
1. Prehistory
For some time now I have been following the development of the startup friendsaround.me. The idea of the startup is to launch a location-based social network for owners of mobile devices. As I understand it, they are still in development, but that is beside the point. I follow it rather passively, so it was only on March 7 that I found out they were holding a competition for the best slogan for their product, with the main and only prize being an iPad (or rather, an iTunes gift card for the amount needed to buy one). The competition ended on March 7, and after looking at the options already submitted (and not finding one I liked), I decided to try my luck too, so to speak. After several minutes of creative meditation, several options were spinning in my head, of which I settled on the slogan “Locate Friendship!” (short, clear and to the point, I thought. Great slogan!). I submitted it ...
2. History
The next day it turned out that my slogan had not let me down and had made it to the final - success :)!
The final was a vote in which everyone was invited to choose the slogan they liked most from the 10 finalists. Voting was done through the service polldaddy.com, whose main purpose is precisely to run various kinds of votes. So, hoping (naively) for a fair fight, I began actively sending campaign messages to friends along the lines of “Dude, support my outstanding slogan!”. The “dudes” supported me (thank you, by the way, if you are reading), and the vote count next to my option gradually crept upwards, along with conflicting thoughts like “Hmm, why do I need another iPhone? Better to add some money and buy a MacBook!!! Hmm, although why do I need a MacBook?”. But then the first disappointment awaited me ...
With no ulterior motive at all, I decided to look once more at the current state of the results. At that time I could see the results only by voting again (I had not noticed the “show results” button), which led to a page that politely informed me that a second vote was not possible but showed the current result. Imagine my surprise when, visiting this page once more, I suddenly saw the message “Thank you for voting!”. “Aah, this is probably because the browser is different ... But do they really not block by IP?” flashed through my head. “How can that be?!” I tried from a third browser: plus one more vote. So they probably block re-voting by cookie ... I opened Chrome in incognito mode (which does not save cookies): so it is. At the same time, judging by how votes were being added for another participant, it became clear that I was not the only one who had made this discovery.
I had absolutely no desire to sit and mindlessly inflate the votes by opening and closing the browser, so I honestly wrote to the competition's administration about my discovery and continued to campaign among my friends. My main argument for continuing to take part was the hope that the organizers, people who work in web / mobile development (and are even about to launch a startup), would surely understand that in this form the vote no longer made sense. “They are probably still recording IPs and just want to identify all the cheaters at once, without pushing them to come up with a harder-to-track way of cheating” - I again naively thought ...
Meanwhile, by the end of the second day of the contest final (March 9), my slogan had moved into second place and was slowly approaching the first one, which, I felt (rightly, as it turned out), was being inflated, and inflated by hand (I have 140 votes with 140; after 3 hours I have 139, he still has the same 140, but after 5 minutes already 160). Under the terms of the competition, the winner would be the participant with the highest number of votes on "March 10th". I suspected that "March 10" actually meant 00:00 on March 11, but realizing that this could be read two ways and that unusual movements were possible that very night, I took a screenshot just in case:

When I woke up the next morning, I realized that the guys' nerves had given out after all and the picture now looked like this:

As it turned out, about 3 and a half thousand people (out of 4,100 who had voted at the time) could not find peace that night without voting for their favorite slogan.
The funny thing is that, for all the absurdity of the situation, the participants, firmly believing in their “fair” victory and that no one would suspect anything (!), never pulled ahead of each other by more than 50-100 votes ...
At that point I decided to see what the PollDaddy.com service looks like “from the other side” and registered on it (since registration was free). It came in a paid and a free version. The paid one allowed tracking the results of the competition in various ways, while the free one allowed nothing of the kind and showed roughly the same information that was visible to all participants. The free version also added a small link to the PollDaddy.com site itself. That is the link that can be seen in the screenshots I attached.
The contest administration, from whom I was expecting at least some reaction to the night's events, dispelled all my faith in them with a message on Twitter: “Guys! Vote for your favorite slogan! Today is the last chance to vote!” (a slightly loose translation from English). I tried writing to the administration again, asking them to clarify their position on cheating and saying that if they were still going to give the prize to the participant with the “greatest” number of votes in spite of everything, I could also try writing my own script. I waited a couple of hours; no answer followed ... Apparently they did not care who exactly would get the notorious iPad - they already had their slogans ...
In fact, at that moment I felt most awkward in front of the friends who had responded to my request and voted (and who at that moment were also writing to tell me not to be upset, and that the results were most likely rigged). In addition, a sporting interest was beginning to emerge, since I had never had to rig a vote before, and as a web developer it was interesting to finally try it (especially since 2 people out of 10 had already done so; I think they were still inflating the votes by hand :)).
Of course, there was also an alternative: wait until the contest was over and the prize had found its “legitimate” winner, and then join the ranks of people fighting for the truth and write angry messages in the style of “We were deceived! Return the iPad to its rightful owner!!! I had 190 honest votes!!!!” So, under the motto “Maybe someone will judge me, but I won't be one of those people”, I pressed the cherished “View page source” button ...
3. Cheating

Everything turned out to be even easier than I thought. The Vote! button had the following markup:

    <input type="button" onclick="javascript:vote(2813361,0,1,0,10);" class="button-blue-big" value="Vote!" />

The vote() function itself looked like this:

    function vote(id, poll_other, rand, poll_type, u) {
        var answerString = '';
        var otherText = '';
        // Collect the values of all checked checkboxes / radio buttons
        for (i = 0; i < document.formPoll.elements.length; i++) {
            if (document.formPoll.elements[i].type == "checkbox" || document.formPoll.elements[i].type == "radio") {
                if (document.formPoll.elements[i].checked) {
                    answerString += document.formPoll.elements[i].value + ',';
                }
            }
        }
        if (poll_other == 1) {
            otherText = _$('PDI_OtherText').value;
        }
        if (answerString.length > 0 || otherText.length > 0) {
            // The vote is a plain GET request built entirely on the client
            location.href = '/vote.php?va=' + u + '&pt=' + poll_type + '&r=' + rand + '&p=' + id + '&a=' + answerString + '&o=' + otherText;
        } else {
            alert(alert_no_answer);
        }
    }

Well, everything seems clear: we take the value (id) of the selected radio button and send it to the right address along with the other parameters. The only thing that confused me was the rand variable, which apparently implied some sort of random value, but which, no matter how many times I reloaded the page, was always equal to 0.
After that, all that remained was to write a small console application (I used C#) that builds an HTTP GET request and sends it to the same address.

    static void Main(string[] args)
    {
        int repeat = (args.Length > 0) ? int.Parse(args[0]) : 1;
        int sleepTime = 2000; //2 sec
        int rand = 0;
        string userAgent = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.3 Safari/533.2";
        int pollid = 2812840;
        int voting_id = 13304535;
        for (int i = 0; i < repeat; i++)
        {
            Console.Write(i + " - ");
            string query = "http://polldaddy.com/vote.php?va=10&pt=0&r=" + rand + "&p=" + pollid + "&a=" + voting_id + ",&o=";
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(query);
            request.UserAgent = userAgent;
            HttpWebResponse response;
            response = (HttpWebResponse)request.GetResponse();
            Console.Write(response.StatusCode);
            Console.WriteLine(". Waiting " + sleepTime/1000 + " seconds");
            Thread.Sleep(sleepTime);
        }
        Console.WriteLine("Done");
        Console.ReadKey();
    }

Just in case, I put a 2-second pause between requests. I run it: the first request is OK, the second request is OK, the third request is "operation has timed out". What the heck?! I run it again - the same thing - the third request does not work. I increased the pause between requests to 10 seconds. It does not help. I decided to look in Fiddler to see what was going on:

Fiddler showed that the first page returns HTTP 302 and redirects to another one, but I did not notice any other differences between the requests. I added request.AllowAutoRedirect = true to the code so that the request would follow redirects automatically (although in principle this should already be the default) - the same result again. Luck came unexpectedly: I accidentally discovered that with Fiddler enabled, the third request goes through fine (as seen in the picture), and so do the fourth, the fifth, and so on. There was no time to work out what the difference was between a request that passes through the Fiddler proxy and an ordinary one; the main thing was that the cheater was basically ready. It could be launched.
Nevertheless, I did not want to stop at such a simple solution; I wanted to make the task harder somehow, especially since when I registered at polldaddy.com and created my own test poll, I had seen the option “Block by cookie and IP”, which for some incomprehensible reason had been ignored by the organizers of the vote. Realizing that they could still “discover” this option at any moment and thereby cut off my cheating, I decided to prepare ahead of time ... Of course, getting 10 thousand people to run my .NET application was impossible, so I began leaning towards JavaScript that would send an AJAX GET request when some page loads and then redirect to another page with more interesting content. That way it would be possible to post such a link on some popular resource and solve the IP blocking problem. I made such a page using jQuery here, but in the end it never came in handy.
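The constant r=0 and the unused “Block by cookie and IP” option described above both come down to the server counting any well-formed GET. As an added example (not PollDaddy's code and not the author's), here is a hypothetical server-side gate that issues a signed single-use token per page load and refuses a second vote per address; the names issueToken and acceptVote and the token layout are assumptions.

```javascript
// Added illustration: a hypothetical server-side vote gate, not PollDaddy's code.
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32);  // per-deployment signing key (assumption)
const TOKEN_TTL_MS = 10 * 60 * 1000;    // a token is valid for 10 minutes
const usedTokens = new Set();           // single-use tracking (in memory for the demo)
const votedIps = new Map();             // pollId -> Set of addresses that already voted

function sign(body) {
  return crypto.createHmac('sha256', SECRET).update(body).digest('hex');
}

// Issued when the poll page is rendered; takes the place of the constant r=0.
function issueToken(pollId, ip, now = Date.now()) {
  const body = [pollId, ip, now, crypto.randomBytes(8).toString('hex')].join('|');
  return `${body}|${sign(body)}`;
}

// Returns { ok, reason }; the vote is counted only when ok is true.
// ip must be the peer address seen by the server, never a client-supplied value.
function acceptVote(pollId, ip, token, now = Date.now()) {
  const parts = String(token).split('|');
  if (parts.length !== 5) return { ok: false, reason: 'malformed token' };
  const [tPoll, tIp, tTime, , mac] = parts;
  const expected = Buffer.from(sign(parts.slice(0, 4).join('|')));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (tPoll !== String(pollId) || tIp !== ip) {
    return { ok: false, reason: 'token bound to another poll or address' };
  }
  if (now - Number(tTime) > TOKEN_TTL_MS) return { ok: false, reason: 'token expired' };
  if (usedTokens.has(token)) return { ok: false, reason: 'token already used' };
  const ips = votedIps.get(tPoll) || new Set();
  if (ips.has(ip)) return { ok: false, reason: 'address already voted' };
  usedTokens.add(token);
  ips.add(ip);
  votedIps.set(tPoll, ips);
  return { ok: true, reason: 'counted' };
}
```

The token rejects replays of a fixed URL and votes triggered from third-party pages; the per-address set is what limits repeat votes, at the cost of refusing legitimate voters who share an address.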
4. End of story
My cheater was ready when there were still about 7 hours left until the end of the competition. It seemed silly to play along with the game that had developed in the competition and come out on top with a lead of 10 votes. If you're going to cheat, then cheat!!! - I thought, and turned it on at maximum speed. After a while, I started cheating from one more machine with another IP. In about half an hour I had caught up with the "leaders". At this point the administration finally woke up and made the first correct decision in this story, namely turning off the ability to view the results. After another 3 hours, when, according to my calculations, I should have had about 5-6 thousand votes, the vote was finally stopped. The official reason they later gave via their Twitter was inconsistencies in voting practice.
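A fixed-interval script like the one in this story leaves a recognisable trace in an access log. This added example (not from the original post) groups vote.php requests by address and answer and reports high counts with near-constant gaps; the log line format, the sample entries and the thresholds are constructed for the illustration.

```javascript
// Added illustration: flags scripted voting in an access log (constructed sample data).
const LINE = /^(\S+) (\S+) "GET \/vote\.php\?(\S*)" (\d{3})$/;

function parseVote(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  const q = new URLSearchParams(m[3]);
  const answer = (q.get('a') || '').replace(/,$/, '');  // a= carries a trailing comma
  return { t: Date.parse(m[1]), ip: m[2], poll: q.get('p'), answer };
}

// Groups votes by (address, poll, answer); reports groups with at least minVotes
// requests and marks those whose gaps differ by no more than maxJitterMs.
function findStuffing(lines, { minVotes = 5, maxJitterMs = 500 } = {}) {
  const byKey = new Map();
  for (const v of lines.map(parseVote).filter(Boolean)) {
    const key = `${v.ip} ${v.poll} ${v.answer}`;
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(v.t);
  }
  const flagged = [];
  for (const [key, times] of byKey) {
    if (times.length < minVotes) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const jitter = Math.max(...gaps) - Math.min(...gaps);
    const [ip, poll, answer] = key.split(' ');
    flagged.push({ ip, poll, answer, votes: times.length,
                   fixedInterval: gaps.length >= 2 && jitter <= maxJitterMs });
  }
  return flagged;
}

// Constructed log: one address voting every 2.1 s, plus a few ordinary voters.
function sampleLog() {
  const base = Date.parse('2010-03-10T14:00:00Z');
  const url = (a) => `"GET /vote.php?va=10&pt=0&r=0&p=2812840&a=${a},&o=" 302`;
  const line = (ms, ip, a) => `${new Date(base + ms).toISOString()} ${ip} ${url(a)}`;
  const scripted = [0, 1, 2, 3, 4, 5].map(i => line(i * 2100, '203.0.113.5', 13304535));
  const people = [line(700, '198.51.100.7', 13304535), line(9000, '198.51.100.8', 13304536),
                  line(40000, '198.51.100.7', 13304535)];
  return [...scripted, ...people];
}
```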
The next day, they effectively announced a new contest, which now consists of simply posting a specific message on Twitter, with the winner chosen at random from those who posted. Of course, I posted the message, but I have practically no interest in this contest. You can take part too, by the way, if you want - http://friendsaround.me/contest (if you win you will need an address in the USA for the prize to be delivered to - write to me and I can help with this).
In the end, when I asked why it had been so difficult to think of protection against vote rigging in advance, one of the organizers replied on Twitter that they simply had not prepared the competition very well ... well, let's hope that they will at least be more serious about launching their startup ...
UPD: By the way, I still haven’t figured out why the third and subsequent requests in my cheater went through only when Fiddler was turned on; I would be grateful if someone could tell me the reason ...