Defeating the News24 daily vote

Every day the News24 site has a user vote. I recently decided to take a closer look at their system – perhaps I could defeat the vote security. It would be fun (who says I’m a geek?) and I could learn something new.

I used a combination of Firebug and Python to watch their voting system in action. Pretty soon I realized that the security is very simple.

This is the process that News24 uses to record votes:
[Figure: flowchart showing how the News24 vote process works]

  1. Show the user the vote (question and options) and get their choice
  2. Go to a page that checks if the user has already voted
  3. If the user has NOT voted yet:
    a. Save a file showing that the user has voted
    b. Move to another page that counts the vote
  4. Move on to the results page

It’s a pretty simple process and it works as long as nobody messes with it…

The problem is that it is very easy to derive the URL of the page that counts your vote (3b). So you can skip all the checks and go straight there as many times as you like!

So I wrote a very simple program (34 lines in Python including copious comments and whitespace) that:

  1. Fetches the vote details
  2. Asks which option to vote for and how many times
  3. Hits the vote counting page X times

As simple as that!

And no, I don’t use it. That would be pretty lame. The fun part was figuring it out and defeating a well-known site. Not screwing up the polls for everyone.
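One way to close the gap described above, as an added example that is not from the original post or from News24's code: the check step issues a one-time HMAC-signed token, and the counting step refuses any request that does not carry a valid, unused one. The `Poll` class, its method names and `voter_id` (standing in for however the site identifies a voter) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)  # server-side secret, never sent to the client


class Poll:
    """Hypothetical in-memory poll; a real site would persist this state."""

    def __init__(self, options):
        self.counts = {o: 0 for o in options}
        self.voted = set()        # voters who already passed the check (step 3a)
        self.used_nonces = set()  # tokens already redeemed by the counting step

    def _sign(self, voter_id, option, nonce):
        # Binds the token to one voter and one option. Assumes voter_id has no "|".
        msg = f"{voter_id}|{option}|{nonce}".encode()
        return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

    def check_and_issue(self, voter_id, option):
        """Steps 2 and 3a: return a one-time token, or None if not allowed."""
        if option not in self.counts or voter_id in self.voted:
            return None
        self.voted.add(voter_id)
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._sign(voter_id, option, nonce)}"

    def count_vote(self, voter_id, option, token):
        """Step 3b: count only when given a valid, unused token from the check."""
        try:
            nonce, sig = token.split(".")
        except (AttributeError, ValueError):
            return False  # missing or malformed token: direct hit on the counter
        expected = self._sign(voter_id, option, nonce)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False  # forged token, or token issued for another voter/option
        if nonce in self.used_nonces or option not in self.counts:
            return False  # replayed token
        self.used_nonces.add(nonce)
        self.counts[option] += 1
        return True
```

With this in place, knowing the URL of the counting page is no longer enough: each counted vote requires a token that only the check step can mint, and each token works once.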