I hacked the MLB All-Star voting page in under 20 minutes

The MLB All-Star voting system is easily exploitable. And MLB probably doesn't care.

To be fair, "hacked" really isn't the right word. That word implies some kind of username/password cracking, which in turn implies some kind of secure system, and quite frankly, the All-Star voting page set up by MLB is anything but secure. With a basic knowledge of HTML, a bit of JavaScript, and a few minutes to play around, I was able to exploit MLB's All-Star voting system quite easily.

The key to exploiting the system was realizing that -- are you ready for this? -- there is zero verification surrounding the most important piece of information supplied in the voting process: your email address. The voting page asks you to supply an email address, along with some other information such as a birthdate, a zip code, and a favorite team, but unlike most systems that at least try to implement some form of security, MLB does not require you to validate your email address. There's no confirmation email with a "click here to verify" link or a "use this five-digit verification code" message, no step of any kind ensuring that the email address you supplied in the voting process is actually yours. Any string that looks like an address is accepted, so the per-email ballot limit limits nothing.

Let that sink in for a moment.

And while you were letting that sink in, I just cast 35 more ballots, using your email address. Let me know when you get the "Thank You for Voting" email from MLB.

With that major security flaw exposed, it was a simple matter of using Google Chrome's built-in network traffic monitor (the Network panel in its developer tools) to discover that all of the voting selections are sent as parameters in the URL of a GET request for an image that is 1x1 and white. It's so small you'd never see it, but it's there, and because a browser issues that request whenever it renders an <img> tag pointing at the URL, embedding that image in any page effectively casts another ballot. Nothing in the request ties the vote to a verified voter or to a session on MLB's site, so the page doing the embedding doesn't have to be MLB's.

Let that sink in as well.

I've embedded that image somewhere in this post, by the way, so by the time you've read this far, that image has loaded and you've already cast another ballot for my specific All Star player picks. Thank you for your support.

As I was showing this neat little trick to a friend, he said, "wouldn't you think MLB would want to lock this down better?" A very good question, with an even more interesting answer. The answer, I believe, is "no." Let's face it: MLB has been trying to generate interest in the All-Star Game for years, trying to encourage fan participation in the vote. The 2015 fiasco with the Kansas City Royals has been the best thing for MLB, and I don't believe they're the least bit embarrassed by it.

In the end, it's all about the numbers. That's why they let you vote 35 times. At the end of the voting, they can roll out the numbers and say, "Look! Fan voting is up! Over five million people voted for Bryce Harper!" but if you divide by 35, it turns out only about 143,000 people voted for Bryce Harper. (Those aren't real numbers, of course, they're just for the sake of illustration.)

So if a group of enterprising fans decides to exploit the use-any-email-you-want hole in the system to stuff the ballot box, and all of MLB fandom is talking about it for four weeks straight, that's great for MLB! Where's the problem? What is there to "fix" from their point of view?

You think people will actually boycott the All-Star Game this year because the voting has been exposed as a "mockery"? Maybe some will, but if eight of the nine starting players are Kansas City Royals, and that fact continues to be hyped by the major networks, I'd be willing to bet good money that there's a "train wreck" quality to the whole affair that people simply won't be able to avoid watching.

Yes, the voting system is a farce. I exploited it in less time than it takes to watch a re-run of Scrubs. But don't count on MLB doing anything to fix that any time soon.