Fox News' "if the election were held today, who would you vote for?" voting system exploit
Fox News has a poll running to see who people would vote for today. That's cool. I voted for Bernie Sanders, and was pleased to see 51% votes are in his favor.
Then I saw a comment on the Bernie Sander's Dank Memes Stash Facebook page, which said they were able to vote 3 times. Uh oh. They then said they remembered cookies were turned off. Yikes.
I decided to investigate for a whole 5 minutes to see what was up.
Each candidate in the list has their own ID number:
Bernie : 12074840
Rubio : 12074832
Cruz : 12074834
Trump : 12074836
Clinton: 12074838
These were found with a simple inspect-element.
Then I watched the Network tab in the Chrome debugger to see what request was sent when I clicked "Vote". It was this:
http://polls.foxnews.com/api/poll/4862500/vote/?answer=12074840&jsonp=FXAPIvt4862500&cb=2016315000
Let's take it apart:
http://polls.foxnews.com/api/poll/:PollID/vote/?answer=:AnswerID&jsonp=FXAPIvt4862500&cb=:DateStamp
The DateStamp is how the poll decides whether you're the same anonymous voter who voted before. If the DateStamp is different, it creates a brand new anonymous voter. The anonymous voter ID is saved as a cookie, but only if you're on the actual voting page.
If you invoke that URL by itself, it creates no cookies, and the vote still counts.
I didn't write anything to exploit this, but with a simple setInterval() and AJAX request loop, you could vote for anyone as many times as you like. This is why anonymous voting isn't a thing on websites like Reddit: it's easily exploitable.
Alright, now be good. :)
So you're saying that someone in a country outside the US could fire that URL repeatedly, and cast votes?
That seems pretty dodgy.
Yeah, you can. I just think it's laziness to be honest.