Thursday, May 20, 2010

British Computer Society Pioneers vote is easily defrauded

Last night I was sitting looking at the BCS Pioneers page when I noticed that the voting for Hedy Lamarr was coming in thick and fast. As I refreshed the page I could see that many, many votes were coming in for her. I hopped over to Twitter to see if there was an organized vote happening and there was nothing obvious.

That got me wondering just how hackable the vote is. It turns out that the BCS has done almost nothing to prevent vote fraud. The only protection is a cookie set in your browser. Turn off cookies and you can vote as often as you want. Even more interesting is that it's possible to completely automate vote fraud since the BCS doesn't even insist on a POST, doesn't appear to be rate controlling IP addresses, doesn't require the cookie to get set, isn't checking the page referrer, ... In fact, the only sensitive thing is the User Agent string, which needs to make it look like a real browser is being used.

For example, it would be trivial to make you vote for Alan Turing. Here's the code to do that (I modified this very slightly so that it won't actually work). I could embed that 'image' in this page and everyone reading this would be voting for Alan Turing in the background.

<img src="

In fact, that makes the vote security for this poll a total joke. Using a simple script containing the following I bumped up Alan Turing's percentage of the vote by a few tenths of a percent as a test. If I'd left the script running I could have had him beating Hedy Lamarr within minutes.

wget --user-agent='Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;
en-US; rv: Gecko/20100315 Firefox/3.5.9' -S`cat post` -O vote -d

So, what should the BCS have done? They could have used Flash Cookies to set a much more persistent cookie, they could have forced users to register and confirm an email address to vote, or they could have asked users to fill in a CAPTCHA to vote. As it is, the current voting scheme is so open to fraud that the results are likely to be meaningless.
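To make the missing server-side controls concrete, here is an added example (not the BCS site's code) of a vote handler that enforces the checks the post lists as absent: POST only, a cookie that must be present, a CSRF token bound to that cookie, a referrer check, one vote per session, and a per-IP sliding-window rate limit. The secret, site origin, request dictionary shape and the make_req helper are all constructed for the example; registration and CAPTCHA, the stronger options above, are outside what it shows.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Hypothetical server-side secret and site origin (constructed for this example).
SECRET = secrets.token_bytes(32)
SITE = "https://pioneers.example.invalid/"

def vote_token(session_id: str) -> str:
    """Per-session CSRF token: an HMAC over the session id, so the hidden form
    field can be verified without server-side storage and cannot be forged."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

class VoteGuard:
    """Checks one vote request against the controls the post says were missing."""

    def __init__(self, max_per_window=5, window=60.0, clock=time.monotonic):
        self.max_per_window, self.window, self.clock = max_per_window, window, clock
        self.hits = defaultdict(list)   # ip -> timestamps of recent accepted votes
        self.voted = set()              # session ids that have already voted

    def check(self, req: dict) -> str:
        if req["method"] != "POST":                          # an <img src> GET is refused
            return "method"
        sid = req["cookies"].get("session")
        if not sid:                                          # cookie must be present
            return "no_cookie"
        token = req["form"].get("token", "")
        if not hmac.compare_digest(token, vote_token(sid)):  # token must match the cookie
            return "bad_token"
        # Referer is spoofable, so this only stops naive cross-site embedding.
        if not req["headers"].get("Referer", "").startswith(SITE):
            return "referrer"
        if sid in self.voted:                                # one vote per session
            return "already_voted"
        now, ip = self.clock(), req["ip"]
        recent = [t for t in self.hits[ip] if now - t < self.window]
        if len(recent) >= self.max_per_window:               # per-IP sliding window
            self.hits[ip] = recent
            return "rate_limited"
        self.hits[ip] = recent + [now]
        self.voted.add(sid)
        return "ok"

def make_req(method="POST", session="s1", token=None, ip="203.0.113.5", referer=SITE):
    """Constructed request for demonstration (not a real framework object)."""
    tok = vote_token(session) if token is None and session else (token or "")
    return {"method": method, "ip": ip, "cookies": {"session": session} if session else {},
            "form": {"token": tok}, "headers": {"Referer": referer}}
```

Every rejection is a distinct reason string, which is what you would want to log and alert on when a poll suddenly starts receiving a burst of votes.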

PS I emailed this blog post to the BCS and they replied:

Thanks very much for your email and blog post. We will be responding officially with a post on our blog shortly, but I just wanted to let you know that we have raised this issue with our site designer, and are looking at ways to change the voting system to keep it easy for people to vote and interact while preserving the vote's integrity.


MickeyC said...

They should at the very least use a captcha to prevent any sort of automated voting.

Penguat said...

Marblecake, also the game?

Rob said...

Maybe they presumed that people had too much going on in their lives to rig a poll like this. You'd hope that would be a reasonable presumption, but apparently not.

Rob said...

Perhaps they thought people would have other things going on in their lives than to disrupt a completely harmless poll for no obvious reward. You'd hope they were right, but apparently not.

AB said...

Hi there. I'm a member of the Information Pioneers team.

When we were deciding how people should interact on the Information Pioneers site, we wanted to make it as easy as possible for people to comment and vote for their favourite pioneers. We didn’t want people to have to register to leave comments or vote, so as you've said, we're using cookies to limit the number of times you can vote.

Because the goal of our campaign is to engage with the widest possible audience (the vast majority of whom should only be able to vote once because of their cookie settings), we decided to prioritise ease of interaction over the need to register or use a CAPTCHA or similar system that allows voting but makes the site more difficult to interact with. However, we are monitoring the situation and if it appears that people are running scripts and adjusting results unfairly, we will introduce changes to preserve the integrity of the vote.

Our goal with this campaign remains to show the contributions of the Information Pioneers we've chosen, get people talking about them, and inspire people to challenge convention and use information in new and exciting ways.