Nov 24

AskBwog: Can You Hack the ROTC Survey?


A tech-savvy commenter speculated that after “clearing their cookies” (a term we’ll define for the computer illiterate in just a minute), voters can change their personal survey ID number to someone else’s, which in theory would mean that anyone would be able to vote multiple times. 

Bwog’s on-call computer whiz kids Hans E Hyttinen and Anish Bramhandkar explain why this is actually possible, but relatively unlikely:

Hans: Once you access the survey page, a cookie is created on your computer that stores a bit of information, probably indicating whether or not you have completed the survey, so that the next time you visit that URL, it can let you resume your survey (try this by clicking on your link, but closing the page without voting and then reopening the page). I don’t think clearing the cookie would do anything of consequence.

If you do change the ID number in the URL, it looks like you can vote again on that ID, just like you can vote again on your ID. It’s very stupid that there is no confirmation message or “sorry, you have already voted” message.

However, everyone is given a unique identifier (in the “WEM=” part of the URL) that you’d be hard pressed to just guess. So no, I don’t think you can actually change someone’s vote.

Anish: Perhaps they’re tracking by IP address? Perhaps preventing subsequent votes that aren’t from the same IP. Columbia IPs are dynamic, but most people are connected constantly enough that they don’t change.

I doubt that they’re doing either of these, but the ID number in the survey URL is so long that you’d be hard-pressed to find someone else’s legit ID.

Still, minutes later, one Bwog staffer tested it out and “changed one of the numbers and got a different working link. Clearing cookies was necessary, though. When I went back and clicked my own link, I had my own displayed.”
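The server-side checks the post finds missing, sketched as an added example that is not part of the original post and not the survey vendor's code: random 128-bit link tokens, so that changing one character does not land on another working link, and a one-vote-per-token rule kept on the server rather than in a cookie. The class and method names are hypothetical.

```python
import hashlib
import secrets
from collections import Counter


class SurveyBallots:
    """Hypothetical survey backend: one random link token per voter, one vote per token."""

    def __init__(self):
        # Maps sha256(token) -> recorded choice, or None while the token is unused.
        # Storing only the digest means a leaked table does not reveal usable links.
        self._ballots = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self):
        """Create the value that would go in a voter's survey link."""
        token = secrets.token_urlsafe(16)  # 128 random bits, not a counter
        self._ballots[self._digest(token)] = None
        return token

    def vote(self, token, choice):
        """Record a vote; the decision never depends on cookies or client state."""
        if not token:
            return "invalid"            # no identifier in the request at all
        key = self._digest(token)
        if key not in self._ballots:
            return "invalid"            # altered or guessed token
        if self._ballots[key] is not None:
            return "already-voted"      # tell the voter instead of silently re-voting
        self._ballots[key] = choice
        return "recorded"

    def tally(self):
        return Counter(c for c in self._ballots.values() if c is not None)


if __name__ == "__main__":
    survey = SurveyBallots()
    link_token = survey.issue()  # constructed sample voter
    print(survey.vote(link_token, "yes"))
    print(survey.vote(link_token, "no"))
    print(dict(survey.tally()))
```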


23 Comments

  1. ...  

    And thanks to Google Chrome's incognito mode, which doesn't store cookies....

  2. ccit  

    is officially retarded

  3. ccit  

    welcome to bureaucracy. ccit does exist, in the hamilton basement.

  4. Can you trust this?

    If it's that easy to cheat? Is the USenate really going to listen to a vote that can be hacked this easily? It's worse than Florida in 2000.

  5. Duh

    you should have to log in to vote so everyone could only vote once. Duh, CCIT.

    • wait

      what's that? you want different parts of the fractured bureaucracy to work together to create a survey based on the preexisting WIND login structure (i.e. using your UNI)?

      Nooooo, that's crazy talk man!

  6. Ridiculous  

    This is ridiculous! We already pay-out tuition, register for classes, and pick housing on-line! How hard is it to make a secure one-question survey?

  7. Bwog Experts  

    I voted in the computer room at Lerner. If someone else tries to vote on the survey using the same computer as I did, will it override my vote?

  8. hahaha  

    hilarious.

    probably not ccit's fault. i'd prefer to blame the councils.

  9. what about  

    my phone? I was able to take it twice...shame on me.

  10. wondering

    How easy would it have been to repurpose the Council elections voting system for this survey?

  11. I am expecting...  

    No less than a 150% voter turnout for the survey now.

  12. Who  

    on the councils thought letting CCIT do something this dumb was a good idea?

    Why not just do stuff the way we do elections?

  13. actually  

    i'm expecting a 5 percent turnout since everyone will have used the same link.

  14. The councils  

    chose to use surveysays without consulting CCIT. They were the ones dumb enough to choose a poll system without WIND authentication.

  15. ...  

    i was able to pull up a survey page and vote without an identification url token or cookie. whether or not this means anything (the vote will probably just show up as unassociated with an identifier, and if they're smart, they'll toss votes without identifiers) is hard to say...

    however, it is somewhat apparent that the software they chose to use wasn't specifically designed with a "trusted voting" use case in mind.

  16. well  

    you can't spell CommUnIsT without CUIT

    and for the old farts, you can't spell fACISt without acis :)

© 2006-2015 Blue and White Publishing Inc.