We found an exploit in InsideRIA's polling software - and we were not the only ones

InsideRIA for a discussion at Adobe Max. When I say compete, you might conjure up images of banner ads on web sites, Twitter posts and Facebook messages. Nearly all of the contestants have done things like that (just look at their respective web sites), and it seems fair. In fact, part of the purpose of the competition is to drum up interest in InsideRIA, and the above tactics are well within the spirit of that goal.

However, we noticed some irregularities in the process. Certain sites, some of which were hundreds of votes behind, jumped 500 votes overnight and then stagnated for a while, only to surge again whenever they started to lag behind.

Armed with the realization that something didn't smell right, we decided to investigate to see if the system could be gamed.

We came across the X-Forwarded-For HTTP header. Its legitimate purpose is to let a proxy pass along the IP address of the client it is forwarding for, since from the origin server's point of view every proxied request otherwise appears to come from the proxy itself. The poll, as we discovered, trusts this header as the voter's identity: whatever address is supplied in it is what the poll uses to decide whether that "IP" has already voted, and since the header is sent by the client, it can hold any value at all. All a scripter would have to do is send a POST to http://www.oreillynet.com/pub/pq/237 (the poll results page) with a body of qid=237&aid=[poll choice value here] (in our case it was 1289) and add the header "X-Forwarded-For: [random IP address here]". Send the POST 500 times with 500 random IP addresses and voila, you have 500 votes for your company. The underlying problem is simple: a server should only honour X-Forwarded-For when the connection actually comes from a reverse proxy it controls, and should otherwise identify the client by the address of the TCP connection, which cannot be forged in the same way.
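To make the flaw and its fix concrete, here is an added example (our own illustration, not InsideRIA's code, whose internals we have not seen). It models the vote-deduplication step two ways: a naive version that trusts X-Forwarded-For unconditionally, which is the behaviour the poll appears to have, and a hardened version that only honours the header when the connecting peer is a known reverse proxy and then takes the right-most address that is not itself a proxy. The proxy range, the request objects and the sample requests are all constructed for the example; the qid/aid values are the ones from the poll described above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Set, Tuple

# Hypothetical address range of the site's own reverse proxies (assumption for
# the example; we do not know InsideRIA's real topology).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


@dataclass
class Request:
    """Minimal stand-in for one HTTP POST to the poll endpoint."""
    remote_addr: str         # peer address of the TCP connection (not forgeable by a header)
    headers: Dict[str, str]  # request headers as sent by the client
    body: Dict[str, str]     # form fields, e.g. {"qid": "237", "aid": "1289"}


def naive_client_ip(req: Request) -> str:
    """Vulnerable: whatever the client puts in X-Forwarded-For becomes its identity."""
    xff = req.headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return req.remote_addr


def hardened_client_ip(req: Request, trusted=TRUSTED_PROXIES) -> str:
    """Honour X-Forwarded-For only when the peer is one of our proxies, and then
    use the right-most hop that is not a proxy: proxies append the true peer on
    the right, so anything a client prepended on the left is ignored."""
    peer = ip_address(req.remote_addr)
    if not any(peer in net for net in trusted):
        return req.remote_addr  # direct connection: the header is untrustworthy
    hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return req.remote_addr  # malformed header: fall back to the peer
        if not any(addr in net for net in trusted):
            return str(addr)
    return req.remote_addr


def tally(requests: List[Request], identify: Callable[[Request], str]) -> Dict[str, int]:
    """Count one vote per (question, client identity); result is keyed by answer id."""
    seen: Set[Tuple[str, str]] = set()
    votes: Dict[str, int] = {}
    for req in requests:
        key = (req.body["qid"], identify(req))
        if key in seen:
            continue
        seen.add(key)
        votes[req.body["aid"]] = votes.get(req.body["aid"], 0) + 1
    return votes


def build_sample_requests() -> List[Request]:
    """Constructed traffic: one attacker stuffing the ballot, one genuine voter."""
    vote = {"qid": "237", "aid": "1289"}
    # Attacker at 198.51.100.7 hits the origin directly, forging a different XFF each time.
    reqs = [Request("198.51.100.7", {"X-Forwarded-For": f"192.0.2.{i}"}, dict(vote))
            for i in range(1, 6)]
    # Same attacker again, this time through the site's proxy, which appends the real peer.
    reqs.append(Request("10.0.0.5", {"X-Forwarded-For": "192.0.2.6, 198.51.100.7"}, dict(vote)))
    # A genuine voter behind the proxy voting for a competing entry.
    reqs.append(Request("10.0.0.5", {"X-Forwarded-For": "203.0.113.9"},
                        {"qid": "237", "aid": "1290"}))
    return reqs


def demo() -> Tuple[Dict[str, int], Dict[str, int]]:
    """Tally the same traffic under both policies."""
    reqs = build_sample_requests()
    return tally(reqs, naive_client_ip), tally(reqs, hardened_client_ip)


if __name__ == "__main__":
    naive, hardened = demo()
    print("naive  :", naive)     # six forged identities count as six votes for 1289
    print("hardened:", hardened)  # the attacker collapses to a single vote
```

Under the naive policy the six requests from one machine land as six votes for entry 1289; under the hardened policy they collapse to one, while the legitimate voter behind the proxy is still identified correctly. Note that in a real deployment the proxy list must be exact: if the origin also accepts direct connections, as the poll evidently did, the check on the peer address is the only thing standing between a random header value and a fresh vote.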

We are not going to use this hole ourselves (and would have shared it only with InsideRIA had we not noticed it already being used by others). We do wish to point out that participating in a competition with an obvious flaw that competitors can exploit makes us rather uncomfortable. I hope InsideRIA will fix the vote check and restart the competition (which ends this coming Sunday night) from scratch.