This Year’s Triple J Hottest 100 Was Totally Hackable

A little while back me and a group of friends in Brisbane found a way to predict the results of Triple J’s 2012 Hottest 100 music poll. By scanning thousands of Twitter posts and collating around 3 percent of the total votes, we were able to predict 92 of the 100 songs in last year’s countdown, and 85 out of 100 using Instagram posts this year’s poll. Which is pretty cool if you’re a person who cares what Australia thinks is a good song—or someone who’s interested in betting actual money on it.

In the lead up to this years poll, someone got in touch with me who wanted to take our original project to the next level. He wanted to hack the whole thing. Here’s how he intended to do it.

For starters, let's give some context on messing with online votes. TIME Magazine’s online Person Of The Year polls have been a bit of a joke for a few years. In 2009 internet image board community 4chan voted in the site’s founder Christopher “moot” Poole to the top spot. In 2012, a small group of hackers spamming fake votes got North Korean leader Kim Jong Un to number one while spelling out “KJU GAS CHAMBERS” with the top positions.

You’d wonder why TIME’s editors would think anything different would happen when they launched the poll in 2013. That one kicked off with 4chan’s community racing to crown NSA whistleblower Edward Snowden, competing against a couple of programmers by the names Gains and Marek championing Miley Cyrus as their number one pick.

Gains and Marek used a loophole they discovered in TIME’s voting system that allowed them to place a vote on behalf of any Facebook user without the user’s permission, and wrote up some code to automate the casting of fake votes. TIME had added the Facebook login feature to the poll in 2013 to try and restrict votes to just one per person.

The 4chan community relied more on strength in numbers to push Snowden to the top of the poll, with one member calling on others to manually sign up for Twitter accounts using disposable email addresses via 10MinuteEmail.com and using the distributed online anonymity network TOR to hide their identity.

TIME eventually closed the loophole, but not before the Syrian Electronic Army did their best to bring down the poll, managing to hack into TIME’s Twitter account, posting “'Syrian Electronic Army' was here via @Official_SEA16.. Next time write a better word about the Syrian president #SEA.”

I wasn’t surprised when software engineer Matt Way reached out to me, saying he thought it would be possible to submit fake votes to the Hottest 100, an idea he had been mulling over for a while, both as a technical challenge, and to see if it was possible to fake a song to the top spot and cash in on a bet. The odds for some of the songs that were likely to appear in the countdown’s top 10 were well over 50 to 1.

Matt told me about what was needed to bypass Triple J’s security measures while he got to work coding using a JavaScript platform called NodeJS.

“I placed a vote on my own, and it was a bit of a reverse engineering process to figure out that it wouldn’t be too hard to automate.”

Triple J’s voting platform was pretty simple, users had to enter a name, an email address, and select up to 10 songs to vote for from a list. Voters then had to click on a link in a verification email to prove they were human.

The goal was to make the fake votes he was submitting look as human as possible using Fake Name Generator to create a list of Australian sounding names, and a Virtual Private Network (VPN) service called Hide My Ass to conceal the origin of each vote. He made short work of Triple J’s email verification security by purchasing bulk hotmail accounts at a cost of $12 per 1,000 addresses, and coded a solution to automatically check each address for the verification link after the vote has been placed.

“So first we grab a new IP address (online identity), and simulate entering a vote through a headless browser process, simulating a person filling out their details and submitting the voting form. Then we just check the Hotmail address for the confirmation link, to verify the vote. Then the process restarts again.”

Matt ran out of time before voting closed to get his code submitting enough votes to have an impact, but he assured me that with a little more time it would be possible to manipulate the poll.

It’s interesting that Triple J didn’t even include a captcha (those annoying distorted letters and numbers you have to fill out), one of the most common tests to differentiate humans from computers, in the voting process. But even these can be bypassed. “The two options are either a technical solution that tries to decode the captcha. In fact, most captchas out there have no scientific reasoning behind what makes them hard for computers to break.” The second option is to outsource the captchas to an army of low-wage captcha solvers. A quick Google search will turn up hundreds of services offering captcha solving. Both methods will cost you just a fraction of a cent per captcha solved.

Even mobile phone verification, receiving a text message with a code that needs to be entered into an online form to confirm your identity, can be bypassed. Countless free and paid SMS receiving services exist that will loan you a temporary phone number from any number of countries to receive your verification text.

Matt explains that with enough effort almost any online voting system or form can be automated. “Online political voting would be a big one, if it were ever to happen, and that’s probably what’s holding it back. There are a ton of security issues that need to be solved first.” The Queensland Parliament e-petitions website uses little more than an extremely basic captcha-like verification tool that Matt tells me would be easily automated.

“Social manipulation could be possible by creating a large number of online identities and using them to act against a particular person or brand by generating fake “Likes” comments or shares. You could potentially even manipulate the stock market with the same means by attempting to trick trading algorithms that use signals from social media.”

“Essentially, you’re able to leverage technology to become a population, rather than a single person.”

@nickdrewe