Back again folks.
This post is, in part, a continuation of this post I made earlier that details how it is possible to use login cookies to log into accounts without using a password.
This is how it can be done (or is being done):
- A user logs onto an account and saves their login cookie (as mentioned in my previous post, this can be used to log back in without a password)
- They vote on whichever posts they want to vote on
- They delete their account
- They log back into the deleted account using the login cookie from earlier
- They go into account settings and set a recovery email
- They recover the account
When they log back in again, the votes that they cast before they deleted the account are still on those posts that they voted on - but they aren't attached to the account that they voted with because it was deleted, so they can vote again. This process can be repeated indefinitely.
Manually, this is not very quick and it would take a long time to manipulate votes on a level that made a huge difference. Unfortunately, this process can be scripted, and I suspect some people have been doing this already. I will not speculate about the users who are doing this or the people/subs that were targeted because I have no hard proof. One way to see if accounts are doing this is to check their votes, as they will reset upon account deletion and recovery.
This may have already been inadvertently patched by Atko in response to my other post: See Here
To all of the people who were using this to rig vote counts and render other user's accounts useless, fuck you.
Credit for discovery: @E-werd
Edit: /u/kashka pointed out that Voat now resets CCP to 0 when an account is deleted, so this method can now only be used to upvote. - I am getting conflicting info about this and will edit again when I get to the bottom of it. /u/kashka is correct, accounts now get set to 0 ccp when they're deleted, meaning this can only be used to manipulate upvotes now. This was likely changed in the past few weeks as someone showed me an account deleted two months ago that had ccp above 0.
CrudOMatic ago
7 people want rigged votes.
ChillyHellion ago
Doesn't invalidate the message.
PM_ME_YOUR_ARCHES ago
You mean it would be easier to use alts to downvote? That would require completing captchas to log in to your alts after a while, which would take way more time than using this method manually.
I highly doubt that this is being used manually though, it is being scripted. I have been shown evidence of this being used on accounts, one of the accounts had 10k ccp and it was all gained by scripting account deletion/upvoting/recovery using login cookies. This can't be used to downvote anymore, as the admins changed it so deleted accounts reset to 0 ccp, meaning they can't downvote after they're restored. It can be used to upvote still though, and it is not that difficult.
CANCEL-CAT-FACTS ago
Not sure if you're aware of this, but here on voat we don't go sniffing through other user's posting history in regards to unrelated comments. That SJW tactic is antithetical to the ideals of voat and completely repugnant.
PM_ME_YOUR_ARCHES ago
It is far easier than it sounds. It could probably be scripted by someone with no prior experience within a couple of hours.
also i know for a fact that some people have been doing it but i'm not going to throw usernames around
faissaloo ago
It's also way more fun
Cid ago
Public instructions on how to do it? Now it really needs to get fixed.
Ellimist ago
Don't new accounts require a CAPTCHA or similar verification?
Ellimist ago
This one seems easier to use with scripts.
Either way, I don't think we should underestimate those people.
Ellimist ago
Don't forget that voat was the target of sustained DDOS attacks last summer.
Anti free-speech ideologues are willing and able to use complex tactics such as these.
antiplebbitor ago
You. We need more of you.
forgetmyname ago
run your script 20, or 100 times upvoating your permanent shill acc's and unlock downvoat achievenment faster.
m0t- ago
Of course. If an exploit is made aware to the devs and they show inaction, even with a white hat on, the next logical step is to make it public.
PM_ME_YOUR_ARCHES ago
No, you need another user's login cookie if you want to log into their account. To manipulate votes like this, you only need your own login cookie, which is readily accessible to you.
As far as I know, AVE is open source and the code is there for all to see, so I don't think we need to be worried about AVE.
InfoTeddy ago
Since this is a serious bug that can manipulate public opinion, even if the OP privately messaged Atko and PuttItOut, the same effect of having to scramble and hands being forced would’ve happened. Making this thread has a side effect of letting people know that some upvoats don’t count.
m0t- ago
The best way of serving a 0-day is contacting the devs directly, but this is tactic lights a fire under their ass.
cool_and_froody ago
Great detective work, Arches.
Drenki ago
It can easily be automated.
CrudOMatic ago
Easily automated to give SJW socks the power to put SJW posts on the front page.
PM_ME_YOUR_ARCHES ago
Could you provide a source or evidence of this? I'm getting conflicting info from someone.
They have shown me an account that was deleted 2 months ago that still has above 0 ccp.
CANCEL-CAT-FACTS ago
Pro-tip: it's a lot easier to get upvoted by simply supporting other users and adding to the discussion on their posts, providing your own interesting content and comments and treating everyone else on this site how you would want to be treated. Don't spread hatred or stupidity or low quality posts, encourage others to contribute by replying to them and their posts/comments and treating them like actual human beings with genuine feelings and inherent humanity.
This is a big website full of many user names; some are familiar to us, some are new, some are people we've previously disagreed with, but each one of us is an individual, and there is always common ground to be had between us all.
Arotaes_Forgehammer ago
Preach it, brotha.
Stavon ago
I haven't looked in the code, but it's likely possible to to find out if it has been done and by whom. All the voats are in the database.
InfoTeddy ago
Even if someone manipulated upvoats after they learned how to do it from this post, Atko or PuttItOut could just easily reset the voats and everything would then go back to normal.
PM_ME_YOUR_ARCHES ago
Hmm interesting, I didn't know that. Maybe this is being used to upvote alts or posts/comments on main accounts then.
I'm looking at you @Arotaes_Forgehammer ;)
Arotaes_Forgehammer ago
All my ccp is 100% legit. You can tell because I'm so anal about numbers that my CCP would always be rounded to the nearest 10.
barset ago
+1
twomoreandatinkle ago
Seems like alot of work.
BobBelcher ago
Good find.
PM_ME_YOUR_ARCHES ago
I suspect it was being used on /v/Meanwhile and /v/TrueScience.
A couple of my posts were also mass downvoted. I always just assumed it was a bunch of alts, as each post had the same amount of downvotes, but the downvotes happened too quickly for it to be one person using alts, so I think they were probably using the method I described above.
Kadynce ago
@atko @putitout