Hello. I specialize in graphic design and development for web applications.
My high school has decided, for whatever reason, to use Zoomerang to conduct student elections. To prevent multiple votes, Zoomerang allows the creator of what will from now on be referred to as a survey, though it’s more of a voting thing, to send a one-time link to a list of people.
These one-time links, as you can probably guess, allow a user to take the survey only once. However, I have always been suspicious of such tactics, and so a while ago I decided to take a look. (Disclosure: I’m working on a free, open-source voting system. I promise not to let that skew my results.)
[Photo credit: Daquella Manera]
I started with a paid Zoomerang account (well, okay, no I didn’t - it’s $600! I borrowed a login from an online friend with an account) and set up a sample survey based (well, copied word-for-word, actually) on a template. I then used the one-time link feature to send a plethora of links to my Gmail account. In total one hundred, though I’ll present just a short sample of them below:
http://www.zoomerang.com/Survey/?p=U2A8NMF9ASLG
http://www.zoomerang.com/Survey/?p=U2A8NMFAASM4
http://www.zoomerang.com/Survey/?p=U2A8NMFBASMP
http://www.zoomerang.com/Survey/?p=U2A8NMFCASNB
http://www.zoomerang.com/Survey/?p=U2A8NMFDASNW
http://www.zoomerang.com/Survey/?p=U2A8NMFEASPJ
http://www.zoomerang.com/Survey/?p=U2A8NMFFASQ5
The more observant of you will have noticed that some things aren’t very random. In fact, only three characters change frequently, marked below with an uppercase X:
http://www.zoomerang.com/Survey/?p=xxxxxxxXxxXX
These changing portions do appear to be random (well, as random as a computer can produce, at least). However, there are still only four characters changing between links! The characters are limited to uppercase letters and integers. This means there are 36 possible combinations for each character (10 digits + 26 letters). With three positions for the random data, there are only 36^3 possibilities! Okay, so that’s 46,656, which is a pretty big number.
However, the problem comes when we realize that there are about 1,600 people in attendance at my high school (I don’t remember the exact number, but it’s somewhere around there). 46,656 / 1,600 is 29.16. So for every 29.16 guesses I make, odds are one of them will be a working link. However, we can reduce that even further! The first random character seems to just be a hexadecimal counter (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F). I have no idea why this is, but it continues throughout the data.
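The keyspace arithmetic above can be turned into a small audit that a survey operator could run over tokens they have issued. This is an added example, not code from the original post; the function names and the 128-bit target are assumptions, and the sample tokens are the ones shown in the links above.

```python
import math
import secrets

# Tokens copied from the sample links shown in the post.
SAMPLE_TOKENS = [
    "U2A8NMF9ASLG", "U2A8NMFAASM4", "U2A8NMFBASMP", "U2A8NMFCASNB",
    "U2A8NMFDASNW", "U2A8NMFEASPJ", "U2A8NMFFASQ5",
]
ALPHABET_SIZE = 36  # uppercase letters + digits, as stated in the post


def varying_positions(tokens):
    """Return the 0-based indexes whose character differs across the tokens."""
    return [i for i, column in enumerate(zip(*tokens)) if len(set(column)) > 1]


def keyspace_bits(n_varying, alphabet_size=ALPHABET_SIZE):
    """Upper bound on token entropy in bits.

    Assumes every varying position is uniform and independent; a position
    that is really a counter contributes less than this bound.
    """
    return n_varying * math.log2(alphabet_size)


def guesses_per_valid_token(n_varying, issued, alphabet_size=ALPHABET_SIZE):
    """Expected number of guesses per valid token: keyspace / tokens issued."""
    return alphabet_size ** n_varying / issued


def hit_probability(bits, issued, attempts):
    """Chance that at least one of `attempts` uniform guesses is a valid token."""
    p_single = issued / 2.0 ** bits
    # log1p/expm1 keep precision when p_single is far below float epsilon.
    return -math.expm1(attempts * math.log1p(-p_single))


def new_token(min_bits=128):
    """Hardened alternative (assumed target: 128 bits) from the OS CSPRNG."""
    return secrets.token_urlsafe(math.ceil(min_bits / 8))


if __name__ == "__main__":
    pos = varying_positions(SAMPLE_TOKENS)
    bits = keyspace_bits(len(pos))
    print("varying positions:", pos)
    print("entropy upper bound: %.2f bits" % bits)
    print("guesses per valid token (1,600 issued): %.2f"
          % guesses_per_valid_token(len(pos), 1600))
    print("128-bit token, 1e9 guesses: %.3g" % hit_probability(128, 1600, 1e9))
    print("example hardened token:", new_token())
```

With roughly 15.5 bits of entropy at most, the one-time link is closer to a short PIN than to a secret; the same audit on 128-bit tokens makes online guessing negligible even before rate limiting is considered.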
Factoring this in, I was able to write a combination of PHP and Perl applications which can, in essence, conduct election fraud. They come in three parts, and use Amazon SQS to communicate between each other. This allows for the application (with the exception of the first script) to be run on many servers at once.
The first, a Perl script, takes one known survey URL as its parameter, then guesses the rest of them in order of probability. It is actually in two parts: one calculates the URLs and passes them to the second to send to SQS, so that the network is not the bottleneck; the second is multi-threaded. It sends its results to the second script, which issues HTTP requests to see if the links exist. It changes proxies every 100 links. It then passes its results to the PHP script, which POSTs the votes specified by the attacker to the survey, using a new proxy each time. The proxies are a pre-compiled list based on various resources.
Okay, so this is kind of noticeable, because legitimate users trying to vote will be locked out. However, this does work - this is not just an idea, I have done it using a test survey. I rented one hour of computing time on four servers from Amazon EC2: one (8-core) machine to calculate the URLs, two machines to check them, and then a final machine to POST the fraudulent data.
Of the 900 links I sent out to an email address silently discarding them (and the one sent to my own), I was able to guess 400, more than 40% of the total possible votes. Even if everyone voted, so long as the people being voted for are not idiots, there’s a very good chance they will win.
My total cost throughout this: less than $2!
Now, at this point I’d like to point out that the protection provided by Zoomerang is probably good enough for most surveys. However, I would not trust higher-risk data collection to them. You may think it’s impractical to conduct such an attack, but teenagers today are always looking to mess with people. The scripts took me less than 10 hours, and everything I needed to know I learned from books available at the library and Google searches.
Because I actually have an interest in who wins the election this upcoming year (they don’t seem to have much effect either way, but some of the people who won this past year are people I consider neither nice nor good leaders) I’m not going to release the exploit scripts until safe to do so - either after the elections, or if the school decides not to use Zoomerang to manage them. Bookmark this page and it’ll eventually be here, probably. I suppose if I post it, the nice people at Zoomerang will try to sue me, though this would be baseless and mostly an effort to get me to take it down through legal force. Whether it remains up, in that case, depends on whether or not the EFF is willing to defend the right to post exploit scripts for the sake of fixing problems.
This ridiculously long post was brought to you by ARSON News, a site I update no more frequently than this one. :-/