How much secure can $5000 be?



  •  So there was this post i received by someone in the 'vote for me' form for a website granting $5000 to the winner of a silverlight coding contest, you just had to register with fake details (no email validation or verification) and vote. Fair game, ask your friend to vote. Then there was this second post "did someone notice that when you give half a star, you can again vote half a star and another.... can be interresting tu bury opponent" Just took a look at the wire (shark) and saw the ajax voting url, change it. Now you can also vote as many time as you want, for as many time as you which, looking like any user you want. Just change the url parameter. And you can give minus hundred stars (in the range 0-5) to participants.

     Go on, have a nice wtf 10 days (contest voting ends 14 may):

    http://www.serverquestcontest.com/index.aspx

     

    i bet the $5000 winner will be to most cheater one :D

     

    PS: discovering the urls is left as a simple exercice to reader :D

    PPS: there is also a way to get a few lines of the server side code



  •  Uhhh... you might want to try passing this through babelfish again with the output language set to "English" instead of "vaguely Englishy".



  • So
    I received this post from someone in the form of a "vote for me" on a
    website offering $ 5,000 to the winner of a programming silverlight.
    You just register on the website with false details (no email
    verification or validation) and vote. An honest game where you ask your
    friends also to vote for you. Then there was this second message you
    evez that if we put 1 / 2 star, we can vote again? And yet? Much? It
    could be interesting to bury opponents. So I cast an eye on the line
    (with wireshark) and given the ajax request. In fact, you can vote as
    many times as you want, you pretending to any other user of the system,
    and you can give ratings from blithely months until 100 stars (on a
    scale of 1 to 5) participants.


    therefore you will enjoy 10 days remaining to the souk.



    http://www.serverquestcontest.com/index.aspx



     



    I guess the winner of $ 5000 is assumed to be the one who cheats the most.



     



    PS: Discover the urls is left as an exercise: D



    PPS: It is also possible to obtain a part of the code server

     

     

    I feel ashamed. It does, indeed, seems more readable :/

     

     (i am out, trying to find a tree for my rope)



  •  ok, no tree left for me.

     

    What i just wanted to tell is, there is coding contest with $5000 to win. You ask visitor to vote after registration.

    • Will you check registration?  No
    • Will you restrain registrant from voting twice for same participant? No of course
    • Will  you check that values submitted by browser is indeed in the range [0-5]  (0 to five start)? No need to do that

    It's not like somebody would try to trick your server for only $5000 , is it?

    So like i said, i suppose they want the participant that cheats the most win their 5000$ contest, and if they do secure their silverlight technology like they secure their website, i fear the beasts that we will see coming out in the next few months / years

     



  • Here's another WTF: I went to that site with FF3.0.10/Win32, clicked on a game and nothing happened. I'm pretty sure I don't have Silverlight, but it didn't warn me, it didn't tell me that I should go somewhere to get it... I just had a page with a big, black box, with a line of blue text in it. I'm clearly not going to bother to find out the WTF with that one, but something seems awfully wrong.

    PS: I had Adblock Plus installed but disabled.



  • So all I need now is a bot net and I win $5000. Sweet. Hey anyone want to download this screensaver I made?



  • @DOA said:

    all I need now is a bot net

    I'm not familiar with with Silverlight, but couldn't you just have your submission do the voting/cheating on its own? To me, that'd be a lot easier than tricking people into joining a botnet, AND it would work on all platforms that support Silverlight.



  • @AltSysrq said:

    @DOA said:

    all I need now is a bot net

    I'm not familiar with with Silverlight, but couldn't you just have your submission do the voting/cheating on its own? To me, that'd be a lot easier than tricking people into joining a botnet, AND it would work on all platforms that support Silverlight.

    Plugin's security model only allows it to establish connections to its own domain.


  • @alegr said:

    @AltSysrq said:

    @DOA said:

    all I need now is a bot net

    I'm not familiar with with Silverlight, but couldn't you just have your submission do the voting/cheating on its own? To me, that'd be a lot easier than tricking people into joining a botnet, AND it would work on all platforms that support Silverlight.

    Plugin's security model only allows it to establish connections to its own domain.
     

    Which actually is the same as the one serving the contest content. The only drawback is that submission was closed before the poll was started :)

    Could have been a very funny cheating way. Now your only solution to get money is to contact a contest participant and ask him if he wants to go fifty / fifty  with you, i guess.



  • If you look at the rules, it's not so easy to cheat as it seems. It's still stupid the way they have implemented security.

    WINNER SELECTION / JUDGING CRITERIA

    Following the close of the Entry Period, all eligible entries will
    be reviewed by a panel of judges based on the criteria below and up to
    eighteen [18] entries will be selected as finalists.

    • [50 %] best overall use of Silverlight
    • [50 %] number of Silverlight features

    Following the selection of finalists, finalist entries will be
    posted online at www.serverquestcontest.com and site visitors will be
    invited to view and rate each finalist entry during the Voting Period.
    Visitors are limited to one vote /rating per person per finalist entry.
    No mechanical our automated method of voting is permitted. Microsoft
    reserves the right to disqualify any votes that are in excess of the
    voting limit or that are suspected to be created by a mechanical (e.g.
    "bot") or other automated voting method.

    Following the Voting Period, a judging committee will re-review all
    finalist entries and will select three [3] winners based on the
    following criteria:

    • [40 %] best overall use of Silverlight
    • [40 %] number of Silverlight features
    • [20 %] a combination of how many people viewed the game and how highly they rated the game

    In the event of a tie for any place, all tied entries will be
    reviewed by a separate judging panel that will break the tie. If we do
    not receive a sufficient number of entries that, in the judge's
    opinion, meet minimum quality standards, we may, at our discretion,
    select fewer than the designated number of winners. The decisions of
    the judges are final and binding in all matters related to the Contest.




Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.