How to Manipulate Riddle Votes

DISCLAIMER: Don’t do this!

Lots of websites like the BBC use riddle.com to poll their readers’ opinions. It doesn’t seem like Riddle creates a nonce or token for any new vote so it’s simple AF to game it. All you need is Chrome Dev Tools and a Bash terminal.

From today’s research I noticed a BBC page with a poll. The user could cast their opinion on a scale of -3 to 3 of whether they agree or not. So I opened Dev Tools and went to the Network tab. When I clicked on 3 I seen the two POST requests that the page made.

The body of the message we care about contains the riddleId which is the particular poll on the site, and the data which is the riddleId.sentiment.6 (6 is +3, or strongly agree).

I right-clicked the request and copied as cURL (bash):

I went to my Windows Terminal (which is awesome btw) and from my favourite DO droplet, in bash I started writing the for loop:

for i in {1..666}; do { *curl command here* ; } done

I’m not saying I pressed the return key but this WILL cast the vote 666 times, or however often you want.

As usual, stay home and stay safe. James xx

Published by James

ZeroInfoSec CEO. Family man, hacker, football fan, BMW enthusiast.

Leave a Reply

Your email address will not be published.

%d bloggers like this: