Many of the geekier amongst you would now be aware that some of the clever anonymites down in 4chan have been playing pattycake with the very respectable Times online most influential person in the world survey. This wasn’t simply a matter of putting their dude, the mysterious Moot on the top of the list. It was significantly more sophisticated and, needless to say stupider than that. They manipulated the poll, in such a way that the first letters of the candidates names formed “the sentence”, “Marblecake, also the game”. As far as anagrams go its, not Hamlet, but in terms of sheer hacking wizardry, its pretty damned impressive. Unless of course you were a major magazine, stalwart of the publishing industry trying to protect your online reputation- then its a bitch. Here’s the story of how it was done…
At 4AM this morning I received an email inviting me to an IRC chatroom where someone would explain to me exactly how the Time.com 100 Poll was precision hacked. Naturally, I was a bit suspicious. Anyone could claim to be responsible for the hack – but I ventured onto the IRC channel (feeling a bit like a Woodward or Bernstein meeting Deep Throat in a parking garage). After talking to ‘Zombocom’ (not his real nick) for a few minutes, it was clear that Zombocom was a key player in the hack. He explained how it all works.
Zombocom told me that it all started out when the folks that hang out on the random board of 4chan (sometimes known as /b/) became aware that Time.com had enlisted moot (the founder of 4chan) as one of the candidates in the Time.com 100 poll. A little investigation showed that a poll vote could be submitted just by doing an HTTP get on the URL:
where ID is a number associated with the person being voted for (in this case 1883924 is Rain’s ID).
Soon afterward, several people crafted ‘autovoters’ that would use the simple voting URL protocol to vote for moot. These simple autovoters could be triggered by an easily embeddable ’spam URL’. The autovoters were very flexible allowing the rating to be set for any poll candidate. For example, the URL
could be used to push 160 ratings of 1 (the worst rating) for the artist Rain to the Time.com poll.
In early stages of the poll, Time.com didn’t have any authentication or validation – the door was wide open to any client that wanted to stuff the ballot box. Soon these autovoting spam urls were sprinkled around the web voting up moot. If you were a fan of Rain, it is likely that when you visited a Rain forum, you were really voting for moot via one of these spam urls.