
Hacking hackernoon noonies awards


gokulnk · 6 years ago · Steemit · 2 min read

I could have rigged all of the Hackernoon awards but I didn’t :P


I was able to get more than one vote per award :P

Recently Hackernoon announced their “The Noonies” awards. I wanted to vote for
Steemit as the social media website of the year and visited their page.

I voted for Steemit. Since it didn’t ask for a login of any type, I was curious
how they were keeping track of how many times a user voted. From the URL and
source code I saw that they were probably using the ids generated by MongoDB.
Once I voted it was showing the “Cancel vote” icon, so they were making sure
that one user could vote on an award only once. I wanted to check how they were
doing it. After a little digging I could see that they were using local storage
and they were keeping a JSON object that had the mapping of all the awards the
user had voted on. Once I figured it out it was easy to vote multiple times.

Steps to vote multiple times

  1. Vote on any award that you are interested in.
  2. Now open developer console.
  3. Go to the Applications section.
  4. Click on Local storage from the left tag and select the noonies website.
  5. Now right click and select “Clear” from the menu.
  6. Refresh the page and vote again now :)


A simple hack to vote multiple times

There was a huge temptation to post it on a public forum :P But I refrained. I
informed David Smooke and Storm from the Hackernoon team. I waited for the
awards to close and am now disclosing this vulnerability.
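The root cause described above is that the only record of "this user already voted" lived in the voter's own browser. The following is an added example, not code from the post or from Hackernoon: it models that design next to one where the server keeps the record itself. The class names, the `votedAwards` key and the authenticated `voterId` are assumptions made for illustration.

```javascript
// Added example; class names and the "votedAwards" key are hypothetical.
class FakeLocalStorage { // constructed stand-in for the browser's localStorage
  constructor() { this.data = new Map(); }
  getItem(k) { return this.data.has(k) ? this.data.get(k) : null; }
  setItem(k, v) { this.data.set(k, String(v)); }
  clear() { this.data.clear(); }
}

// Weak design: the server counts every request it receives.
class ClientTrustingServer {
  constructor() { this.tally = new Map(); }
  vote(awardId) { this.tally.set(awardId, (this.tally.get(awardId) || 0) + 1); }
}

// Browser-side check: the "already voted" map exists only in local storage.
function clientVote(storage, server, awardId) {
  const voted = JSON.parse(storage.getItem("votedAwards") || "{}");
  if (voted[awardId]) return false; // UI would show "Cancel vote" here
  server.vote(awardId);
  voted[awardId] = true;
  storage.setItem("votedAwards", JSON.stringify(voted));
  return true;
}

// Hardened design: the server records (voter, award) pairs and rejects repeats.
// Assumes voterId comes from an authenticated session, which the page lacked.
class DedupingServer {
  constructor() { this.voters = new Map(); } // awardId -> Set of voterIds
  vote(voterId, awardId) {
    if (!voterId) throw new Error("authenticated voter id required");
    if (!this.voters.has(awardId)) this.voters.set(awardId, new Set());
    const seen = this.voters.get(awardId);
    if (seen.has(voterId)) return false;
    seen.add(voterId);
    return true;
  }
  count(awardId) { return (this.voters.get(awardId) || new Set()).size; }
}

function demo() {
  const storage = new FakeLocalStorage();
  const weak = new ClientTrustingServer();
  clientVote(storage, weak, "award-1");
  clientVote(storage, weak, "award-1"); // blocked, but only by client state
  storage.clear();                      // client state is gone
  clientVote(storage, weak, "award-1"); // server counts it again
  const strong = new DedupingServer();
  strong.vote("user-42", "award-1");
  strong.vote("user-42", "award-1");    // rejected by the server's own record
  return { weak: weak.tally.get("award-1"), strong: strong.count("award-1") };
}
```

In the weak model the tally reaches 2 for a single voter, while the server-side record holds it at 1 regardless of what the browser stores.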
