How to batch vote on PollDaddy (Mac OS X) Hack

Well, I decided to try to make a way to do batch votes on PollDaddy. It was actually pretty easy once you play around with Firebug a little bit to find the necessary fields.

This post will show you a “proof-of-concept” on how to hack Polldaddy polls for unlimited and automated votes.

Requirements:
- Polldaddy Poll URL (ex.
- Poll answer you want to use (ex. PDIanswer33136443).
- Java installed in your system.
- This Java program

![Polldaddy Polldaddy](http://dynobin.com/blog/wp-content/uploads/2013/10/PolldaddyHackV2_preview.png)

To obtain the Poll URL you must have a browser that has a DOM inspector OR that allows you to install the Firebug extension on it. Assuming you have “FIREFOX”, install Firebug from this

Once that is installed, go to where the poll is (ex. Bottom of this post). Right-Click the poll and select “Inspect Element with Firebug”. Ctrl-F to find the URL in the noscript tag, search for “

Now point your browser to the URL you’ve just obtained.

To get the Answer ID, Right-Click on the desired answer (radio-button) and again select “Inspect Element with Firebug”. It should take you to the DOM representation of this element. Copy the answer id attribute that starts with “PDI”.

Ok great, we now have everything.

Poll URL:
Poll answer: PDIanswer33136442

Our last step is to use these values to submit votes to the poll. Make sure you have downloaded the program from the above requirements (zip file containing one jar file). Extract this jar file and put it in any folder.

Depending on your OS this next step will vary:
- FOR WINDOWS: Open Command Prompt (CMD+RUN type cmd+ENTER). Navigate to where the jar file is located. OR Shift-Right-Click where the jar is and select “Open command window Here”.
- FOR LINUX: You probably know how to get to the jar file 🙂
- FOR MAC: Not helping you

Ok, now to run this jar file use the following command.

java -jar PolldaddyHack.jar arg0,arg1,arg2,arg3

Arguments explanation:
- arg0: is for Polldaddy Poll URL,
- arg1: Poll answer id,
- arg2: Number of votes you would like to submit,
- arg3 (optional): In case the poll has been set up for IP BLOCK you can add a proxy-list for multiple IP vote submission.

Example command WITHOUT proxy list:

java -jar PolldaddyHack.jar 'PDIanswer33136442' '5'

WITH proxy list:

java -jar PolldaddyHack.jar 'PDIanswer33136442' 'proxies.txt' '5'

Proxy list requirements: Each proxy IP must be on one line and contain the connection port, joined by a colon.

41.226.11.117:3128

Dependencies have already been packaged into the JAR file. For limiting purposes the program puts a 10 second delay between votes to prevent Polldaddy from blocking you.

polldaddy poll=7300120.
Francisco, thanks for your patience with me. I’m not exactly sure how a text file with proxies works in your Polldaddy hack java program. You wrote that if we want to include the proxy text file, it would look like this in the command line: ““PDIanswer33136442” “proxies.txt” “5” So using your example of made up proxies 41.226.11.117:3128 82.36.69.589:1111 98.158.3.349:8888 where do they actually go? I create a text file with them in it, one proxy per line, and “save” the text file, right? So, in the command line, do I put the actual text, “proxies.txt” into the command line? I’m not sure how/what/where to put the proxy list.

It will still not work, this is how it works. The cookie restriction is just there so that if you visit the page again it will tell you “Your vote has been counted” and won’t let you vote again; if you remove the cookie you will be able to vote again. In my program I’ve disabled/cleared all cookies so it shouldn’t matter. On Polldaddy’s side they check each vote and RECORD them to their DB. If they notice that the difference in time between each vote is too short they will completely disallow all votes coming from your IP.

Hi Francisco and thank you for the cool tool! I am having an issue however, an error similar to the user who was improperly using the PDIvote parameter. Here is what I am getting for an error:

PolldaddyHack v0.1 by flopex – DynoBin.com/blog com.gargoylesoftware.htmlunit.ElementNotFoundException: elementName=. attributeName=id attributeValue=PDIanswer35433517

This is the exact command I am running, except I’ve obfuscated the poll ID: java -jar PollDaddyHack.jar ““PDIanswer35433517” “1” Any advice is appreciated! The poll does use a CAPTCHA mechanism as well, not sure if you support that! Edit: Don’t think it should matter but I am running Windows 64-bit.

Go here: Then scroll down until you see the table of proxies and ports. You then open notepad on your computer. Then you copy and paste a proxy and the corresponding port into the notepad like this proxy: port, for example, 23.83.49.120:7808. Then you hit enter and do the same thing for some other proxies and ports. Then once you think you have enough proxies just save the notepad file as a proxies.txt text document. Then follow the instructions above so you will write something like java -jar PolldaddyHack.jar “Address” “PDI” “proxies.txt” “number of attempts”.
How I Rigged a Poll Daddy Poll

I rigged the Total Film Blog Awards for the Horror category. My intentions, while good, do not excuse that what I did was wrong and I could have easily taken the high road as has been pointed out to me. If you're not interested in my confession and apology and just want to see how I did it, scroll down to the red highlighted portion. Hopefully Poll Daddy figures out how to block such an easy exploit of their service. I don't condone cheating and I am not proud of throwing the poll. I have included the method for how I did this only to serve to help others catch similar activity and in hopes that it can be used to fix any further holes in the service.
First off an apology to who wrongfully caught heat from my actions. The blog is pretty cool and if you have never checked it out please do so now before reading the rest of this post. I would like to thank for hosting such a large competition. As well as all the readers for all the sites included in the selections. And I apologize to our readers as well as all the other sites for throwing the poll further.
There was obvious cheating on many sides and though I wasn’t the first person to try and rig the poll I did accomplish the biggest modification of the results. I decided to completely invalidate the results, and ensure victory for the only real blog on the list. As you read this post on how I rigged the results you'll hopefully understand why I chose to do it. I like underdogs and fairness.
In this case fairness was thrown out the window from the get go and no one seemed to care that much. The poll was already found to be rigged and no one corrected it, and that really didn't sit well with me. So I tried to make things right by everyone. I invalidated the whole thing. A stupid idea in retrospect, I will admit. But one done with the best of intentions. A fellow webmaster I spoke with this morning, who wished to remain anonymous, pointed out that he feels causing visitors to vote through a hidden IFRAME is a violation of their trust.
I do agree with that to a certain extent; however, as soon as the poll was hacked the first time by a user looking only to benefit themselves, trust had already been thrown out the window. Nobody wanted to take action or correct the mess created. At this point the poll was already tainted and fraudulent. I did all of this with no offense intended to Totalfilm; it is not their job to police the polls hosted at Polldaddy's site.
They simply tried to offer a fun and cool competition that has turned into some kind of cutthroat game of dire consequence. Nor did any of the other webmasters involved in the poll know what I was doing at the time.
Several have since found out after the fact but even though the polls were a topic of discussion many times over the last week I never mentioned my plan to throw the poll to either Bloody, Shock, UHM, or the owner of Obscure Hollow. Also it should be noted I did not pick the order of the winners. It is only by luck Dread is second from last and thus will place second, nor should any preference be given to the fact that Shock will appear last. My intention is only creating a step stair pattern out of the poll bar images so that it goes from smallest to longest as you go down the list. This way it is visually clear that the results are inaccurate and the only blog on the list still appears as the winner.
Not only did I want everyone to know the poll was bogus and thus the winner couldn't hold it over anyone else, but also posting a post about how I accomplished it gives people in the future a way to catch people using the same method. There was obvious cheating going on many sides like I said, though who was responsible for that other than my share is unclear. Nor am I accusing anyone at any of the sites competing in the poll of rigging the polls in their own favor. I think if anything it was the work of a few fans who just wanted to do their part. A day into the competition I and a few other fellow webmasters happened to be online watching as another site's numbers were rising 2-3 votes a second. This went on for a couple hours and they passed ahead of all of us.
Realizing some over-zealous fan must have tried to throw the poll in someone’s favor, I began researching how they did it. I spoke with a couple people the following day briefly and was told they had reached out to Totalfilm and reported the invalid votes and asked that the poll be reset. To this they were told that the votes would stand as it appeared to be valid and there was nothing that they could really do at that point. A thousand or so votes don’t happen in the span of an hour fairly, though, 2 or 3 at a time every couple seconds, but we were the only ones to see it happen. Hearing that such blatant cheating was going to stand really soured my outlook on what was supposed to be friendly competition.
But like I said this was not Totalfilm’s fault nor anything they had control over; it’s a shortcoming of the poll service itself. Furthermore I noticed Obscure Hollow had less than a couple hundred votes compared to the rest of us all over 800 and Shock whose numbers stopped around 1300. This irritated me most. The only real blog out of the selections, one that actually has something unique to offer people, and it was getting zero chance when compared to large news sites like ours; even without the cheating it seemed unfair. As the days went on and Obscure Hollow held steady just under a couple hundred votes I started thinking how fucked up it was to be pitted against sites like Bloody, Shock, UHM, and our own. I don’t know the person who runs Obscure Hollow but I felt bad that they might look at that poll and think that what they loved doing was taken for granted.
I actually checked out their blog and thought it was pretty cool myself; if you haven't stopped by there please do. Given that the numbers were already thrown and feeling like Obscure Hollow was the only one of us that was actually a blog I decided to throw the polls in their favor. It wasn’t a fair fight anymore and I felt throwing the poll at this point wouldn’t really matter. Over the past week I have added to their votes slowly so as not to arouse suspicion; meanwhile I inflated Dread and Bloody Disgusting's numbers a little every now and then to draw attention away from Obscure Hollow's slow and inconsistent crawl to the top.
I added votes to all parties in the poll to arrange Obscure Hollow as the winner and have the rest fall in reverse order so when viewed it would look like a set of step stairs. Similar to what 4chan had done with recent poll fixes they accomplished. I had thought of trying to maintain them all as dead even but I could not control the results to that degree.
Tonight is the final night of the poll and being a Sunday it is a slow traffic day so in order to get Dread into the proper place to create the effect I was after I had to leave the code running while I left for dinner. I needed Dread and Bloody being that they were the ones closest to winning, close enough that I could pull off the pyramid within the next couple hours and this way people wouldn't notice that Obscure Hollow was going to jump almost 800 votes over the next hour or so.
Either there was more traffic than I anticipated or getting food took longer than I thought but when I came back Dread was over 3000. This really fucked my plan up as now Obscure Hollow would have to get at least 3300 votes for my plan of reverse ordering to work out. So I have my work cut out for me now. But hopefully I can still pull it off. I guess by the time people are reading this post we will know whether or not I was able to not only throw the poll in Obscure Hollow's favor but to create the pyramid steps up to the top of the poll. So for those of you who came here to figure out how I threw the polls read on. Having already looked into how to accomplish throwing the polls I knew where I would have to start looking.
The only problem was there are as of now only two ways to throw a poll. And neither of them would work. The first method I found involves simply deleting certain cookie info on your computer and voting as many times as you would like. This is easy to overcome by just altering the poll to only allow votes ONCE per IP address.
The second method, which I found to be much more interesting, involves setting up a simple PHP script which takes the variables that the voting page is expecting and just submits them over and over again until you stop the script. This method is easy to spot because the numbers shoot up very quickly and it is easy to ban because they all come from the IP of the web server running the script. This method was blocked as well or at least I could not get it to work properly. You can read more about it here. Indeed it was Rusty Brick.com that inspired the whole thing. Alex having posted publicly that he threw the poll seemed like the only fair way to put everyone back on the same playing field. The important part of that blog post is here.

va = 'u', the 5th parameter in the vote function = 10.
pt = 'polltype', the 4th parameter in the vote function = 0.
r = 'rand', the 3rd parameter in the vote function = 1.
p = id, the 1st parameter in the vote function = 2189218 the poll's ID number.
a = answerString, the unique identifier of my entry in the poll = 10761055.
o = otherText = blank

So using this data, we can create the way to make our votes. Every time the following URL is accessed, a vote is placed for me in the poll.

That URL once clicked places a vote for his entry in that particular poll. All I had to do was use his advice to find my own parameters for a URL to cause a vote for my intended entries now.
Once I had the URL I needed a way to get around the IP limiting. One way I thought of: you could shorten this URL via bit.ly or similar service and send it out on Twitter.
I decided against that quickly though, realizing I didn't want to call attention to the fact that this URL submitted a vote for a specific candidate. As soon as you land on the page that URL leads to it is made clear that you have voted for someone without you making a choice. But I had figured out how to bypass every hurdle now. The votes are legit, they all come from unique IP addresses and are not scripted. All I needed now was a way to get lots of people to hit that URL over time without seeing the resulting page. Then it hit me.
Use an IFRAME with a small width and height set. By embedding the URL in an IFRAME and placing it on my page anyone who visited my site would vote for whoever I wanted. And given how much traffic we get that would be hundreds of people within an hour. Using parts of the method I found at Rusty Brick.com I crafted this tag: iframe width='100%' height='2' src=” which would place a vote for Obscure Hollow every time someone visited our page. Simply changing a=11692457 to a=11692456 places a vote for Dread, and a=11692455 is a vote for UHM, 54 a vote for Bloody, and of course 53 is a vote for Shock.
The biggest hurdle to overcome was to get Obscure Hollow an 800% come from behind victory without looking suspicious. I wanted to end the whole thing successfully with the stacked poll results from smallest to largest before the poll ended. Every vote added through this method is entirely valid from the service’s standpoint. Because every vote was cast from a unique IP address calling the URL within the IFRAME everything is legit.
Except for the fact that people were voting without knowing it. Which is shady at best. Obviously this method requires someone to have access to a site with large amounts of traffic.
Or cleverly bait people to click a shortened version of the URL through a service like Twitter. Or you could even spend a little money and have users at Amazon’s Mechanical Turk service click it for you for 5 cents a click.
I wouldn’t be surprised if you could include the URL in an IMG tag and post it on a popular Myspace or Facebook page’s comments. As long as that URL is called it should place a vote. The easiest and most immediate way they could fix this exploit is to add code to the voting confirmation page that breaks the page out of any IFRAME it is placed in, thus making it near impossible to hide what is going on. Another easy way for Poll Daddy to fix this problem is to add more random number possibilities to their scripting but this would only slow down the voting. As for using it as a part of Twitter, M Turk, or faking an IMG tag, you could probably check the request header and block traffic to that specific URL based on the origin of the request or requested MIME type.
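The header and timing checks suggested above, as an added example (not code from the original post or from Polldaddy): it scans vote requests for answers whose votes mostly arrive with one third-party Referer, for votes fetched in an image context, and for IPs voting faster than a threshold. The record layout, host names, answer IDs and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

POLL_HOST = "polls.example.test"  # assumed host of the genuine poll page

# Constructed records: (unix_ts, client_ip, request_url, referer, accept)
SAMPLE = [
    (1000, "198.51.100.1", "/vote?p=1&a=53", "https://polls.example.test/p/1", "text/html"),
    (1004, "198.51.100.2", "/vote?p=1&a=57", "https://bigsite.example.test/news", "text/html"),
    (1005, "198.51.100.3", "/vote?p=1&a=57", "https://bigsite.example.test/reviews", "text/html"),
    (1006, "198.51.100.4", "/vote?p=1&a=57", "https://bigsite.example.test/", "text/html"),
    (1007, "198.51.100.5", "/vote?p=1&a=57", "https://polls.example.test/p/1", "text/html"),
    (1008, "203.0.113.9", "/vote?p=1&a=54", "", "image/webp,*/*"),
    (1010, "203.0.113.7", "/vote?p=1&a=53", "https://polls.example.test/p/1", "text/html"),
    (1012, "203.0.113.7", "/vote?p=1&a=53", "https://polls.example.test/p/1", "text/html"),
]

def external_referer(referer):
    """Referring host when the vote did not originate on the poll's own page."""
    host = urlsplit(referer).hostname if referer else None
    return host if host and host != POLL_HOST else None

def embedded_vote_sources(records, min_votes=3, min_share=0.5):
    """Flag (answer, host, count) where one outside page supplies most of an answer's votes."""
    total, by_host = Counter(), defaultdict(Counter)
    for _ts, _ip, url, referer, _accept in records:
        answer = parse_qs(urlsplit(url).query).get("a", [None])[0]
        if answer is None:
            continue
        total[answer] += 1
        host = external_referer(referer)
        if host:  # a missing Referer is not evidence either way
            by_host[answer][host] += 1
    flagged = []
    for answer, hosts in by_host.items():
        host, count = hosts.most_common(1)[0]
        if count >= min_votes and count / total[answer] >= min_share:
            flagged.append((answer, host, count))
    return sorted(flagged)

def image_context_votes(records):
    """Votes requested as an image (Accept begins with image/), unlike a form submit."""
    return [r for r in records if r[4].lower().startswith("image/")]

def rapid_repeat_ips(records, min_gap=10):
    """IPs whose consecutive votes arrive less than min_gap seconds apart."""
    last_seen, fast = {}, set()
    for ts, ip, *_rest in sorted(records):
        if ip in last_seen and ts - last_seen[ip] < min_gap:
            fast.add(ip)
        last_seen[ip] = ts
    return sorted(fast)

if __name__ == "__main__":
    print(embedded_vote_sources(SAMPLE), rapid_repeat_ips(SAMPLE))
```

Browsers can omit the Referer header, so these results are signals for review rather than proof; they complement, not replace, the frame-breaking fix described above.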