
We found an exploit in InsideRIA's polling software - and we were not the only ones

By Israel Derdik on September 03, 2009 | 15 comments

As most of you are aware, we are "competing" in the semi-finals at InsideRIA for a discussion at Adobe Max. When I say compete, you might conjure up images of banner ads on web sites, Twitter posts and Facebook messages. Nearly all of the contestants have done things like that (just look at their respective web sites) and it seems fair. In fact, part of the purpose of the competition is to drum up interest in InsideRIA and the above tactics are well within the spirit of that goal.

However, we noticed some irregularities within the process. Certain sites, some of which were hundreds of votes behind, jumped 500 votes overnight and then stagnated for a while, only to surge again when the sites would again lag behind.

Armed with the realization that something didn't smell right, we decided to investigate to see if the system could be gamed.

We came across the X-Forwarded-For HTTP header, which is primarily used with proxied requests to indicate the true IP address of the client. Or, as we discovered, it can be used to trick the poll into thinking that the request came from any IP address specified in this header. All a scripter would have to do is send a POST to http://www.oreillynet.com/pub/pq/237 (the poll results page) with a body of qid=237&aid=[poll choice value here] (in our case it was 1289) and add the header "X-Forwarded-For: [Random IP address here]". Send the POST 500 times with 500 random IP addresses and voilà! You have 500 votes for your company!

We are not going to use this exploit ourselves (and would have only shared this with InsideRIA had we not noticed it already being used by others). We do wish to point out that participating in a competition that has an obvious exploit that can be used by competitors makes us rather uncomfortable. I hope InsideRIA will fix this exploit and start the competition (which ends this coming Sunday night) over from scratch.
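To make the defect concrete from the server's side, here is an added example (not InsideRIA's code, which we never saw) contrasting a vote counter that trusts X-Forwarded-For from anyone with one that honours it only when the TCP peer is a known reverse proxy. The sample requests and the proxy address 10.0.0.5 are constructed for the demonstration.

```python
from ipaddress import ip_address

# Constructed sample: three POSTs that all arrive from the same socket peer
# but each carry a different forged X-Forwarded-For value.
SAMPLE_REQUESTS = [
    {"remote_addr": "203.0.113.7", "headers": {"X-Forwarded-For": "198.51.100.1"}},
    {"remote_addr": "203.0.113.7", "headers": {"X-Forwarded-For": "198.51.100.2"}},
    {"remote_addr": "203.0.113.7", "headers": {"X-Forwarded-For": "198.51.100.3"}},
]

# Hypothetical reverse proxy sitting in front of the poll application.
TRUSTED_PROXIES = {"10.0.0.5"}


def naive_client_ip(remote_addr, headers):
    """Vulnerable: believes X-Forwarded-For no matter who sent it."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def safe_client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Hardened: X-Forwarded-For is used only when the TCP peer is a trusted
    proxy, and then only the right-most hop not added by our own proxies is
    taken, since that is the last address a trusted hop can vouch for."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer address
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def count_votes(requests, ip_resolver):
    """One vote per resolved client IP, as a dedup-by-IP poll would count."""
    seen = set()
    for req in requests:
        seen.add(ip_resolver(req["remote_addr"], req["headers"]))
    return len(seen)
```

With the naive resolver the three forged requests count as three votes; with the hardened one they collapse to a single vote from 203.0.113.7.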


Comments

Posted by Quentin on 2009-09-04 06:06:30

Ah! This is why I didn't make it to the second round (or Boks, my app), damn it! Just kidding, but I also noticed some strange voting trends...

Posted by RJM on 2009-09-04 09:00:11

Great catch and well handled-- I have been following this poll for a while and hate to see it tainted. Patch and revote!

Posted by haphap on 2009-09-04 12:55:13

One question!!!: Are there any *POPULAR* proxies that ACTUALLY use the "X-Forwarded-For" header anyway??

Posted by iZ on 2009-09-04 13:29:03

The point is that you don't even need to use a proxy. Even just adding the header with a random (fake) IP address is enough to get the vote to count.

Posted by learnaviary on 2009-09-05 08:27:00

Companies that would stoop low enough to do that make me sick. I don't think that anyone should use their products even if they are better products than Aviary.

Posted by Mathieu Gosselin on 2009-09-06 08:31:48

Most internet polls are useless honestly, you cannot rely on those things. When people vote anonymously it is like that. It is up to the one who has the most friends to bring, or in this case the one who is the trickiest.

Posted by learnaviary on 2009-09-07 16:27:05

yobabba is still doing something with proxies I think

Posted by Andrew Odri on 2009-09-08 15:12:49

Nice catch guys. I figured some kind of automated proxying was going on, although I had no idea it was just modified requests being hammered out by the one computer. Thanks again!

Posted by ducky666 on 2009-09-09 00:22:42

I don't think they should redo the contest over again, just disqualify those who didn't play fair. If that means Aviary is the only one not DQ'ed, then Aviary wins, period.

Posted by Andrew Short on 2009-09-10 06:57:26

Problem with that, Ducky, is will they be able to tell for sure which companies have used the exploit? Sure, it'll be obvious in some cases (such as the above-mentioned 500-vote jump in a night), but if other entries have been more subtle about it they could probably get away with it.

Well done for finding the exploit and exposing it, guys. Big kudos to you.

