Reddit hacking for votes and profit

Looks like someone figured out how to game the Reddit system. This probably has been done before, but as far as we know nobody’s actually shared the methods in detail. [Esrun] wrote some scripts that allow him to register multiple accounts and use them to up-vote stories.

The hack goes something like this. A script registers a group of accounts. Each uses a different IP and the only part that requires intervention is typing in the Captcha. This doesn’t take long. You can see the script interface above as well as a demonstration video after the break.

Once the accounts have been acquired, a story is submitted and the new accounts vote on it. They’re not all up-votes though, as having both up and down votes puts the article into the controversial section of Reddit (which is desirable), and doesn’t rouse as much suspicion from the moderators. He ran a few tests that he shares and it seems that as long as the article is interesting, this can be quite successful.
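Seen from the site's side, the mix of up- and down-votes hides nothing about who is voting. The following check is an added example, not code from the original post or from Reddit: it flags stories whose votes come mostly from newly registered accounts, and the `Vote` record, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

DAY = 86400
@dataclass(frozen=True)
class Vote:
    post: str
    account: str
    created: int    # account registration time, epoch seconds
    cast: int       # time the vote was cast, epoch seconds
    direction: int  # +1 up-vote, -1 down-vote

def suspicious_posts(votes, max_age=DAY, min_votes=5, min_fresh_share=0.6):
    """Flag posts whose votes come mostly from accounts younger than max_age.
    Vote direction is deliberately ignored: mixing up- and down-votes changes
    the score, not the age profile of the accounts doing the voting.
    """
    by_post = defaultdict(list)
    posts_by_account = defaultdict(set)
    for v in votes:
        by_post[v.post].append(v)
        posts_by_account[v.account].add(v.post)

    flagged = {}
    for post, vs in by_post.items():
        fresh = [v for v in vs if v.cast - v.created <= max_age]
        if len(vs) < min_votes or len(fresh) / len(vs) < min_fresh_share:
            continue
        created = [v.created for v in fresh]
        flagged[post] = {
            "votes": len(vs),
            "fresh_share": round(len(fresh) / len(vs), 2),
            "single_use": sum(len(posts_by_account[v.account]) == 1 for v in fresh),
            "registration_span": max(created) - min(created),
        }
    return flagged

# Constructed sample data: p1 is voted on by year-old accounts only; p2 gets six
# mixed-direction votes from accounts registered 90 s apart an hour earlier.
T0 = 1_000_000_000
SAMPLE = (
    [Vote("p1", f"old{i}", T0 - 400 * DAY, T0 + i * 60, 1) for i in range(6)]
    + [Vote("p2", f"new{i}", T0 - 3600 + i * 90, T0 + i * 30, 1 if i % 3 else -1) for i in range(6)]
    + [Vote("p2", f"old{i}", T0 - 400 * DAY, T0 + 500 + i, 1) for i in range(2)]
)

if __name__ == "__main__":
    print(suspicious_posts(SAMPLE))
```

`single_use` counts fresh accounts that have voted on nothing else, and `registration_span` is the number of seconds between the first and last registration in the fresh group; neither signal depends on source IP, which the script rotates per account.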

Great, more spam with our social media please.

[Thanks Joseph via Reddit]

Comments

  1. dawg says:

    Yeah, thanks HAD. Was three paragraphs really necessary for this drivel? This isn’t even exciting: Man creates program to register 100+ accounts on a popular social media site, and proceeds to vote up/down any post he chooses.

    Great, more spam with our hacks please.

  2. Concino says:

    @dawg,

    This still is a hack when you look at it as Information Systems perspective. IT Security folks already know that these type of hacks exist. When you look at it as a social media perspective to promote a product you might not see its significance.

    What if someone created bunch of accounts that is associated with a particular region, and start sending updates for example saying that they’ve been attacked by zombies?

    I am glad HAD is bringing this up and giving perspective to more people may or may not aware of these type of hacks.

  3. JD says:

    “it seems that as long as the article is interesting, this can be quite successful.”

    Isn’t that the entire point of Reddit? More interesting articles are closer to the top? Doesn’t seem like he needed all those accounts or scripts to make interesting articles rise.

  4. YaBa says:

    hmm… seems that people on Digg are having too much time on hands :D

  5. YaBa says:

    @dawg: security through obscurity never worked.
    I cannot trust a site where faking can be made.
    anyway… reddit UI sucks so… :P

  6. Spork says:

    @JD
    I think a less-interesting article that gets pushed to the top is more likely to be read than a very interesting article that doesn’t get read because it was piled under ‘hacked’ articles.

    @HaD
    This is not really that cool. I’m all for hacking things together, breaking security, and generally causing chaos… but when you are just scripting votes? That’s just cheating.

  7. JD says:

    @Spork

    Interesting…

  8. dizturbd2 says:

    It’s only a matter of time…somebody didn’t think this through before they decided to release a video :P

    http://www.reddit.com/r/reddit.com/comments/doq9e/reddit_hacking_for_votes_and_profit

  9. NatureTM says:

    This is a hack, but not one that belongs on HaD. The thread that usually ties the articles on HaD together is that the articles make the reader say, “that’s really clever” or “I would like to try that.” This may be a little clever, but I don’t think most people here would want to try it. I think HaD readers do the things they do for a sense of accomplishment, and doing this would certainly make most of us feel the opposite.
    This belongs either on a vulnerability disclosure site, or in the mailbox of the Reddit administrators.
    Still <3 you tho.

  10. Brennan says:

    @YaBa

    Reddit UI sucks? How’s Digg v4 working out for ya?

  11. M4CGYV3R says:

    The background music totally sounds like the cheesy cuts they set to play automatically in the background of many keygen programs.

  12. FU_mrbabyman says:

    I pin the blame on damn MrBabyman.

  13. CAPTCHA says:

    Surely something like this http://churchturing.org/captcha-dist/ could be used to break the reddit captcha?

  14. PapaMac says:

    I hope that the scripts are released. Reddit seems to be the same as Digg – unless you have enough friends to give your story the initial push, it won’t go anywhere… regardless of how good it is!

  15. taky says:

    esrun always pubs good shit, this is a great method to gain initial exposure in a shady but not illegal way, ++$esrun;

  16. Good Blogger says:

    This only proves that reddit’s structure is vulnerable. An article doesn’t need to be genuinely interesting to sit at the top, like this guy’s proven. Nice work.

  17. LabGurl says:

    Although this isn’t a hardware hack, I don’t mind seeing some more software hacks on here. We had wep cracking the other day and as a big user of Reddit, I’m actually interested to see how people are gaming it. Although I may not agree with what this guy is doing, at least he’s showing roughly how it’s done.

  18. benzy says:

    Really good stuff. Some sophisticated methods for effective hits!

  19. biozz says:

    @dawg
    it’s a hack you’re using something to do something that it’s not intentionally designed to do
    this interests a fair amount of people and if you don’t like it shut the fuck up and don’t fucking click on it you are still getting your hack-a-day now every one gets at least something they like

    @HaD good job you are finally reaching all audiences keep it up

  20. TheCatAndBag says:

    It felt a bit ironic reading a story on Reddit about reddit being gamed, wondering if it had been gamed itself to be there. At least Reddit will hopefully tighten up protocols now. I always submit cool stuff which gets downvoted into hell and then I see the most stupid stuff hitting the homepage. Now I know why.

  21. Downvoted_syndrome says:

    There was an updated reddit thread where the guy gave feedback on what he was doing – http://www.reddit.com/r/reddit.com/comments/doizk/regarding_the_who_said_people_arent_really_gaming/

  22. Mav says:

    This isn’t a Hack! Traditionally back in the 80’s when the terms were truly defined and before hacking entered the consciousness of the electronics hobbyists a hacker was someone who kludged or hacked code together for the likes of demos.

    This is more in the realm of the Cracker who traditionally broke security on software for piracy reasons, hackers ended up being mistaken for crackers and got a bad name that even now is still perceived as a bit dodgy.

    Unless we are having Crack-a-day I’d say this post is not only irrelevant but also detrimental to the hacking community

    @Concino
    This is a crack , by definition he is cracking (by breaking or bypassing) the sites security for nefarious reasons.

    this sort of confusion is what gives hackers a bad rep

  23. ryall says:

    Yeah I found this post interesting too. All you “pure” PIC programmers go and read the posts that interest you and quit spewing your shit all over the comments whenever a project doesn’t fit into your tiny niche, or has the “absolute gall” to use an arduino. No one does indignant quite like you guys.

    Don’t bother replying, I lost interest in what you had to say a long time ago. But I’m getting real sick of wading through the crap while searching for comments that have any relevance to the article.

  24. nobog says:

    Has the guy paid for this post to get some publicity?

    Maybe someone hasn’t shared their exact method of gaming this one website but the technical method is extremely generic, used by all kinds of spam programs.

  25. flarson says:

    This has a high probability of failure. The Reddit community is pretty vigilant and will likely notice that upvotes are originating from zero day accounts.

  26. Whatnot says:

    If you have control of hundreds of IP’s this is trivial, but who has that? Botnet guys and companies but not the ordinary man, unless maybe you are IPv6’ed?
    Anyway you see the same on youtube and such places too, it’s all a bit pathetic, if you cheat at least use your pals, maybe from a forum like 4chan or something, so at least real people are doing it not a lame script.

  27. 0x41 says:

    We’ve known it can be done for a while, and the comments that were posted here:

    http://www.reddit.com/r/reddit.com/comments/djxhq/gaming_the_reddit_voting_system_twitter_is_just/c10r83k

    are much more interesting from a technical standpoint.

    I pm’ed back and forth with the author for a while, and after showing that I had no malicious intentions, he showed me some of the source code.

    It was much more advanced than what this guy is doing, not only in scale but in anti-detection counter measures.

  28. Mr. BabyMan says:

    @FU_mrbabyman
    Oh please, accept some responsibility yourself.

  29. dawg says:

    @biozz, Try typing legibly next time.
    I also implore anyone who feels so vehemently about others’ opinions, specifically criticisms, to read this: http://plover.net/~bonds/stupidresponses.html

  30. JDoe says:

    @Mav, stop laming about with hacker/cracker talk.

    A hacker deals with networks, he/she may be black or white hat. (group example: Chaos Computer Club)

    A cracker is a person cracking copyright protected software for fame &/ money. (group example: Core, Phrozen Crew)

  31. ragegnome says:

    Don’t learn to HACK!
    HACK to learn!

  32. Brad Hein says:

    And the point of all that work is to… Have your story at the top of the list. Sounds like someone lives a sad sad life.

  33. Simon says:

    Teehee, the first frame at 0:54 contains the IP and username uncensored, which is then covered up quickly after. “Logging in using Lidyawijaya:Ag27F6C3 via 74.86.0.184…”

  34. ejonesss says:

    what is the incentive for voting up/down the stories?

    2 reasons i can think of.

    1. stories in the top stories list on the front page (like slyck does) are in order of replies in their forum last replied.

    so if you dont like a certain story because the headline contains some sexually or racially offensive word you may want to vote up the other articles to push the offending post to the bottom and off the list (slyck.com only shows the top 8 discussions).

    2. like above you can also vote down a post so lets say you get a bunch of accounts and vote down the sexually or racially offensive posting until it falls below and off the top rated list
