Feeds

Hackers stuff ballot box for Time Magazine's top 100 poll

'World's most influential' list is mooted

3 Big data security analytics techniques

Time Magazine's poll of the 100 most influential people has been hacked by a motley band of online troublemakers who have managed to manipulate the top 21 names so their first letters spell "marblecake, also the game."

According to an inside account detailed by blogger Paul Lamere, members of the 4chan website exploited weaknesses in the web application that Time used to record reader votes. As a result, moot, the 20-something founder of 4chan, tops the list, which Time bills as "the world's most influential people in government, science, technology and the arts."

"Ultimately, this hack involved lots of work and a little bit of luck," Lamere wrote. "Someone figured out the voting URL protocol. A bunch of folks wrote various autovoters, which were then used by a thousand or more to stack the vote in moot's favor. Others sprinkled the spam URLs throughout the forums tricking the 'competition' into voting for moot."

Time spokeswoman Betsy Burton confirmed the hack. "We took many preventative measures to maintain the integrity of the Time 100 poll on Time.com, and moot has a passionate community of users who worked to influence the poll," she wrote in an email.

According to Lamere, the hack involved two perl scripts. The first located the highest-rated person in the poll who wasn't one of the desired 21 winners and voted the person down. A second program made sure that each of the 21 names were rated in the proper order. In all, the scripts comprised less than 200 lines of code.

The hack worked because Time's web application allowed votes to be cast by submitting a simple URL get request. Hitting the address http://www.timepolls.com/contentpolls/Vote.do?pollName=time100_2009&id=1883924&rating=1, for example, automatically registered a vote in favor of the Korean pop star Rain, who has dominated the Time poll in previous years. (He's listed as No. 22 this time around.)

During early rounds, the voting application employed no authentication or validation, allowing tricksters to stuff the virtual ballot box with an unlimited number of votes. The result was a 300-percent rating for moot. Eventually, votes required an MD5 hash of the URL and a secret word, but the 4chan members worked around this measure after discovering the word in an Adobe Flash application employed by Time.

The hackers crafted several autovoters that voted people up or down as needed. They worked around restrictions that allowed an IP address to vote for a candidate every 13 seconds by cycling through a list of candidates. Strangely, there were no caps placed on his IP address at all, an oddity one of the hackers guesses was the result of the voting app not being able to work with the IPv6 address he used.

Marblecake, by the way, is the IRC channel where 4chan's Message to Scientology video originated.

It's only the latest online prank to be orchestrated by members of 4chan. The group is also credited with starting the Rickrolling and lolcats memes. Now the group has managed to make Time look silly while nominating one of their own as the magazine's most influential person. ®

High performance access to file storage

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
Sorry London, Europe's top tech city is Munich
New 'Atlas of ICT Activity' finds innovation isn't happening at Silicon Roundabout
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.