Recently Hackernoon announced their “The Noonies” awards. I wanted to vote for Steemit as the social media website of the year and visited their page.
I voted for Steemit. Since the site didn’t ask for a login of any type, I was curious how it kept track of how many times a user had voted. From the URL and source code I saw that the ids were probably generated by MongoDB. Once I voted, the page showed the “Cancel vote” icon, so they were making sure that one user could vote on an award only once. I wanted to check how they were doing it. After a little digging I could see that they were using local storage to keep a JSON object mapping all the awards the user had voted on. Once I figured that out, it was easy to vote multiple times.
Steps to vote multiple times
- Vote on any award that you are interested in.
- Now open developer console.
- Go to the Applications section.
- Click on Local storage in the left pane and select the Noonies website.
- Now right click and select “Clear” from the menu.
- Refresh the page and vote again now :)
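The underlying problem is that the only record of “already voted” lived in the browser. Below is an added illustration (not Hackernoon’s or Steemit’s code) contrasting that client-only check with a server-side check keyed by an authenticated identity; `clientSideVote`, `VoteServer`, the award and user ids, and the stubbed `localStorage` are all hypothetical so the file runs offline under Node.

```javascript
// Added illustration, not Hackernoon's code. Names and ids are hypothetical;
// localStorage is stubbed so this runs offline under Node.
const fakeLocalStorage = (() => {
  let store = {};
  return {
    getItem: (k) => (k in store ? store[k] : null),
    setItem: (k, v) => { store[k] = String(v); },
    clear: () => { store = {}; },
  };
})();

// Vulnerable pattern: the only record that a user already voted is a JSON
// map in the browser's storage, which the user fully controls.
function clientSideVote(storage, awardId) {
  const voted = JSON.parse(storage.getItem('voted') || '{}');
  if (voted[awardId]) return { accepted: false, reason: 'already voted' };
  voted[awardId] = true;
  storage.setItem('voted', JSON.stringify(voted));
  return { accepted: true };
}

// Hardened pattern: the server records votes keyed by an authenticated
// identity, so nothing the client forgets or edits changes the count.
class VoteServer {
  constructor() { this.votes = new Map(); } // awardId -> Set of userIds
  castVote(session, awardId) {
    if (!session?.userId) return { accepted: false, reason: 'authentication required' };
    const voters = this.votes.get(awardId) ?? new Set();
    if (voters.has(session.userId)) return { accepted: false, reason: 'already voted' };
    voters.add(session.userId);
    this.votes.set(awardId, voters);
    return { accepted: true };
  }
  tally(awardId) { return (this.votes.get(awardId) ?? new Set()).size; }
}

// Same user, same award, with the client state wiped between rounds (what the
// post describes): the client-only check accepts twice, the server once.
function compare() {
  const award = 'award-1'; // constructed id
  const server = new VoteServer();
  const session = { userId: 'user-42' }; // constructed authenticated session
  let clientAccepted = 0, serverAccepted = 0;
  for (let round = 0; round < 2; round++) {
    if (clientSideVote(fakeLocalStorage, award).accepted) clientAccepted++;
    if (server.castVote(session, award).accepted) serverAccepted++;
    fakeLocalStorage.clear(); // wiping local storage resets only the client
  }
  return { clientAccepted, serverAccepted, serverTally: server.tally(award) };
}
```

The server-side version also refuses votes with no authenticated session, which is the other half of the fix: without an identity to key on, there is nothing to deduplicate against.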
There was a huge temptation to post it on a public forum :P But I refrained. I informed David Smooke and Storm from the Hackernoon team. I waited for the awards to close and am now disclosing this vulnerability.