Inside the precision hack « Music Machinery - 0 views
-
At 4AM this morning I received an email inviting me to an IRC chatroom where someone would explain to me exactly how the Time.com 100 Poll was precision hacked. Naturally, I was a bit suspicious. Anyone could claim to be responsible for the hack - but I ventured onto the IRC channel (feeling a bit like a Woodward or Bernstein meeting Deep Throat in a parking garage). After talking to ‘Zombocom’ (not his real nick) for a few minutes, it was clear that Zombocom was a key player in the hack. He explained how it all works. The Beginning Zombocom told me that it all started out when the folks that hang out on the random board of 4chan (sometimes known as /b/) became aware that Time.com had enlisted moot (the founder of 4chan) as one of the candidates in the Time.com 100 poll. A little investigation showed that a poll vote could be submitted just by doing an HTTP get on the URL: http://www.timepolls.com/contentpolls/Vote.do ?pollName=time100_2009&id=1883924&rating=1 where ID is a number associated with the person being voted for (in this case 1883924 is Rain’s ID). Soon afterward, several people crafted ‘autovoters’ that would use the simple voting URL protocol to vote for moot. These simple autovoters could be triggered by an easily embeddable ’spam URL’. The autovoters were very flexible allowing the rating to be set for any poll candidate. For example, the URL http://fun.qinip.com/gen.php?id=1883924 &rating=1&amount=160 could be used to push 160 ratings of 1 (the worst rating) for the artist Rain to the Time.com poll.
-
“Needless to say, we were enraged” says Zombocom. /b/ responded by getting organized - they created an IRC channel (#time_vote) devoted to the hack, and started to recruit. Shortly afterward, one of the members discovered that the ’salt’, the key to authenticating requests, was poorly hidden in Time.com’s voting flash application and could be extracted. With the salt in hand - the autovoters were back online, rocking the vote.
