Wednesday, June 19, 2013

"Prominent Political TV Host" Poll Center

I'm surprised this trick still works. I bothered them with it like a year ago, and it works as of a few days ago. In fairness, the site has a disclaimer that says "These polls are not scientific. Only one count is counted per visitor". This turns out not to be the case. Anyway, in my usual style, it's simple JavaScript edits with a few goals in mind for the poll center of this site:

To Do:

1. Sway the results of closed archived polls
2. Make the poll results add up to less than 100%
3. View the results of a poll before it is aired on the show

You can see this as a product of poor data sanitization. Edits made in the browser with the Firebug Firefox extension cause permanent data changes on the server that no one seems to notice or care about. So if you're a developer, may this be a lesson you never have to learn in production: sanitize input on client side and server side.

1. Change archived poll results

Simply change loadArchivePoll to loadPoll. That's it.

<div class="Pollwrap">
              <div style="padding: 5px; cursor:pointer; border-bottom: 1px solid #cccccc;" class="pollArchiveItemOff" id="pollArchiveItem0_0" onmouseover="" onmouseout="changeBackgroundClassArchivePoll('0','0', 'Off');" onclick="loadArchivePoll('0','9337','0');"><span style="display:block;">Make a prediction - will Attorney General Eric Holder resign?<br>May 30, 2013</span></div>

</div>



2. Polls that add up to less than 100% 

This effect can be easily triggered. If the radio button's value attribute is edited to something not in the given values in the multiple choice survey, it won't be counted.

<input type="radio" value="Fake value." name="surveyAnswer">

3. View the results first

Okay, I'm leaving this one as an exercise for you! Trust me, it's as trivial as the other two hacks. Hint: take a poll legitimately, and figure out where the form takes you to view the results.
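The server-side checks whose absence the three tricks above rely on, as an added example that is not the site's code. The `Poll` class, its field names and `visitor_id` (however the server identifies a visitor) are hypothetical, and the poll data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

class Rejected(Exception):
    """A request that failed a server-side check."""

@dataclass
class Poll:
    options: tuple                 # the only answer values the server accepts
    closes_at: datetime            # from here on the poll is archived, read-only
    results_visible_at: datetime   # e.g. when the show airs
    tallies: dict = field(default_factory=dict)
    voters: set = field(default_factory=set)

    def vote(self, visitor_id, answer, now):
        # Open/closed comes from server state, not from which client-side
        # function (loadPoll or loadArchivePoll) built the request.
        if now >= self.closes_at:
            raise Rejected("poll is closed")
        # An edited radio value is refused, not stored as a ballot for no option.
        if answer not in self.options:
            raise Rejected("unknown answer value")
        if visitor_id in self.voters:
            raise Rejected("visitor already voted")
        self.voters.add(visitor_id)
        self.tallies[answer] = self.tallies.get(answer, 0) + 1

    def results(self, now):
        # Results stay hidden until release, whatever URL the client requests.
        if now < self.results_visible_at:
            raise Rejected("results not yet released")
        total = sum(self.tallies.values())
        return {o: 100.0 * self.tallies.get(o, 0) / total if total else 0.0
                for o in self.options}

def demo():
    # Constructed poll and timestamps, not data from the site.
    day = lambda d: datetime(2013, 6, d, tzinfo=timezone.utc)
    poll = Poll(("Yes", "No"), closes_at=day(10), results_visible_at=day(5))
    outcomes = []
    for visitor, answer, when in [("v1", "Yes", day(1)), ("v2", "Fake value.", day(1)),
                                  ("v1", "No", day(2)), ("v3", "No", day(11))]:
        try:
            poll.vote(visitor, answer, when)
            outcomes.append("accepted")
        except Rejected as exc:
            outcomes.append(str(exc))
    return outcomes, poll.results(day(12))
```

Because every accepted ballot belongs to a listed option, the percentages returned by `results()` always sum to 100 once at least one vote exists.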



Tuesday, June 18, 2013

Client Side (Instead of the Dark Side)

It's astonishing how much power there is in simply looking at and editing web page source! Possibly anything more seems to get you on the news, so you can stay on the bright side: the client side. Granted, it depends on the contest or website, I guess, but every once in a while you get a gem like this:


answersTxt[3] = "<div id=\"answer-input-3\" class=\"answer-result \"><span></span></div>"; 

answersImg[4] = "<div id=\"answer-final-4\" class=\"contest-answer result hasImage\"><img src=\"/sites/files/bottle.jpg\" alt=\"Picture4\" /></div>"; 

Yes, there are arrays called answersTxt[] and answersImg[].

This was a matching game where pictures were matched to text. The administrators have remediated this... they have started hashing the names of the pictures to avoid future shenanigans.

Where Did Wiki Scanner Go?

A guy named Virgil in the early 2000s created a scandalous project called WikiScanner. All it does is look at anonymous Wiki edits for certain IP ranges to figure out what companies were editing their own Wikipedia pages (obviously the IP addresses were cross-referenced against a whois or something).

It doesn't seem to exist anymore. It got taken down I think. All I found is a bad quality copycat with injectable debugging statements:

Table 'wikiscanneres_wiki.org3' doesn't exist
SELECT name, ip_from from org3 where '2433878598' between ip_from and ip_to order by ip_from DESC limit 1

Yikes, TMI, error code...
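The error above hands the visitor the database name, the table name and the full query text. As an added example (not the copycat site's code), here is the same range lookup with the address validated, passed as a bound parameter, and failures reported generically. Python's sqlite3 stands in for the site's database, which the page does not identify; the sample rows are constructed.

```python
import ipaddress
import logging
import sqlite3

log = logging.getLogger("orglookup")   # server-side log only

def lookup_org(conn, ip_text):
    """Return (status, org_name); status is all the client is ever told."""
    try:
        ip_int = int(ipaddress.IPv4Address(ip_text))   # refuses non-IPv4 input
    except ValueError:
        return ("invalid address", None)
    try:
        row = conn.execute(
            "SELECT name FROM org3 WHERE ? BETWEEN ip_from AND ip_to "
            "ORDER BY ip_from DESC LIMIT 1",
            (ip_int,),   # bound parameter, never concatenated into the SQL
        ).fetchone()
    except sqlite3.Error:
        # Table names and SQL text go to the log, not into the response.
        log.exception("org lookup failed")
        return ("lookup unavailable", None)
    return ("ok", row[0]) if row else ("not found", None)

def sample_db(with_table=True):
    # Constructed data: RFC 5737 documentation ranges, made-up org names.
    conn = sqlite3.connect(":memory:")
    if with_table:
        conn.execute("CREATE TABLE org3 (name TEXT, ip_from INTEGER, ip_to INTEGER)")
        ranges = [("Example Corp", "192.0.2.0", "192.0.2.255"),
                  ("Example Univ", "198.51.100.0", "198.51.100.255")]
        conn.executemany(
            "INSERT INTO org3 VALUES (?, ?, ?)",
            [(n, int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b)))
             for n, a, b in ranges])
    return conn
```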

Anyway, this is easy to replicate yourself using the Requests library in Python. Get a sample of the IP of the network you'd like to know more about, and take a walk around the "block":

(where xxx.xx.xx.xxx is the IP)

import requests

# Walk the last octet (0-255) of the block around the sample IP
for i in range(256):
    r = requests.get('http://en.wikipedia.org/wiki/Special:Contributions/xxx.xx.xx.' + str(i))

Refine the crawler to look for related articles, with keywords that are relevant to your interest.

FB's Creepy Friend-Suggest:

Automatically Lists All Friends of a Contact

Consider a Facebook account created with a Gmail account with only one contact. Despite settings to keep the friends list private, this new account will get friend suggestions for all of the contact's friends, assuming the contact's email has a Facebook account.

More testing is needed to see if the suggestions still happen if the contact has a private profile and wishes the names of friends to not be visible to the public.



Premium Content Control



Most news sites display their premium content briefly in the browser before snatching it away again, allowing enough time for the user to stop the page from loading and view the full article.

Some (e.g. WSJ) deliberately offer a "first click is free" deal where content is viewable if the site is reached by clicking a Google news result.

Exhibit A from page source:
<!--added for registration bypass2 October 3,2002-->


Then where content is not available, we have this tag (as well as scripts for no-content instead of content):

<meta name="GOOGLEBOT" content="unavailable_after: 17-Jun-2014 21:49:00 EDT" />

A blog post from 2009 mentioned that this has a limit of 5 articles, but it's not true. As long as you can search for the link location of the article it will work.

How this came about: I very much like the WSJ, but I am annoyed when LinkedIn news posts are blocked because they have linked to their premium content.