Inflating Votes on PollDaddy.com. The Battle for the iPad in 4 Acts


    1. Prehistory

    For some time now I have been following the development of the startup friendsaround.me. The idea of the startup is to launch a location-aware social network for owners of mobile devices. As far as I understand, they are still in development, but that’s not the point. I follow it rather passively, so it was only on March 7 that I found out they were holding a competition for the best tagline for their product, with the main and only prize being an iPad (or rather an iTunes gift card for the amount needed to buy one). The competition ended on March 7, and having looked through the entries submitted so far (and not having found any I liked), I decided to try my luck too. After several minutes of creative thinking, several options were spinning in my head, of which I settled on the slogan “Locate Friendship!” (Well, I thought, it’s short, clear and to the point. Excellent slogan!). I submitted it ...

    2. History

    The next day it turned out that my slogan did not disappoint me and ended up in the finals - this is success :)!
    The final was a vote in which everyone was invited to choose the most popular slogan from the 10 finalists. Voting was done through polldaddy.com, a service whose main purpose is precisely to run various kinds of polls. So I was (naively) hoping for a fair fight and began actively sending campaign messages to friends along the lines of "Dudes, support my outstanding slogan!" The “dudes” supported me (thank you, by the way, if you are reading this), the vote count next to my entry gradually crept up, and conflicting thoughts had already begun to appear in my head, along the lines of “Hmm, why do I need another iPhone?! I’d better add some money and buy a MacBook right away!!! Hmm, although why do I need a MacBook?!” But here the first disappointment awaited me ...

    Without a second thought, I decided to check the current results once again. At the time, the only way to see the results was to vote again (I did not immediately notice the “show results” button), which led to a page that politely reported that re-voting was impossible but showed the current result. Imagine my surprise when, going to this page once again, I suddenly saw the message "Thank you for voting!". “Ahh, this is probably because the browser is different ... But do they really not block by IP?” flashed through my head. “How can that be?!” I tried from a third browser: plus one more vote. So it is probably blocking re-voting by cookie ... I opened Chrome in incognito mode (which should not keep cookies), and so it was.
    I had absolutely no desire to sit and dumbly inflate the count by opening and closing the browser, so, having honestly written to the contest administration about my discovery, I continued to campaign among my friends. My main argument for continuing to participate was the hope that the organizers, people who do web/mobile development (and are even going to launch a startup soon), must understand that in this form the vote loses its meaning before it starts. “They are probably still recording IPs and just want to identify all the cheaters at once, without prompting them to come up with a harder-to-track way of cheating,” I thought, again naively ...

    Meanwhile, by the end of the second day of the final (March 9), my slogan had taken second place and was slowly approaching the first (which, as I sensed (and as turned out to be true), was being inflated, and inflated by hand: I have 120 votes, he has 140; 3 hours later I have 139 and he still has the same 140, but 5 minutes later it’s 160). According to the terms of the competition, the winner would be whoever had the most votes on March 10. I suspected that “March 10” actually meant 00:00 on March 11, but realizing that this could be read two ways and that unusual movements were possible that very night, I took a screenshot just in case. Waking up the next morning, I realized that the guys’ nerves had given out after all, and the picture already looked like this:

    As it turned out, about 3 and a half thousand people (out of the 4,100 who had voted by then) could not rest that night without voting for their favorite slogan.
    The funny thing is that, despite the absurdity of the situation, the participants firmly believed in their “honest” victory and that no one suspected anything (!), and pulled ahead by more than 50-100 votes ...

    At that point I decided to look at the PollDaddy.com service “from the other side” and registered on it (registration was free). It had a paid and a free version. The paid one offered various ways to track poll results, while the free one offered nothing of the kind and showed roughly the same information that was already visible to all participants. The free version also added a small link to the PollDaddy.com site itself. This is the link that can be seen in the screenshots I attached.
    The contest administration, from whom I expected at least some reaction to the night’s events, dispelled all my faith in them with a message on Twitter: “Guys! Vote for your favorite slogan! Today is the last chance to vote!” (a slightly loose translation from English). I tried writing to the administration again, asking them to clarify their position on the vote inflation, and saying that if they were still going to give the prize to the participant with the "largest" number of votes no matter what, I could also try writing my own script. I waited a couple of hours for an answer that never came ... Apparently they didn’t care who exactly received the notorious iPad: they already had their slogans ...

    In fact, at that moment I felt most uncomfortable before the friends who had responded to my request and voted (and who were now writing to tell me not to be upset and that the results were probably rigged). In addition, a sporting interest began to arise, since I had never had to rig a vote before, and as a web developer it was interesting to finally try it (all the more so since 2 out of 10 people had already done it; I think the 3rd one was still cheating by hand :)).
    Of course, there was also an alternative: wait until the competition is over and the prize has found its “legitimate” winner, and then join the ranks of those fighting for the truth and write spiteful, angry messages in the style of “We were deceived! Return the iPad to its rightful owner!!! I had 190 honest votes!!!!" So, under the motto “Maybe someone will condemn me, but I will not be among such people”, I pressed the treasured “View page source” button ...

    3. Cheat

    Everything turned out to be even easier than I thought. The Vote! button had the following markup:

    The vote() function itself looked like this:

    function vote(id, poll_other, rand, poll_type, u) {
      var answerString = '';
      var otherText = '';

      // Collect the values of all checked checkboxes / radio buttons
      for (i = 0; i < document.formPoll.elements.length; i++) {
        if (document.formPoll.elements[i].type == "checkbox" || document.formPoll.elements[i].type == "radio") {
          if (document.formPoll.elements[i].checked) {
            answerString += document.formPoll.elements[i].value + ',';
          }
        }
      }

      // Optional free-text "other" answer
      if (poll_other == 1) {
        otherText = _$('PDI_OtherText').value;
      }

      // The vote is submitted as a plain GET request assembled on the client
      if (answerString.length > 0 || otherText.length > 0) {
        location.href = '/vote.php?va=' + u + '&pt=' + poll_type + '&r=' + rand + '&p=' + id + '&a=' + answerString + '&o=' + otherText;
      } else {
        alert( alert_no_answer );
      }
    }

    Well, everything seems clear: we take the value (id) of the selected radio button and send it to the given address along with the rest of the parameters. The only thing that confused me was the variable rand, which apparently implied some random value, yet no matter how many times I reloaded the page, it was always 0.
    After that, all I had to do was write a small console application (I used C#) that builds an HTTP GET request and sends it to that same address.

    static void Main(string[] args)
    {
      int repeat = (args.Length > 0) ? int.Parse(args[0]) : 1;
      int sleepTime = 2000; //2 sec
      int rand = 0;
      string userAgent = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.3 Safari/533.2";
      int pollid = 2812840;
      int voting_id = 13304535;

      for (int i = 0; i < repeat; i++)
      {
        Console.Write(i + " - ");
        string query = "http://polldaddy.com/vote.php?va=10&pt=0&r=" + rand + "&p=" + pollid + "&a=" + voting_id + ",&o=";
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(query);
        request.UserAgent = userAgent;
        HttpWebResponse response;
        response = (HttpWebResponse)request.GetResponse();
        Console.WriteLine(". Waiting " + sleepTime/1000 + " seconds");
      }
    }

    I wrote it. Just in case, I put a 2-second pause between requests. I launch it: the first request is OK, the second request is OK, the third request: operation has timed out. What the hell?! I start it again and get the same thing: the third request does not go through. I increased the pause between requests to 10 seconds. It does not help. I decided to use Fiddler to see what was going on:

    Fiddler showed that the first page actually returns an HTTP 302 and redirects to another one, but I did not notice any other differences between the requests. I added request.AllowAutoRedirect = true to the code so that the request would be redirected automatically (although, in principle, this should be the default anyway), with the same result again. Luck came unexpectedly: by chance it turned out that with Fiddler turned on, the third request went through without a hitch (as you can see in the picture), and so did the fourth, the fifth, and so on. There was no time to work out the difference between a request that goes through the Fiddler proxy and an ordinary one; the main thing was that, in principle, the cheat tool was ready. It could be run.

    Nevertheless, I didn’t want to stop at such a simple solution; I wanted to make the task harder somehow, especially since, when I registered at polldaddy.com and created my own test poll, I did see the option “Block by cookie and IP” there, which for some strange reason had been ignored by the organizers of the vote. Realizing that at any moment they could still “discover” this option and thus cut off my cheat, I decided to prepare in advance ... Naturally, it was not possible to get 10 thousand people to launch my .NET application, so I began to lean towards JavaScript that would send an ajax GET request when some page loads and then redirect to another page with more interesting content. One could then post such a link on some popular resource and solve the IP-blocking problem. I made such a page using jQuery (here), but in the end it never came in handy.
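
    The two gaps described above, the r parameter that is always 0 and the unused “Block by cookie and IP” option, can both be closed on the server: a signed single-use token has to be read from the poll page, so a request fired blindly from a third-party page carries no valid one, and deduplication no longer depends on the cookie alone. This is an added example, not PollDaddy's code; the function names, the token format, the lifetime and the in-memory stores are all assumptions.

```javascript
// Added example, not PollDaddy's code. All names are hypothetical.
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32);   // per-deployment signing key
const TOKEN_TTL_MS = 10 * 60 * 1000;     // token lifetime (assumed value)
const usedNonces = new Set();            // in-memory for the demo only
const voters = new Set();                // "poll|ip|..." and "poll|ck|..." keys

const sign = (data) =>
  crypto.createHmac('sha256', SECRET).update(data).digest('hex');

// Issued when the poll page is rendered; takes the place of the constant r=0.
function issueToken(pollId, now = Date.now()) {
  const body = `${pollId}.${now}.${crypto.randomBytes(16).toString('hex')}`;
  return `${body}.${sign(body)}`;
}

// Returns 'ok' or the reason the vote is rejected.
function acceptVote({ pollId, token, ip, cookieId }, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 4) return 'bad-token';
  const [tPoll, tIssued, nonce, mac] = parts;
  const want = Buffer.from(sign(`${tPoll}.${tIssued}.${nonce}`));
  const got = Buffer.from(mac);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return 'bad-token';                  // forged, truncated or r=0
  }
  if (tPoll !== String(pollId)) return 'bad-token';   // token from another poll
  if (now - Number(tIssued) > TOKEN_TTL_MS) return 'expired-token';
  if (usedNonces.has(nonce)) return 'replayed-token'; // same URL sent twice
  // Dedupe on IP always and on the cookie when present, so a fresh browser
  // profile or incognito window on the same address is still a duplicate.
  const keys = [`${pollId}|ip|${ip}`];
  if (cookieId) keys.push(`${pollId}|ck|${cookieId}`);
  if (keys.some((k) => voters.has(k))) return 'duplicate';
  usedNonces.add(nonce);
  keys.forEach((k) => voters.add(k));
  return 'ok';
}
```

    IP-based deduplication also rejects legitimate voters who share an address, which is the trade-off of that option.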

    4. The end of the story

    I was ready to start inflating when about 7 hours remained until the end of the competition. Playing the game the competition had turned into and coming out on top with a 10-vote lead seemed silly. If you’re going to cheat, then cheat!!! I thought, and turned it on at maximum speed. After some time, I started it on another machine with a different IP. After about half an hour I caught up with the “leaders”. At this point the administration finally woke up and made the first correct decision in this story: it turned off the ability to view the results. After another 3 hours, when by my calculations I should have had about 5-6 thousand votes, the vote was stopped altogether. The official reason, which they later announced on their Twitter, was inconsistencies in voting practice.

    The next day they announced what is effectively a new competition, which now consists of simply posting a specific message on Twitter, with the winner selected at random from those who posted. Of course, I posted a message, but I have practically no interest in this contest. You can also participate, by the way, if you want: http://friendsaround.me/contest (if you win, you will need a US address to deliver the prize to; write to me if anything, I can help with this).

    In the end, when I asked why it had been so difficult to think of protection against vote inflation in advance, one of the organizers replied on Twitter that they simply hadn’t bothered much with preparing the competition ... Well, let’s hope that they will at least take the launch of their startup more seriously ...

    UPD: By the way, I still haven’t figured out why the third and subsequent requests in my cheat tool only went through with Fiddler turned on. I would be grateful if someone could tell me the reason ...
