Six months ago, the Producer of one of the largest reality TV shows in India called me frantically. “We have heard that you do some work in website security,” he said. “We are seeing some strange activity on our online voting system. We would like you to have a look at it.” A few hours later, I was seated in a small room in the office of the TV studio. The producer had brought me into the room as an “IT consultant”, lest my real mission be known to others in the office. After a cup of customary tea, he explained the situation to me. The format was simple. There were a bunch of contestants in the endurance-oriented reality show. The voting process was pretty standard: the audience could vote using SMS or the online voting system.
At the end of each week, the anchor, based on the number of votes, would vote out a contestant from the show. The winning contestant would receive multiple prizes (car, cash, apartment, etc.). The show was a big deal, with millions of dollars (crores of rupees) riding on it. The show’s format was foreign, hence its governance, voting and audit systems were foreign too; they had been licensed for an Indian audience. The TV studio didn’t have any details related to the votes. The online voting system was an extremely popular survey management app used by several large corporations. Every week, a third-party audit company would download the results from the online app. The results would be filtered based on IP address: up to 100 votes per IP address were allowed (as India has mostly dynamic IPs from ISPs), and votes from IPs outside India, or beyond the 100th vote from a single IP, would be disregarded.
The Producer suspected that someone had been rigging votes for a particular candidate through the online system. He didn’t know how, and neither they nor the audit company had the knowledge to investigate a possible misuse of the online voting system. Our job was this: we needed to find a way in which someone could manipulate the online voting system to commit fraud. We didn’t have access to the audit firm or the TV studio.
There were some problems. The online voting system was extremely popular. It was being used by millions of companies, small and large, all around the globe. Surely, we thought, they would have addressed any issue that could result in manipulation of voting or survey results. After some research, we settled on a simple yet highly effective technique to bypass the voting system and stuff votes for a particular candidate. The technique was as follows:
The online voting system was an ASP.NET application. So, our first job was to write a scraper that would automate the user’s voting process. Those who have written scrapers for ASP.NET will know that you need to scrape each page of the process, owing to the ViewState and Event Validation parameters along with other hidden parameters such as a CSRF token. For that we used Python’s trusty requests library. To parse the HTML, we used BeautifulSoup4.
The next challenge was to actually “rig the vote”. We had to simulate requests from a bunch of IP addresses (from India, mind you) and post them to the online voting app, and we could only use 100 votes per IP address. If we had to make a dent in the voting for this reality show, we needed millions of votes, which in turn meant thousands of IP addresses.
We achieved this with a little-known HTTP header called ‘X-Forwarded-For’ (XFF). XFF is a header used to identify the originating IP of a client to a web server when the request passes through a proxy or load balancer. We loaded Indian IP ranges into a Python program, looped over them in our scraper, set each (spoofed) address as the value of the XFF header, and blasted the online voting system (with a multi-threaded Python program ;)).
snipped HTTP header URL
Within minutes the Producer called me to say that the votes on the voting system had suddenly spiked. We verified the IP addresses to ensure that they were from our “vote rigger” and successfully demonstrated how we were able to hack a major reality TV show with nothing more than the HTTP protocol.
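The weakness the story turns on is a backend that believes whatever the client puts in X-Forwarded-For. The following added example (my own illustration, not code from the post or from the voting app) shows the naive IP resolver beside a hardened one that only honours XFF when the request really arrived via a known proxy, and runs a constructed batch of spoofed votes through the 100-per-IP cap described above. The proxy address, client addresses and header values are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed: the only reverse proxy / load balancer sitting in front of the app.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
VOTES_PER_IP = 100  # the audit rule from the post


def naive_client_ip(remote_addr, headers):
    """Weak approach: trust the leftmost XFF entry, which the client controls."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def hardened_client_ip(remote_addr, headers):
    """Honour XFF only when the TCP peer is a trusted proxy, and then take the
    rightmost hop that is not one of our own proxies (the address our proxy
    appended). A direct connection keeps its socket address; the header is
    just untrusted input there."""
    if ipaddress.ip_address(remote_addr) not in TRUSTED_PROXIES:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if ipaddress.ip_address(hop) not in TRUSTED_PROXIES:
                return hop
        except ValueError:
            break  # malformed hop: stop trusting the chain, fall back to the peer
    return remote_addr


def count_accepted(requests, resolver):
    """Apply the per-IP cap to (remote_addr, headers) vote submissions and
    return how many the auditor would have counted."""
    seen = Counter()
    accepted = 0
    for remote_addr, headers in requests:
        ip = resolver(remote_addr, headers)
        if seen[ip] < VOTES_PER_IP:
            seen[ip] += 1
            accepted += 1
    return accepted


def spoofed_batch(n=300):
    """Constructed sample: one host (198.51.100.7) behind the trusted proxy sends
    n votes, each claiming a different address in XFF. The proxy appends the
    real peer address, so the app sees '<spoofed>, 198.51.100.7'."""
    return [("10.0.0.5", {"X-Forwarded-For": f"203.0.113.{i % 250 + 1}, 198.51.100.7"})
            for i in range(n)]
```

With the naive resolver all 300 spoofed votes pass the cap; the hardened resolver collapses them onto the one real source address and accepts only 100.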