MLB makes a concerted effort to investigate votes that: 1. come from accounts created using email addresses that appear to have been tweaked in some way that too closely resemble another address; 2. multiple voting accounts that come from the same IP address; and 3. troubling patterns in voting that emerge during the reviews by a third-party company employed to chart All-Star Game balloting trends.
[Bob] Bowman [MLB President of Business and Media] said that process alone leads to about 20 percent of the votes that are cast online being eliminated every year. With that in mind, all the votes MLB has reported so far have been sanitized.
And then there’s this from Jeff Passan of Yahoo Sports:
More than 300 million votes have been accepted, according to the league, and the record of 390 million should fall sometime this week. Almost certainly a half-billion votes will be cast by the time balloting ends at 11:59 p.m. ET on July 2. And that doesn’t include the massive amounts of votes Bob Bowman, the CEO of MLB Advanced Media, said the league disallowed because of concerns over fake or improper voting.
“I’m not saying we bat 1.000,” Bowman said. “But it’s between 60 and 65 million votes that have been canceled. We don’t really trumpet it because if someone thinks they’re getting away with it, they’ll try to again.”
Thirty-five of those votes belonged to the email address of Yahoo Sports blogger Mike Osegueda, who received a verification email for ballots he didn’t cast. Alerted to his tweet about it, the league said the votes were taken away. Presumably, MLBAM tries the same with similar such ballots – Bowman said the 20 percent rate of killing ballots is consistent with previous seasons – keenly aware that in addition to civic pride, Kansas City packs a nice wallop of humor.
To be fair, “hacked” really isn’t the right word. That word implies some kind of username/password cracking, which in turn implies some kind of secure system, and quite frankly, the All-Star voting page set up by MLB is anything but secure. With a basic knowledge of HTML, a bit of JavaScript, and a few minutes to play around, I was able to exploit MLB’s All-Star voting system quite easily.
The key to exploiting the system was realizing that—are you ready for this?—there is zero verification surrounding the most important piece of information supplied in the voting process: your email address. The voting page asks you to supply an email address, along with some other information such as a birthdate, a zip code, and a favorite team, but unlike most systems that at least try to implement some form of security, MLB does not require you to validate your email address. There’s no confirmation email sent with a “click here to verify” or “use this five-digit verification code” message, some way of ensuring that the email address you supplied in the voting process is actually yours.
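The control the passage above says is missing, sketched as an added example (not code from MLB or from the quoted post): a ballot stays pending until the owner of the address returns a signed, expiring token that was sent to that address. The class and function names, the key and the 24-hour lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: server-side secret; a real deployment loads it from a secrets store.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 24 * 3600  # assumed lifetime of a verification link, in seconds

def _sign(email, ballot_id, expires):
    # ballot_id is server-generated and contains no "|", so the fields are unambiguous.
    msg = f"{email.lower()}|{ballot_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(email, ballot_id, now=None):
    now = int(time.time() if now is None else now)
    expires = now + TOKEN_TTL
    return f"{expires}.{_sign(email, ballot_id, expires)}"

def verify_token(email, ballot_id, token, now=None):
    now = int(time.time() if now is None else now)
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False  # malformed token
    if expires < now:
        return False  # link expired
    expected = _sign(email, ballot_id, expires)
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    return hmac.compare_digest(sig.encode(), expected.encode())

class BallotBox:
    """Ballots are tallied only after the address owner returns the token."""
    def __init__(self):
        self.pending = {}  # ballot_id -> (email, picks)
        self.counted = {}  # ballot_id -> picks

    def submit(self, ballot_id, email, picks, now=None):
        self.pending[ballot_id] = (email, picks)
        # The token goes out by e-mail only; it is never shown to the submitter.
        return issue_token(email, ballot_id, now)

    def confirm(self, ballot_id, token, now=None):
        entry = self.pending.get(ballot_id)
        if entry is None or not verify_token(entry[0], ballot_id, token, now):
            return False
        self.counted[ballot_id] = self.pending.pop(ballot_id)[1]
        return True
```

Because the token is bound to both the address and the ballot, a link issued for one ballot cannot confirm another, and a confirmed ballot cannot be confirmed twice.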
Sure, there will be a ballgame in the middle of all of this and it’ll decide home field advantage in the World Series, but that Esurance doesn’t sell itself.