New feedback site open to abuse


blaaah

The voting system is wide open to abuse as you have an unlimited number of votes (no registered details required), you can just keep voting over and over for your favourite issue. So I don't think PD could take the data seriously in its current form. I think votes should only count if you are using a confirmed valid email address.
 
The voting system is wide open to abuse as you have an unlimited number of votes (no registered details required), you can just keep voting over and over for your favourite issue. So I don't think PD could take the data seriously in its current form. I think votes should only count if you are using a confirmed valid email address.

I suppose it is expecting mature voting from its participants. I'm sure there will be an IP log of voters.
 
I suppose it is expecting mature voting from its participants. I'm sure there will be an IP log of voters.

I'm just gonna stick this here instead of starting a new thread. I think this new system is ace!
 
The software checks your IP address if you try to submit votes from different email addresses and discards those fraudulent votes.
 
The software checks your IP address if you try to submit votes from different email addresses and discards those fraudulent votes.

This doesn't appear to be working, I tried it again and it just accepts the new votes. Unless the system accepts them and discards them at a later date, but I don't know if that is the case or not. I hope by raising this point myself you won't blame me for testing it out to check the system is fair.
 
The site uses Javascript to give the appearance that votes are immediately registered, and I doubt the script is sophisticated enough to check with the server before updating those numbers. I can't accurately test it myself as an administrator, I'm just going by the voter fraud detection settings I have set in the control panel. The software is a third-party, hosted service so my ability to control its functionality is very limited.
 
Is it possible to set up a separate vote page with just one poll option that only you have access to, then you can test to see if the votes actually keep going up or stay static at 3 votes. That might be one way of confirming the fraud detection works.
 
Not until I can access the site from another IP address. Mine is registered as an administrator and should be exempt from the blocking rules.
 
I can't accurately test it myself as an administrator, I'm just going by the voter fraud detection settings I have set in the control panel.

I'm surprised that you don't have a "normal user" dummy account just for testing things like this. When I've run forums etc in the past, I always did; very useful on occasion.
 
His dummy account would still have an IP address linked to administrator status is what he is saying I believe. You can change to a proxy IP address using a site such as hidemyass.com. But that would allow multiple votes also if it changed with every use.
Having said that I realise we should just accept polls are not that secure and should just show trends and not absolute facts. Even UK government petitions only require a name and email address and home address (which could all be made up), and they get examined and responded to if over 500 names, over 100,000 names and it gets eligible for debate in Parliament.
 
That's correct, blaaah. The UserVoice hosted software blocks by IP address, not user accounts / cookies. I wouldn't know if it's counting a test user's votes because something is wrong or because my IP address has been white-listed as an administrator, thus making it exempt from a block.

EDIT/UPDATE: Just accessed the feedback site via another IP address in a fresh browser window and a dedicated testing "forum" with two testing accounts. It blocked my second vote the first time yet it seems the second went through. I'm not sure how it works and, once again, this is a hosted service by UserVoice that I don't have any control of beyond what's offered in my account control panel.
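
The behaviour discussed in this thread, as an added example that is not part of any post and is not UserVoice's code: a server-side tally that discards votes sent from one IP under a second email address, ignores unconfirmed emails, and exempts allowlisted administrator IPs, next to the count an optimistic client-side script would display. The one-vote-per-email rule, the function name `tally`, and every address and issue name below are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample submissions: (ip, email, email_confirmed, issue)
SAMPLE_VOTES = [
    ("203.0.113.5", "a@example.org", True, "issue-1"),
    ("203.0.113.5", "b@example.org", True, "issue-1"),     # same IP, new email
    ("203.0.113.5", "a@example.org", True, "issue-1"),     # repeat vote
    ("198.51.100.7", "c@example.org", False, "issue-1"),   # email never confirmed
    ("198.51.100.9", "d@example.org", True, "issue-2"),
    ("192.0.2.1", "admin1@example.org", True, "issue-2"),  # allowlisted admin IP
    ("192.0.2.1", "admin2@example.org", True, "issue-2"),  # second test account
]
ADMIN_ALLOWLIST = frozenset({"192.0.2.1"})  # hypothetical administrator IP


def tally(votes, allowlist=frozenset()):
    """Return (displayed, counted, discarded) for a list of submissions.

    displayed: what a page shows if its script bumps the number on every click
    counted:   what the server keeps after applying the rules
    discarded: (ip, email, reason) for each rejected submission
    """
    displayed, counted = defaultdict(int), defaultdict(int)
    discarded = []
    first_email_for_ip = {}  # (ip, issue) -> first email seen from that IP
    already_voted = set()    # (email, issue) pairs that have been counted

    for ip, email, confirmed, issue in votes:
        displayed[issue] += 1  # client-side counter never asks the server
        if not confirmed:
            discarded.append((ip, email, "unconfirmed email"))
            continue
        if (email, issue) in already_voted:
            discarded.append((ip, email, "repeat vote"))
            continue
        if ip not in allowlist:  # administrators bypass the IP rule entirely
            first = first_email_for_ip.setdefault((ip, issue), email)
            if first != email:
                discarded.append((ip, email, "second email from same IP"))
                continue
        already_voted.add((email, issue))
        counted[issue] += 1
    return dict(displayed), dict(counted), discarded


if __name__ == "__main__":
    shown, kept, dropped = tally(SAMPLE_VOTES, ADMIN_ALLOWLIST)
    print("displayed:", shown)
    print("counted:  ", kept)
    for entry in dropped:
        print("discarded:", entry)
```

Both submissions from the allowlisted IP are counted, which is why a test run from an administrator's address cannot show whether the IP rule works.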
 