Hacking Hackernoon noonies awards

Gokul N K
Aug 17 · 2 min read

I could have rigged all of the Hackernoon awards but I didn’t :P

I was able to get more than one vote per award :P

Recently Hackernoon announced their “The Noonies” awards. I wanted to vote for Steemit as the social media website of the year and visited their page.

I voted for Steemit. Since it didn’t ask for a login of any type, I was curious how they were keeping track of how many times a user voted. From the URL and source code I saw that they were probably using the IDs generated by MongoDB. Once I voted, it showed the “Cancel vote” icon, so they were making sure that one user could vote on an award only once. I wanted to check how they were doing it. After a little digging I could see that they were using local storage and keeping a JSON object that had the mapping of all the awards the user had voted on. Once I figured it out, it was easy to vote multiple times.

Steps to vote multiple times

  1. Vote on any award that you are interested in.
  2. Now open the developer console.
  3. Go to the Applications section.
  4. Click on Local storage from the left tag and select the noonies website.
  5. Now right click and select “Clear” from the menu.
  6. Refresh the page and vote again now :)

A simple hack to vote multiple times

There was a huge temptation to post it on a public forum :P But I refrained. I informed David Smooke and Storm from the Hackernoon team. I waited for the awards to close and am now disclosing this vulnerability.
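
The design flaw described above, next to a server-side alternative, as an added example that is not part of the original post and not Hackernoon's code. The storage key, the award and nominee IDs, and the `voterId` (assumed to come from a server-verified session) are all hypothetical.

```javascript
// Constructed stand-in for window.localStorage so the sketch runs under Node.
class FakeStorage {
  constructor() { this.data = new Map(); }
  getItem(k) { return this.data.has(k) ? this.data.get(k) : null; }
  setItem(k, v) { this.data.set(k, String(v)); }
  clear() { this.data.clear(); }
}

const KEY = "votedAwards"; // hypothetical key name, not taken from the site

// Weak pattern: the "already voted" check reads state the browser user owns.
function clientTrackedVote(storage, tallies, awardId, nomineeId) {
  const voted = JSON.parse(storage.getItem(KEY) || "{}");
  if (voted[awardId]) return false;
  voted[awardId] = nomineeId;
  storage.setItem(KEY, JSON.stringify(voted));
  tallies.set(nomineeId, (tallies.get(nomineeId) || 0) + 1);
  return true;
}

// Hardened pattern: the server stores one ballot per (voterId, awardId).
// Assumption: voterId comes from a server-verified session, never from the request body.
class VoteServer {
  constructor() { this.ballots = new Map(); }
  key(voterId, awardId) { return JSON.stringify([voterId, awardId]); }
  vote(voterId, awardId, nomineeId) {
    const k = this.key(voterId, awardId);
    if (this.ballots.has(k)) return false; // duplicate rejected server-side
    this.ballots.set(k, nomineeId);
    return true;
  }
  cancel(voterId, awardId) { return this.ballots.delete(this.key(voterId, awardId)); }
  tally(awardId, nomineeId) {
    let n = 0;
    for (const [k, nominee] of this.ballots) {
      if (JSON.parse(k)[1] === awardId && nominee === nomineeId) n++;
    }
    return n;
  }
}

// Same voter submits twice against each design; client state is reset in between.
function compareDesigns() {
  const storage = new FakeStorage(), tallies = new Map(), server = new VoteServer();
  for (let i = 0; i < 2; i++) {
    clientTrackedVote(storage, tallies, "award-1", "nominee-a");
    server.vote("voter-1", "award-1", "nominee-a");
    storage.clear(); // has no effect on the server-side ballot table
  }
  return { weak: tallies.get("nominee-a"), hardened: server.tally("award-1", "nominee-a") };
}
```

`compareDesigns()` returns `{ weak: 2, hardened: 1 }`: the client-tracked tally counts both submissions, while the server-side ballot table keeps one.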
