How to Own Star Search

by StankDawg  (StankDawg@stankdawg.com)

I watch my share of television.

I watch a lot of sports and a few specific shows that I follow regularly, but that is about it.  One thing that I do, like most Americans, is channel-hop.  I jump through the channels at light speed as though there was something on another channel that I was missing.  Sometimes you find some interesting shows this way.  Sometimes you find some garbage.

Well, I happened to find a little bit of both in the form of a show called Star Search.

Now if you are not familiar with this program, let me give a quick overview and some background.

First of all, I was surprised to see that this show was even on the air again.  I remember Star Search from when I was a kid and Ed McMahon was the host sometime back in the 1980s.  Apparently it has been revived, but this time it's hosted by Arsenio Hall.  It is still a talent show with judges choosing who stays and who goes, and it is still a big prime time name.

But that is not the interesting part.

The reason that I stopped was because I heard the phrase "home audience vote."  My ears perked up.  What do we have here?  I can vote from home?  How can this be?  What method have they established to allow people to vote from home?  These questions made me put down my remote control.  I have yet to see any kind of voting system that wasn't fundamentally flawed.  I wanted to see if they had discovered the holy grail.  As it turns out, they had not.

It seems that I stumbled onto the season finale of the third season.

Apparently during the regular season there are judges who vote for the winners.  In the season finale, the home audience votes for the winners.

So I figured out that after the contestants sing or dance or juggle monkeys while blindfolded (I don't know what they do, I just wanted to see how the voting worked) the show would go into commercial break.  During this commercial break, the viewers at home would go to the "interweb" and go to www.cbs.com/primetime/star_search4 where they would see a list of the contestants to vote for.

Now here are the logistics of it: First of all, if you go to the site and try to vote before the performers are finished, you get a message saying that you have to wait until the contestants are all finished before you can vote.  I mean you cannot vote for monkey-juggler #1 if monkey-juggler #2 has not had his or her fair shot at displaying their monkey juggling skills.  So after all of the contestants are done, they open the polls and allow people to connect and vote.  And vote I did!

The poll is very straightforward.

Each contestant gets a score from 1 to 5: 5 being the best and 1 being the worst.

You must vote for all three contestants and click on the button to cast your vote.  O.K., I voted, but I think I may have made a mistake.  I want to go back and look at it again.  Well, the page allows me to vote again!  I am not limited to one vote.

I looked at the rules of Star Search and I didn't see anything that told me that I could only vote once.  And since it gave me a blank form again, I assumed you were allowed to vote more than once.

American Idol lets you call as many times as you want, so this must be the same.  Well, I made my choices again but this time instead of clicking on the button to submit my vote, I decided to look at the code to see if they had some way of rejecting a second vote from someone.  Was a flag set that kept me from voting again or kept my vote from being counted again?  Maybe it was sent to the "garbage file" if I voted more than once from my IP address.

Either way, what I found was very interesting.  So interesting in fact, that I sent an email to CBS warning them that they had a potentially serious security hole in their system.

I waited a few days for some sort of response from them.  I gave my real email address and told them that I would be glad to explain the details to their security officer or webmaster.  I got nothing.  O.K., I thought, maybe they don't want to contact me or don't have the time to contact me.  I will be nice and send them the code and show the potential problem.

I looked all over the CBS web site and tried to find an email address for a security officer or someone directly related with Star Search.  I found nothing (go look yourself).  So I guessed and sent emails to every potentially monitored address @cbs.com that I could think of including: security, webmaster, root, cbs, shows, and starsearch.  I got nothing in response except for bounce messages.

Long story short: I tried unsuccessfully on seven different occasions over the course of six months to report this problem.

The last notice I sent to them was that I was going to release it to the public.  I tried to do the right thing and notify them, but they didn't seem to care.  Hopefully, they will see it and fix it this time.  Maybe they have a fail-safe in place on the server side that rejects multiple votes from the same IP address so they just decided not to waste their time with me.

Regardless, after this amount of time, season four was almost over and the finale was upon us and I could verify my theories discovered at the end of season three.

The prize for the winner of this show was $100,000.  Obviously they would have a special voting system for something this serious, right?  Wrong!

A little research revealed that the system they use for this prime time show worth hundreds of thousands of dollars was the same engine that they used for every other poll on the site.  A little trial and error and URL manipulation revealed that they use the same script for the "What is your favorite episode of Cheers" poll.  It was like some common PHP content management system.  The only thing that separates them is the event_id.

The "poll" engine receives parameters passed to it from the calling page.

It looks like it was written to be overloaded.  I presume this after looking at other polls on the site that use that same engine.  You can pass named parameters to it (event_id, q1, q2, etc.) or positional parameters to it in some cases (results page ID, results window coordinates, etc.).

In the case of Star Search, it was a very straightforward URL that was created with a very simple parameter string.

The code below is a snippet of the code from the Star Search page that calls the poll.  I only included the relevant part below:

<!-- --------------------------------------------- -->
<!-- begin code (Generic page HTML was above this) -->
<!-- --------------------------------------------- -->

<script language="javascript">
function goVote() {
	var vID1 = 0;
	var vID2 = 0;
	var vID3 = 0;
	// Each of these is the group of five radio buttons (values 1-5) for one contestant.
	var vote1 = document.voteForm.q1;
	var vote2 = document.voteForm.q2;
	var vote3 = document.voteForm.q3;

	// Pick up whichever score button was checked for each contestant.
	for (var i = 0; i < vote1.length; i++) {
		if (vote1[i].checked) { vID1 = vote1[i].value; }
	}
	for (var i = 0; i < vote2.length; i++) {
		if (vote2[i].checked) { vID2 = vote2[i].value; }
	}
	for (var i = 0; i < vote3.length; i++) {
		if (vote3[i].checked) { vID3 = vote3[i].value; }
	}
	// The only validation there is: all three scores must be chosen.  It runs entirely in the browser.
	if (vID1 == 0 || vID2 == 0 || vID3 == 0) {
		alert('You must vote for every contestant');
	} else {
		// A plain GET to the poll engine; nothing in the URL ties it to this user or this form.
		document.location = "http://poll.cbs.com/poll?event_id=18002&q1=" + vID1 + "&q2=" + vID2 + "&q3=" + vID3;
	}
}
</script>

<!-- --------------------------------------------------- -->
<!-- end code (the rest of the page HTML was below this) -->
<!-- --------------------------------------------------- -->

Now the first thing you see is that the code is obviously JavaScript.

This runs on the client side and therefore the code is delivered to the client embedded in the HTML of the page.  This is what you are seeing above with the irrelevant HTML removed.

I also cleaned up their code for them to make it more readable.  You still cannot see everything that is needed to make this script work, but you can see enough to see how it works.

The document.location is the URL that calls the poll engine.  The JavaScript is used to assign values to the variables that are passed to that engine.

The user will click on a number from 1 to 5 for contestant #1 as described earlier and that amount is assigned to the working storage variable called vID1.

This is done for the other two contestants the same way.  These three variables contain the values of the votes that were chosen.

These values are then passed to the variables that are used by the actual poll engine that is being called.

The value of vID1 for example, is assigned to q1 in the document.location string along with vID2 to q2, and vID3 to q3.

The poll takes these values and adds them to the results database.  The question is: Which database?

The other parameter or field name in the document.location URL is called event_id which I mentioned briefly above.  This event_id is the primary key to the database.  It tells the engine where to save the data and what type of data to expect.  If you got to the page early, there has been no key assigned, so you cannot vote for a poll that does not exist.

The only form of security for the Star Search voting system is the fact that the event_id is not made available until the contestants are finished performing!

I even tried a little guesswork to try and predict the event_id that would be used.  This achieved varying levels of success.

Since the poll system is used for other things in the system, it did not do a simple increment of the value for event_id.  I watched the show until the voting was opened and once the key was assigned, I could then see it in the code.

The code above was copied after the event_id was made available.

O.K., what does this all mean?

It means that I now have the exact URL to make the function call for a vote to the poll system.

So what?

Well, that means I can paste this direct URL into the browser and basically call that poll function over and over by holding down enter and visiting it as many times as I can during that commercial break!

Without going into detail, I came up with about 1000.  You don't have to wait for the results page to register the vote, just a call to the function will do it!

Only the outgoing request matters: sending it is enough to submit your vote.

Receiving data or a verification message is not necessary.  There does not appear to be any return validation.

So there you go!

You have figured out a way to vote for your favorite contestant hundreds or thousands of times (depending on your bandwidth).

But wait, surely a thousand votes cannot affect the outcome, can it?  Probably not, but what if you had a bunch of other people doing it at the same time?  And each vote, mathematically, can perform triple-duty due to the nature of the system.  Not only are you giving a high score to the contestant you like, you are also sending low scores to the other contestants!

Talk about killing two birds with one stone!

1000 votes for contestant 1 is also 1000 votes against contestants 2 and 3!  3000 votes for the price of 1000!  That's brilliant design at work right there!

We still aren't done.

Even the effects of 3000 votes are probably not enough to make any sort of large impact.  Cutting and pasting and holding down the Enter key is just so low-tech.  I am sure the readers have already spotted a better way to make this more effective.  It's script time!

Now, I am not going to give the code for a script here.  It is very simplistic and, to be honest, I still took the lazy way out.  We hard-coded the event_id into a script when the more precise and flexible way would have been to parse through the HTML and look for the string event_id= and pull the event_id out.

That would make the script reusable.  But that was not my goal with this test.  I just wanted to see if it would work.

If one person sitting at a computer holding the Enter key can send around 1000 requests, imagine what would happen if someone opened up 50 threads and a never-ending loop of function calls to the desired URL?  That is still just from one person.  What if you then passed that script on to your friends to do this at the same time from their machines?

What if we went beyond friends and put it into a CGI script or a Perl script and posted it on websites around the world?  Pretty scary, huh?

So we have 50 threads generating 1000 hits each (during the voting window) multiplied by the number of users running the scripts... account for the three-votes-for-the-price-of-one factor... carry the one... well, you can do the math.  Suffice it to say that this would most certainly affect the outcome of the show.

CBS and Star Search did do one thing right.

They covered themselves legally with this disclaimer that I am sure their lawyers made them include.

It states that:

"CBS reserves all rights in connection with Star Search and the Star Search online voting process, including, without limitation, the right to disregard any or all online votes in the event of technical complications."

This will allow them to reject any invalid votes.

The real question is: after seeing their lack of security and their lack of contact people, what makes us think they would be able to recognize invalid votes?

If they had this kind of foresight, the vulnerability wouldn't exist in the system in the first place.

ShoutZ: vooduhal for helping with the last minute surprise "testing" and proof of concept script.  To Epiphany and Johny_lightning for the NYC hookups for zer0Db and me.  All of my friends on the global "interweb" including those crazy phreaks on default radio.  My homeboys Acidus and lucky225, and as always, the Digital DawgPound.
