this particular polling application was.
The first step was to go to the webpage and determine how the voting widget worked. I voted for Colbert and noticed that the voting widget was a Flash widget. To determine how the vote was registered, I installed a network monitoring utility called Wireshark to monitor my outgoing HTTP traffic. I ran this and then voted for Colbert from several different browsers, clearing their cookies (in case some cookie-specific message was sent), and changing the vote amount.
I determined that the voting was done with an HTTP request to a URL with 3 main parameters: the ID for the person you’re voting for, your vote amount, and a special key that depended only on the vote amount. The web service which responded to this voting URL kindly sent a message back informing you that you messed something up if you got it wrong. Based on the information I gathered, I wrote a simple script to randomly pick a rating of 80-100, and use random wait times between requests so as not to get caught in some pattern-detecting or rate-limiting filter. I was, however, keenly aware of an obvious flaw – I was unable to modify my source IP address (though this is possible in Linux). All told, I was able to get about 50-100 votes submitted per IP address before my IP was blocked.
Assuming I could vary my IP address, there’s no way that their web service could have detected that my votes weren’t coming from different users’ computers. This is a common problem: a determined “hacker” (you can barely call it hacking, because it’s so easy) can easily swing any voting application on the web which doesn’t do something clever, such as:
- Require a secure login coupled with some kind of identity validation (such as validating a phone number through an SMS)
- Generate a unique ID when sending a page out to a user. This user can’t forge their source IP address, because they have to receive the page to send the ID back. Then, check the IDs sent with votes and eliminate duplicates. This can still be overcome if the hacker has access to a large number of proxy computers, such as a bot-net.
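A server-side sketch of the second mitigation, added here as an example and not part of the original post or the poll's own code: each page view gets a one-time token bound to the requesting address, and a vote counts only when it returns a valid, unused token. The class and method names, the in-memory duplicate set, the 10-minute lifetime and the 1-100 rating range are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class VoteTokenStore:
    """Issues a one-time token with each page view; each token buys at most one vote."""

    def __init__(self, key=None, ttl=600):
        self.key = key or secrets.token_bytes(32)  # server-side secret, never sent to the client
        self.ttl = ttl                             # assumed token lifetime in seconds
        self.redeemed = set()  # used nonces (assumption: a shared store with expiry in production)
        self.votes = []        # accepted (candidate_id, rating) pairs

    def _mac(self, nonce, issued_at, client_ip):
        # The MAC covers a random nonce and the client address, not the vote amount.
        msg = f"{nonce}|{issued_at}|{client_ip}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, client_ip, now=None):
        """Called when the poll page is served; the token is embedded in that page."""
        issued_at = int(now if now is not None else time.time())
        nonce = secrets.token_hex(16)
        return f"{nonce}.{issued_at}.{self._mac(nonce, issued_at, client_ip)}"

    def redeem(self, token, client_ip, candidate_id, rating, now=None):
        """Returns (accepted, reason); the vote is recorded only when accepted is True."""
        now = int(now if now is not None else time.time())
        try:
            nonce, issued_at, mac = token.split(".")
            issued_at = int(issued_at)
        except ValueError:
            return False, "malformed"
        expected = self._mac(nonce, issued_at, client_ip)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False, "bad-signature"  # forged, or issued to a different address
        if now - issued_at > self.ttl:
            return False, "expired"
        if nonce in self.redeemed:
            return False, "duplicate"      # replay of a token that already voted
        if not 1 <= rating <= 100:         # assumed rating range
            return False, "bad-rating"
        self.redeemed.add(nonce)
        self.votes.append((candidate_id, rating))
        return True, "ok"
```

Because every vote now costs a page fetch from the voting address, the per-address rate limit applies to token issuance as well as to vote submission.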
Perhaps the online political polls that had Ron Paul in the lead in early Republican primaries despite his trailing position in ordinary polls might not just have been due to his significant online support. Rather, they may have been caused by a small number of overly determined individuals seeking to have more than their fair share of the vote.
Importantly, this also has repercussions on the way that metrics (such as in Google Analytics) are collected on the web. It’s likely that protecting the critical business intelligence that a web metrics system can provide from outlying behavior planted by hackers will become an increasing problem over time. This is particularly malicious, because unlike the harmless web polls, web companies rely on metrics systems on a daily basis to manage the way they acquire traffic, the way they improve their products, etc. The disruption, or a random or directed modification, of the metrics produced by these systems would have a significant impact on the underlying businesses.
