WHID 2009-38: Time's Poll For Most Influential Hacked

Polls are an easy target for automation abuse. You can usually participate anonymously, and the poll operator has an interest in drawing as many participants as possible, but as demonstrated by previous incidents, such loose security enables hackers to distort the results.

This time a hacker succeeded in manipulating Time's poll for most influential people in 2009.

Top results for the hacked Time poll

Such polls are probably always distorted by automated programs, with every stakeholder running his own robot to promote a cause. The current Time poll status shown above includes mostly known people, though the standings do seem skewed. Is it just that our view of the world is different than others, or have Muslims around the world become avid Time readers? The top rated person, "moot", whom none of you had heard about until now, proves that it is all about automation.

This specific poll distortion reported by Paul Lamere is unique since a group of hackers called 4chan, led by "moot", took the time to fight Time's humble attempts to mitigate automation. Among the measures and countermeasures that 4chan and Time exchanged are:

  • 4chan distributed the simple GET URL required to vote for moot through legitimate web sites and comment spamming. Such a link can easily be executed automatically by a web site user without his awareness using CSRF techniques.
  • Using a typical CSRF countermeasure, Time added a salted and hashed key to ensure that the poll was submitted from its own poll form. However, the key authentication was done on the client by Time's poll Flash application, enabling 4chan to easily find it out and overcome the issue.
  • The Time voting mechanism did not even check that the ranking in the vote was legal, so a link to vote down moot's competitors in the list was also used until Time fixed the issue. Voting down is key to winning such a poll, as 4chan's competitors are not at rest, running their own sophisticated campaigns.
  • Lastly, 4chan developed sophisticated robots to auto-vote. Those robots overcame Time's anti-automation protections: since each user is allowed to vote just once in every 13 seconds, the robots used open proxies to vote faster. Since Time only prevented voting for the same person from the same IP, the robots used the extra 12 seconds available for each source IP to vote down competitors. The system also reported to a central server, allowing monitoring of the voting rate!
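
The server-side checks whose absence the list above describes, as an added sketch that is not Time's code: the function names, the secret, the 1 to 100 rating range and the 600-second token lifetime are assumptions made for illustration, and the sample values are constructed. It does not address votes spread across open proxies.

```python
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # assumption: held only on the server
MIN_RATING, MAX_RATING = 1, 100             # assumption: the poll's legal rating range
VOTE_INTERVAL = 13                          # seconds between votes, as on the page

_last_vote = {}  # source IP -> time of last accepted vote, for any candidate


def issue_token(session_id, issued_at):
    """Form token computed on the server; the client only echoes it back."""
    msg = f"{session_id}|{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def token_valid(session_id, token, now, max_age=600):
    """Recompute the token server-side and compare in constant time."""
    try:
        issued_at = int(token.split(".", 1)[0])
    except (ValueError, AttributeError):
        return False
    if not 0 <= now - issued_at <= max_age:
        return False
    expected = issue_token(session_id, issued_at)
    return hmac.compare_digest(token.encode(), expected.encode())


def accept_vote(method, session_id, token, ip, candidate, rating, now=None):
    """Return (accepted, reason) for one vote request."""
    now = int(time.time()) if now is None else now
    if method != "POST":                  # a state change must not ride on a GET link
        return False, "method"
    if not token_valid(session_id, token, now):
        return False, "token"
    if type(rating) is not int or not MIN_RATING <= rating <= MAX_RATING:
        return False, "rating"            # reject illegal rankings on the server
    if now - _last_vote.get(ip, -VOTE_INTERVAL) < VOTE_INTERVAL:
        return False, "rate"              # keyed on IP alone, not (IP, candidate)
    _last_vote[ip] = now
    return True, "ok"
```
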

Rate of voting for "rain" as recorded by 4chan monitoring

However, this specific hack is even more interesting. At one point 4chan were bored with just running moot for presidency, so they decided to use their sophisticated machine to do more elaborate work. They decided to fix all first 21 nominees so that their initials would spell "Marblecake Also the Game". And as Paul Lamere's screenshot proves, they made it.

Incident Outcome: