Paid Advertising
web application security lab

How I Lost a Contest Involving Chihuahuas

So my lovely gfnd’s co-worker enrolled her pet Chihuahua into a contest to rate the dog against others of the same breed in the local area. Vaguely amused, I took a look at the web application and sure enough, it pretty much sucked. The developers had used a client side code in Flash to make it so that you couldn’t submit twice, but in re-loading the app you could (and that’s how the newbs in her office were cheating). I, however, looked at what data it was sending and sure enough I could send votes by bypassing the client side app entirely. I took the cheating to a whole new level.

So I gave the dog 100 votes just for good measure. My gfnd and her office mates were amused and asked me to up it to 1000. Sure, no sweat. The next closest Chihuahua was in the 50-60 range, which I found by writing a quick scanner to dump all the results for all the other dogs. So I figured we pretty much had this whole thing sewn up. With the 700 votes all of her co-workers had managed to generate, plus my 1000, we were an order of magnitude higher than the next competitor. I could see it already - my gfnd’s co-worker’s Chihuahua would be named Chihuahua supreme, there would be dancing in the streets, songs would be written…. The whole nine yards.

Little did I know how fierce this whole Chihuahua community is, and right before midnight on the night that the contest closed some other hacker did the exact same thing - but took the number one spot above my pick. Alas, had I checked the scores leading up to the closing moments of the contest my Chihuahua could have easily won that contest. I guess if I cared more about Chihuahua contests, I might have put more thought into it. But in the end it’s just another amusing story. Props go to whomever managed to out haXor my Chihuahua contest haXoring!

I think we all can see how similar high profile and more important contests (or elections) could be tampered with. Maybe Chihuahua contests don’t rank high on your visibility scale, nor mine typically, but despite the silly consequences of tampering with Chihuahua contests, it’s a small window into a much more dangerous issue. I hope everyone had a good 4th and Canada day!

12 Responses to “How I Lost a Contest Involving Chihuahuas”

  1. MikeA Says:

    Who knew that Chihuahua contests were such a cut-throat business ;p

    So, you didn’t write a scanner that kept checking the totals for the other dogs and when they got close to your total you’d add some more votes? Either a) you are a complete n00b and can’t hack for $h1t or b) you just don’t love you girl enough to put the effort in.

    So Mr Rsnake, which is it :D

  2. RSnake Says:

    If I only had the time, Mike… ;) hahah!

  3. ChosenOne Says:

    Well, well Mr. RSnake.
    If anyone of us had a Chihuahua, I’d be damn sure that no one would admit it, so I can only understand that you started to call it the Chihuahua of your gf’s co-worker. The fact that you got too enthusiastic in describing the h4×0ring made you slip, and write “my Chihuaha” in the end. I think it would have been unfair unfair to the cute little thingy, that you denied its existence and even denied your mere love for it? :P
    Just Kidding - here come’s the real comment:
    There’s an annual snowboard-flashgame-contest somewhere in the web (usually around christmas), called the “harddrive slide” or something. The points you earn are transmitted to the highscore in a similar way you just explained - but the key is: The winner of the flash-game wins some free HDDs. Isn’t that nice? :)

    Kind regards,

  4. thrill Says:

    No wonder it was easy to hack.. here’s the copyright notice on the top of the program:

    // Copyright (c) 2008 Diebold Systems, Inc.



  5. phaithful Says:

    I’m sure you would have won the contest if it involved (@) … lol

    btw, what did “your g/fs co-worker’s” Chihuahua get for 2nd place?

  6. Awesome AnDrEw Says:

    Sadly I have a similar story in which I won second place in an online contest back in 2001, which had been advertised on a certain television station across the U.S. The Flash application submitted the form via GET requests, but restricted each email address to a single entry per day. To combat this I simply enabled “wildcard email addresses”, and a forwarder on the domain I owned at the time, wrote a simple VBScript that changed the location of an IFRAME to include an incremental value every quarter of a second, and left the script to run for no more than a few hours. Thinking I would most likely get caught I stopped it, and forgot about the contest however when it ended I checked my email, and sure enough I had managed to take second place, which allowed me to claim a free item that I never did redeem. Moral of the story is if you’re going to do this type of thing make sure you run the application for quite some time, because second place just won’t cut it.

  7. plAnadecU Says:

    A good way to cheat on contests (the ones that just allow one vote per IP) is to exploit an XSS bug. You place your votation-code in the main page of a busy page and just wait ;)

  8. RSnake Says:

    @phaithful - I don’t think there were any prizes at all, except the adoration of all other lesser Chihuahua owners in the area. Yeah, I don’t get it either.

  9. fazed Says:

    You probably could have made a script
    that checked the results of all the other
    entered chihuahua and made sure yours
    was at least 5 ahead at any given moment.
    although this could have ended with your
    script having a bidding war with the other
    hacker (and resulting with a VERY high leaders score)

  10. Lex Says:

    They could check their request logs and only count it by IP, no-one probably did thought of changing it.

  11. Log0 Says:

    RSnake, why didn’t you rank every dog equal? The jurys gonna sweat. =)

  12. Cagekicker Says:

    Kind of like an Ebay bid war! Haha. I hate it when that happens.