So anyway, these CultureMap guys wrote a post about how they caught a cheater... The funny thing is I had already asked my boss if we wanted to cheat at this... and I was going to cheat the right way (so it all looks natural and you don't get caught). As I dug into reverse engineering their system it turns out they used a simple GET request for voting, which brings up some interesting issues. First, if a simple GET request is all you need, then you can make a webpage that makes people auto-vote by dropping the vote URL into the src of an image element (when the browser tries to load the image it auto-votes). You also run the risk of GoogleBot crawling and voting... this was a big problem in the early days, where the "delete" link in some admin dashboard somehow got publicly crawled and everything got deleted as Google followed each delete link.

Same thing happened to their system... you can see in this Google query all the "Thanks for voting" messages Google saw and indexed. That means Google got its say in who won the contest :) Another issue with this voting thank-you page is that anything you put into the URL is written directly to the page. We call that an XSS, or Cross Site Scripting, attack... that lets me craft URLs to do all kinds of fun stuff, like make you link to me or steal the login cookies to your admin section. Here's just one example of what you can do injecting stuff into a page
One way you can try to cut down on cheating is to block votes from the same IP, but then everyone in an office only gets one vote (because they all use the same IP). This is what another contest I decided to play a little dirty in did. So how did I get around the IP-based block? Proxies, proxies, proxies! After geocoding I'm able to choose which proxies to use and send requests in a random way so it all looks like normal traffic. You can see my blog in the site entries list: I was down by hundreds and caught up in just a few hours... probably raised some flags for the people running the contest :)
So what are the takeaways?
If you're running the contest
- Use a form POST to make the vote; it will be harder to trigger and Google won't be voting in your contest
- Geocode requests to make sure they are from the right region; this will help you detect somebody using proxies that are all in China
- Have some type of IP-based reporting so you can try to catch big, blatant offenders
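To show what the first and third takeaways look like in a handler, here is an added example (not code from the original post or from the contest site): a vote endpoint that refuses GET, requires a per-session CSRF token on the POST, HTML-escapes the entry name on the thank-you page so nothing from the request is written raw into it, and keeps a per-IP vote count that flags rather than blocks, since an office behind one address is legitimate. The secret key, the alert threshold and the entry names are constructed for the example.

```python
import hmac
import html
from http import HTTPStatus
from typing import Dict, Tuple

SECRET_KEY = b"constructed-example-secret"  # assumption: loaded from config in a real deployment
VOTES_PER_IP_ALERT = 50  # constructed threshold: report, don't block, because offices share an IP


def issue_csrf_token(session_id: str) -> str:
    """Per-session CSRF token: an HMAC of the session id, embedded in the vote form."""
    return hmac.new(SECRET_KEY, session_id.encode(), "sha256").hexdigest()


def thank_you_page(entry: str) -> str:
    """Render the thank-you page with the entry name escaped, so a crafted
    value can't inject markup or script into the page (the XSS described above)."""
    return f"<p>Thanks for voting for {html.escape(entry, quote=True)}!</p>"


def record_ip(ip: str, by_ip: Dict[str, int]) -> bool:
    """Count votes per source IP; return True the moment an IP hits the alert threshold."""
    by_ip[ip] = by_ip.get(ip, 0) + 1
    return by_ip[ip] == VOTES_PER_IP_ALERT


def handle_vote(method: str, form: Dict[str, str], session_id: str, ip: str,
                votes: Dict[str, int], by_ip: Dict[str, int]) -> Tuple[int, str]:
    """Vote handler returning (HTTP status, response body).

    GET never records a vote, so an <img src="..."> or a crawler following an
    indexed link can't vote. POST must carry the session's CSRF token, so a
    third-party page can't forge the request in the visitor's browser."""
    if method != "POST":
        return HTTPStatus.METHOD_NOT_ALLOWED, "Vote with the form (POST), not a link."
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return HTTPStatus.FORBIDDEN, "Missing or invalid CSRF token."
    entry = form.get("entry", "")
    if entry not in votes:
        return HTTPStatus.BAD_REQUEST, "Unknown entry."
    votes[entry] += 1
    if record_ip(ip, by_ip):
        print(f"ALERT: {ip} has cast {VOTES_PER_IP_ALERT} votes; review manually")
    return HTTPStatus.OK, thank_you_page(entry)
```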
If you're "hacking" (or cheating) at a contest
- Sniff the HTTP traffic so you know how to spoof the request identically to the original
- Geocode the proxies you use and make sure they are coming from a country that's allowed to participate
- If they use a GET request to vote, laugh about it and post the auto-vote URL everywhere (posting to Twitter will get about 20 random crawlers to hit the link and vote as soon as the tweet is made)
