
Many have probably already heard about the service ebaytoday.ru, which forwards purchases from auctions and online stores in the US, UK, Germany and China.
So, on the eve of February 14, they decided to run an interesting contest. The rules are very simple: you upload a photo of yourself and your soulmate, and then the other users taking part in the contest pick, for each young man, his girl from 5 offered. Whoever guesses correctly the most times wins the prize - 2 Kindle Touch. And anyone who guesses 20 pairs on any given day also gets a Kindle Touch, but just one.
Unfortunately, having launched the contest on February 10, they did not test it properly, and until the 13th the votes were not counted at all; so on February 13 all the votes were reset and the contest was launched a second time, this time working. That happens and is sometimes excusable, but not with an audience as wide as this service has.
Vote rigging
When voting, a POST request was sent to a page with the following data:
woman - URL of the man's photo (why the men ended up in the "woman" field I don't know; it is probably somehow related to the general literacy of the programmer)
man - URL of the selected girl
and ... that's it! There is no CSRF protection and no token to check which pairs the user actually saw in the browser against what he submitted - in short, save the page, change the field values to the ones you need, and click the "connect pair" button until you are blue in the face. Therefore, unfortunately, the couple that took first place
seemed strange to many, because no one had ever seen it.
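The missing check described above is that the server never ties a vote to the pairs it actually showed. The following is an added example (not code from ebaytoday.ru or the original post) of one way to do that: when a page with one man and his 5 candidates is rendered, the server issues an HMAC-signed, single-use ballot token listing exactly what was offered, and the vote handler rejects any choice that was not on that ballot, any token from another session, and any replay. Names, the 10-minute lifetime and the in-memory nonce set are assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import List, Optional, Tuple

# Constructed secret for the example; a real service would load it from configuration.
SERVER_SECRET = secrets.token_bytes(32)

# Replay protection; a real service would persist this (database, cache) instead.
_used_nonces = set()


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_ballot(session_id: str, man_id: int, offered_women: List[int],
                 now: Optional[float] = None) -> str:
    """Called when the voting page is rendered: records which man and which
    candidates were shown to this session, and signs that record."""
    body = {
        "sid": session_id,
        "man": man_id,
        "women": sorted(offered_women),
        "nonce": secrets.token_hex(8),
        "exp": int((time.time() if now is None else now) + 600),  # 10 minutes
    }
    payload = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload)


def cast_vote(session_id: str, token: str, man_id: int, woman_id: int,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Vote handler: accepts the vote only if it matches a valid, unused ballot."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return False, "malformed token"
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "bad signature"           # field values were tampered with
    body = json.loads(payload)
    if body["sid"] != session_id:
        return False, "token belongs to another session"
    if body["exp"] < (time.time() if now is None else now):
        return False, "token expired"
    if body["man"] != man_id or woman_id not in body["women"]:
        return False, "choice was not among the offered candidates"
    if body["nonce"] in _used_nonces:
        return False, "ballot already used"     # the same ballot cannot be re-submitted
    _used_nonces.add(body["nonce"])
    return True, "vote recorded"
```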
Guessing pairs
Here things are more hidden, but no less terrible. Thumbnails were generated for all uploaded photos, and the two photos - a boy and a girl - were uploaded together, therefore - what? That's right: look at the Last-Modified header returned with a photo and find the girl whose thumbnail has the same creation date. There were far more clever people than my dear administration expected, and so, thanks to the 82 people who guessed 20 out of 20 pairs, they had to hold a second stage.
That is what the Valentine's contest turned out to be ... Once again I am convinced that there are no honest contests on the Internet: either people cheat, or the results go to "their own" people.
PS: I am writing about this only now, so that no one can take advantage of these vulnerabilities - the contest is already over.
