336
coolq
2y

I know it wasn't ethical, but I had to do it.

Semester 4 started this week, we all got to vote which day we wanted the lecture to be held on. There were quite a few options. My preference was Monday at 7:30pm.

So I entered the poll, as I have every other semester. But I noticed something, this particular poll didn't require any form of identification. Not even a Student ID.

I dug deeper, found that it used local cookies to store whether you'd voted or not, this is obviously a security problem, so I opened up Python and wrote a simple Selenium program to automate this process.

I called it the "Vote Smasher". First it would open the webpage, then it would choose Monday 7:30pm and vote. Then it would clear its cookies, refresh and do it over again.

I ran it fifty times.

Can you guess what the revealed vote for UCD SP4 IT was?

I heard my lecturer mutter:
"The votes aren't usually this slanted..."

I could hardly contain my giggles.
My vote won by about fifty over the others 😂

Let me just say, it was his fault for choosing such a naive poll system in the first place 😉
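
Added example, not part of the original post or of any comment: the poll design the post describes (the "already voted" flag lives only in a client cookie) next to a server-side design that records one ballot per authenticated student. The class names, the sample roster and the idea that `student_id` comes from an authenticated session are assumptions made for illustration.

```python
from collections import Counter

OPTION = "Monday 7:30pm"  # the option named in the post


class CookiePoll:
    """Design described in the post: 'already voted' lives only in a client cookie."""

    def __init__(self):
        self.tally = Counter()

    def vote(self, cookies, option):
        # The server trusts whatever cookie jar the client presents.
        if cookies.get("voted") == "1":
            return False
        self.tally[option] += 1
        cookies["voted"] = "1"  # stands in for a Set-Cookie response header
        return True


class RosterPoll:
    """Hardened design: one ballot per authenticated student, stored server-side."""

    def __init__(self, roster):
        self.roster = set(roster)
        self.ballots = {}  # student_id -> option

    def vote(self, student_id, option):
        # Assumption: student_id is taken from an authenticated session, not from the form.
        if student_id not in self.roster or student_id in self.ballots:
            return False
        self.ballots[student_id] = option
        return True

    def tally(self):
        return Counter(self.ballots.values())


def compare(submissions):
    """Ballots counted when one person submits repeatedly with an empty cookie jar."""
    weak = CookiePoll()
    strong = RosterPoll(roster=["s001", "s002", "s003"])  # constructed sample roster
    for _ in range(submissions):
        weak.vote({}, OPTION)
        strong.vote("s001", OPTION)
    return weak.tally[OPTION], strong.tally()[OPTION]


if __name__ == "__main__":
    print(compare(50))
```

The cookie-based poll counts every submission because the only record of a prior vote is held by the client; the roster-based poll counts one because the record is held by the server and keyed to identity.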

Comments
  • 7
    @Torbuntu
    Thank you!
  • 9
    Great job!
  • 5
    @user11001
    Haha, yeah!
  • 23
    @potluck
    Luckily for me, I could see how many people had actually voted (had a results page) and I ran the program right near the deadline for the poll.
  • 16
    @potluck
    1). There are 150 students, as I said above I made sure it was less than the maximum. Plus who cares if it's suspicious. In fact I hope he's suspicious, so he uses a different poll system next time.

    2). We are not voting for the subject, we are voting for the day that the lecture is held. You can always watch the recordings since not a whole lot of interaction goes on anyway.
  • 7
    @potluck
    It's all good man, and yes, I admit it wasn't ethical, it was just an amazing opportunity, I almost never see such a big mistake in a University.
  • 2
    @potluck
    I get the thumbs up, yay!

    But I am likely to do this kind of thing once, I wanted to see if it would actually work. Thought it would be fun to post my findings here 😉
  • 1
    @MrJimmy
    Sure did! Thanks for the comment!
  • 1
    This is too good to be true 😂😂
  • 1
    @klukas
    Oh but it is 😄
  • 4
    It's one thing being unethical - it's another thing justifying abuse because you can.

    Imagine if someone hacked your national elections - who would you be punishing? The programmers or people in general?

    If we abuse knowledge, society may just say you lot need a license to program because you can't behave ethically when left to your own devices.
  • 0
    You know I had to do it to em
  • 0
    Sweet! 😂
  • 3
    Same thing on our computer science website, so I voted for a random person for class rep just because I can. He/She won with a few hundred votes
  • 10
    7:30 ON A MONDAY!?!??!

    YOU MONSTER
  • 1
    @kunashe Eeeehhhhh...

    I see the point you're trying to make.

    At the same time there's no better way to teach someone about their woeful ignorance than through practical examples.
  • 1
    You do realize that you have your github link, your name, your location here?
  • 2
    monday morning? u monkey!
  • 5
    When @YourNemesis stalks your devRant profile, you know something bad is coming.
  • 0
    @xorith @gitpull "I have been expelled from class" rant incoming? 😏
  • 3
    @JoshBent "Seems like my class voted to expel me. I've never seen votes so slanted before!"
  • 1
    @xorith "6000 people voted, with just 150 students in class"
  • 4
    That is pretty cool. Have to ask though... Would it not have been simpler to just copy/capture the request and repeat the request 50 times via code? This circumvents the browser entirely and (should) run much faster.
  • 1
    @Nitroretro
    Actually, I think I remember that! Inspiration?

    @kunashe
    Look, as I've said to others, I know this isn't ethical. At all. But this is a rare opportunity. And not just that, but I was also curious to know if it would work.

    Also how on earth is this abuse? It is an exploit, but I fail to see how it is abuse.
    What are you hoping to gain from this comment since I already know it isn't ethical?

    @jeeper
    I did 😛

    @disolved
    Well, there wasn't a lot of choice, all of them were at 7:30pm.

    @xorith
    Agreed.

    @YourNemesis
    I do realise that, but that's the risk I'm taking, so I can share it here on DevRant. I guess I'm trusting everyone here not to go around showing the news...

    @gitpull
    Nah, it's PM, so that's nighttime.

    @xorith
    What's going to happen? I must prepare...

    @JoshBent
    *sigh* probably. Hope not!

    @xorith
    Haha, that's a pretty good joke, ironic too.

    @JoshBent
    Come on, at least I made sure it was possible.

    @pain0486
    Probably, but I didn't need it to go fast.
  • 1
    For some weird reason, DevRant thought my comment was blank, so I deleted one space and it worked...
  • 2
    @coolq oh.... :DDD
    Nvm it was morning when I did comment here :D
  • 4
    So you exploited an unsecured but working application that was meant for democratic decision making and instead of reporting it or offering help, you brag about it here with a half-assed excuse. If you know this is unethical, don't do it, and do not brag about it. You neither put much effort into this hack, nor is your solution elegant. - - from me
  • 0
    @Huuugo
    Wow, gee. What are you intending to gain here?

    Look, this is a programming IT course, they should know better than this. Let's just say I was trying out their own teachings.

    I find it hard to reply to this kind of comment. What do you want me to say?

    Look, this wasn't a very important poll, there's a reason all the votes are usually close together.

    I know voting is intended to be equal, I get that. And that is precisely why this is the only time I will ever do this again. Well, I can't guarantee (might become an ethical hacker, who knows).

    I have also done a lot of good in the world. In fact, this kind of act is very unusual for me.

    I admit this wasn't the right thing to do, and I am sorry if it negatively affected anyone.

    I wouldn't call it bragging, let's call it sharing a story.

    I know there are better things I could have done, but this poll didn't really do much anyway.

    I don't want to have a comment war, so let's put the fire out now, okay?
  • 2
    Oh you rebel 😈 you are on NSA list now 👀
  • 1
    @CurseMeSlowly
    I hope not!
  • 3
    Next time try using the network tab in devtools. It'll show you what http request is being made when you submit your vote. After that you can easily make a script that just replicates that request 😄
  • 1
    @ldwall
    Hmm, I could have, but I didn't particularly need it to go fast. Good suggestion though 😉
  • 3
    Nice work. Sometimes I also `hack` the system in a more ethical way. Automating the boring data input process for example.

    I know it is fun. But if I were you, I'll only make 1 or 2 votes, not 50...

    I guess your lecturer or whoever created the system will be grateful to know what really happened. Just tell them that you know the vulnerability anonymously. If the response is positive, you can tell them what really happened. (Still anonymous like a real h4ck3r, or reveal who you are, and probably getting hired. My student got a t shirt for that)

    But it is really up to you. Keep exploring, and thanks for sharing. From now on, I'll really be more careful with local storage :v
  • 0
    @gofrendi
    Alright, I'll take your advice, I've been thinking about it for a while now. He's a pretty easy going guy, so I doubt he'll be too angry, how should I go about not revealing my identity?
  • 1
    @coolq anonymous email, anonymous mail etc
  • 0
    @gofrendi
    Yep, gotcha :)
  • 0
    @gofrendi (or anyone else)
    Ok, I took your advice, now that the results are officially out, I sent him an email. I'll see what happens!