Insufficient Anti Automation

Polls are an easy target for automation abuse. Participation is usually anonymous, and the poll operator has an interest in drawing as many participants as possible, but as previous incidents have demonstrated, such loose security enables hackers to distort the results.

This time a hacker succeeded in manipulating Time's poll for the most influential people of 2009.

Insufficient Anti-Automation is fast becoming the #1 threat to web sites. Since Captcha has proved practically useless, especially when there is a financial gain from automating access to a site, sites are pretty much defenceless against harmful automation. Techdirt's story about Craigslist losing the battle against automation tools is a very good example of this serious problem.

Read the comments; they are enlightening. As usual, one of the problems when spam is involved is defining whether and what is a wrongdoing and what is a valid action. Some commenters say that Craigslist has become useless due to the spam, while others say that Craigslist is the worst censor on the Internet, not letting small-time businesses work. Others argue about whether this is a crime or not. 132 comments, and they keep coming 8 months after the article was published.

Update (April 19th 2009) - A recent article in the Vancouver Sun further discusses the issue. While there are no new technical details, the discussion that follows the article is illuminating.

Insufficient anti-automation is fast becoming a major, if not the major, threat to web applications. The reason is that it can be very profitable for the hacker, while on the other hand it is far from a simple vulnerability that just requires a quick fix.

TicketMaster's ongoing battle with hackers who bypass its queue to buy event tickets and resell them at a high price is a very good example of the issue. In this specific case the hackers demonstrated that Captcha, a method of blocking automated programs by presenting a challenge that is supposedly difficult for computer software, is not sufficient.

Someone, and not for the first time, succeeded in manipulating Google Trends, a Google service listing popular search terms. In this case the New York Times reports that a symbol presumably denoting 9/11 reached number 2 in the list of hot trends (see picture).

While this may be nothing more than a joke, the capability to create a trend can have a huge and sometimes devastating effect. After all, in recent months the future of big financial institutions was determined by the rumor mill.

On the technical side, insufficient anti-automation controls have been one of the more obscure and hardest-to-fix vulnerabilities in web applications. Starting with the LexisNexis incident (WHID 2005-65), many incidents were waved off as nothing more than an automated client. However, as the incidents pile up it becomes clear that it is the responsibility of the site owner to mitigate such harmful automation attacks.

Californian Michael Largent used an automated script to open 58,000 such accounts, collecting many thousands of the small payments used to verify credit cards when opening accounts.

The LexisNexis data breach is not new, but we have recently decided to start tracking abuse of insufficient anti-automation measures and are adding historical incidents.

In this incident a group of people opened accounts at data broker LexisNexis and used automated tools to extract a large amount of personal information provided by the service.

Use of robots and automated software against a web site, as long as it is not done in order to break into the site, falls into a grey area. While hard to classify as an unlawful act, it is usually harmful to the site owner and possibly to the site's users. Apart from consuming valuable resources, such automated access may breach the site's usage license for public information and might also indicate unlawful activity such as the use of a botnet. It is often hard to tell whether such a blast of requests is a denial of service attack, brute-force password cracking, or just a search engine crawler.

The CNBC stock trading reality TV show was even more real than contenders thought it would be. It seems that players learned to cheat the game by opening a browser form to buy a stock before the market close, and submitting the transaction, at the set price, only after the close, when more information was already available.

A hosting provider was broken into by brute-forcing passwords on a management interface. The sites of many clients, including three municipalities, were defaced.
