Inside the Precision Hack is a great read. It's all about how the Time Magazine World's Most Influential People poll was gamed. But the actual hack itself is somewhat less impressive when you start digging into the details.
This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2009/04/how-not-to-conduct-an-online-poll.html
It’s easy to laugh at Time for their implementation of a poll. At least it’s not happening to ME, you’re thinking. But if you’re like me, you’re left with a nagging afterthought: how would I have done it differently?
Let’s turn this into a learning experience.
I’m sure the poll votes weren’t even recorded. They like to make you think your vote does something, but Time new it was going to be barack… How you ask? Because the boss said so. Kinda like the real election.
Let me just say this, MANY sites run polls like this. From serious competitions where there is something of value as a reward to the mundane polls. And MOST of them are implemented VERY poorly.
This is hacking 095 folks. Snoop around craigslist and you will find people willing to pay someone to hack a poll (every now and then).
This seems like the preaching to the choir you don’t like in your anti-DailyWTF post. The Time site programmers probably don’t read this blog
This story definitely should go on dailywtf and failblog.org
as funny as this is, sadly this is happening everywhere.
someone should try sql injection attack on these polls and i wont be surprised if the hacker wiped out the poll database…or worse
…, but it’s difficult to understand why a high profile website would conduct an anonymous worldwide poll without even the most basic of safeguards in place. This isn’t high security; this is web 101.
I would even go as far as calling it input validation, not security. I consider this to be such a basic check that I’d consider calling this low security an insult to every person who’s ever had to deal with a buffer overflow and other forms of code injection.
It’s interesting also that they give you a range of 0–100.
Is anyone really going to sit there and think, Hmm, I think Barack Obama’s a 73 … or is he more like a 72?
I wager that the legit votes are heavily skewed to the extremes, with a hump at 50. Really, they should have just given three options: Not, Somewhat, Very.
The better question that no one has asked yet is why is a news organization even running and reporting the results of a poll that by its nature is based on self selected sample and therefore scientifically invalid – even if the code weren’t written by idiots.
Excellent post as a case study, but this text is offensive. More respect is appreciated
It’s funny how we give plenty of credit to those who break web apps, while calling those who make them clowns and idiots. Making is much harder than breaking, at least when it comes to webapps with no authentication.
We shouldn’t be encouraging these hackers… Hacking anonymous online polls is easy and thus lame.
Securing them against a determined attacker is much harder, especially if you don’t want to impact the usability for legitimate users.
Any script kiddy could have done that, and yes Time are retards if it did not occur to them to implement something like that with more than about 30 seconds worth of effort, but the real story would have been if someone had managed to add a candidate. Father Christmas? God? Ronald McDonald?
omnibus locis fit caedes
I’m sorry but as funny as this story and ones like it are. Hackers are NOT the most influential people.
In this circumstance, Hackers are relatively the most influential people.
If you can repeatedly remove the influence of others and disproportionately increase your own influence, then, in circumstances where this is possible, you can be said to be most influential.
I don’t think that the webdevelopers are dumb - I think they have to work for people who know next to nothing about the net and on top of this have to make financial ends meet. Something like Put this poll online ASAP. Here is you budget of $500. followed by What is your problem? How hard can it be? Everybody has poll on his blog so this doesn’t look like rocket science to me. Get the heck on it before I fire you.
What clowns! They should have used a strong captcha proof, like orange.
Agree with TonyS. Criticism on a blog post? Of course. But this is a bit much.
I’d say the major failing here is attempting to do this in-house when they clearly didn’t have the necessary expertise. They should have instead found an established partner whose main business is to provide these kinds of polls. A company with a proven track record. Budget problems? Give the company some visibility and they’d probably love to take on such a high profile poll.
Man, you must be scared of being dumb. It would mean the end of the world to you, right?
You won’t hear about the precision hacks, not in the news, and not on blogs and such.
The now retired admin for a post-secondary institution got his job cause he pwnd the network - and I mean everything.
It took 3 guys at his same pay grade to replace him, and they still couldn’t figure out what his scripts does.