Fox News' "if the election were held today, who would you vote for?" voting system exploit

Fox News has a poll running to see who people would vote for today. That's cool. I voted for Bernie Sanders, and was pleased to see 51% votes are in his favor.

Then I saw a comment on the Bernie Sander's Dank Memes Stash Facebook page, which said they were able to vote 3 times. Uh oh. They then said they remembered cookies were turned off. Yikes.

I decided to investigate for a whole 5 minutes to see what was up.

The list of candidates each have their own ID number:

Bernie : 12074840
Rubio : 12074832
Cruz : 12074834
Trump : 12074836
Clinton: 12074838

This was found from a simple inspect-element.

Then I watched the Network tab in the Chrome debugger to see what request was sent when I clicked "Vote". It was this:

http://polls.foxnews.com/api/poll/4862500/vote/?answer=12074840&jsonp=FXAPIvt4862500&cb=2016315000

Lets take it apart:

http://polls.foxnews.com/api/poll/:PollID/vote/?answer=:AnswerID&jsonp=FXAPIvt4862500&cb=:DateStamp

The DateStamp acts as a way to determine if you're the same anonymous voter who voted before. If the DateStamp is different, it'll create a brand new anonymous user. It saves the anonymous voter ID as a cookie - only if you're on the actual voting page.

If you invoke that URL by itself, it creates no cookies, and will vote for you.

I didn't write anything to exploit this, but with a simple setInterval() and AJAX request loop, you could vote for anyone as many times as you like. This is why anonymous voting is not a thing on websites like Reddit, because it's easily exploitable.

Alright, now be good. :)

Comments

  1. So you're saying that someone in a country outside the US could fire that URL repeatedly, and cast votes?

    That seems pretty dodgy.

    ReplyDelete
  2. Yeah, you can. I just think it's laziness to be honest.

    ReplyDelete

Post a Comment

Popular Posts