4chan members carry out a precision hack of Time 100 poll

The "Time 100" is the magazine's attempt to let readers build a definitive list of the 100 most influential people in government, science, technology and the arts. That is, until a group of 4chan members got involved.

Thanks to a poorly configured Web polling application, this year's crowdsourced list was inundated with fake votes in order to display a mysterious message. Blogger Paul Lamere was given an insider's explanation of the hack, and describes how Time never really had a chance:


In early stages of the poll, Time.com didn't have any authentication or validation - the door was wide open to any client that wanted to stuff the ballot box.

Soon afterward, it was discovered that the Time.com Poll didn't even range check its parameters to ensure that the ratings fell within the 1 to 100 range. The autovoters were adapted to take advantage of this loophole, which resulted in the Time.com poll showing moot with a 300% rating, while all other candidates had ratings far below zero.

Shortly afterward, one of the members discovered that the 'salt', the key to authenticating requests, was poorly hidden in Time.com's voting Flash application and could be extracted.

Another challenge faced by the autovoters was that if you voted for the same person more often than once every 13 seconds, your IP would be banned from voting. However, it was noticed that you could cycle through votes for other candidates during those 13 seconds. The autovoters quickly adapted.
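The weaknesses described above map onto three server-side checks. The sketch below is an added example, not code from Time.com or from Lamere's post: it enforces the 1 to 100 range, applies the 13-second interval per IP across all candidates rather than per candidate, and replaces a client-embedded salt with a single-use token signed by a key that never leaves the server. The class and method names, the token format and the sample IP address are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # stays on the server; never shipped in client code
MIN_RATING, MAX_RATING = 1, 100        # rating range stated in the article
MIN_INTERVAL = 13.0                    # seconds, applied per IP across ALL candidates


class VoteValidator:                   # hypothetical name, for illustration only
    def __init__(self):
        self.last_vote_at = {}         # ip -> time of the last accepted vote
        self.used_nonces = set()       # nonces that have already been spent

    def _mac(self, ip, nonce):
        msg = f"{ip}|{nonce}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue_token(self, ip):
        """Give the client a single-use nonce and a MAC it cannot compute itself."""
        nonce = secrets.token_hex(16)
        return nonce, self._mac(ip, nonce)

    def check(self, ip, candidate, rating, nonce, mac, now):
        """Return (accepted, reason) for one submitted vote."""
        expected = self._mac(ip, nonce)
        if not hmac.compare_digest(str(mac).encode(), expected.encode()):
            return False, "bad token"
        if nonce in self.used_nonces:
            return False, "token replayed"
        if not isinstance(rating, int) or not MIN_RATING <= rating <= MAX_RATING:
            return False, "rating out of range"
        last = self.last_vote_at.get(ip)
        # One clock per IP, so voting for other candidates does not reset it.
        if last is not None and now - last < MIN_INTERVAL:
            return False, "rate limited"
        self.used_nonces.add(nonce)
        self.last_vote_at[ip] = now
        return True, "ok"


if __name__ == "__main__":
    v = VoteValidator()
    ip = "203.0.113.5"                 # constructed sample address (documentation range)
    n, m = v.issue_token(ip)
    print(v.check(ip, "moot", 300, n, m, now=0.0))   # rejected: out of range
    print(v.check(ip, "moot", 100, n, m, now=0.0))   # accepted
```

These checks close the specific gaps listed in the excerpt; they do not by themselves stop votes arriving from many distinct addresses.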

The hackers didn't just rig the top result, or the top 10. They arranged the top 21 winners so that the first letters of their names spelled out "MARBLECAKE, ALSO THE GAME." Result No. 1 was "moot," the pseudonym of Christopher Poole, operator of the not-at-all-safe-for-work imageboard 4chan.

Lamere says his pseudonymous contacts within the 4chan community said "the hack is the work of a dozen or so, backed by an army of a thousand who downloaded and ran the autovoters and also backed by an untold number of others that unwittingly fell prey to the spam url autovoters."

In the days since the hack was revealed, the "Marble Cake" message has gradually started to become scrambled in the results, but no matter: The list is still based on an untold number of bogus votes, and cannot be treated as an accurate gauge of the public's opinion. We contacted Time for comment, but a promised explanation from Time's editorial department never materialized.

As for 4chan, why would members bother scrambling the online poll of a frumpy news mag? There is no why. They did it for the lulz.

This story, "4chan members carry out a precision hack of Time 100 poll" was originally published by The Industry Standard.