Comments on the Oxford Mail site are completely broken

· 646 Words

There’s something very odd going on with the comments on the Oxford Mail site. No disrespect to the paper, but I have a tough time tallying up likely size of readership with some of the behaviour seen on the site.

Unlikely

You can register on the site and leave comments and discuss things with other people who have registered. You can up-vote and down-vote particular comments. There is often a light dusting of scores hovering around the 0 mark and then one comment in particular will have about a hundred down-votes. This seems incredibly unlikely.

Most website with voting (at least as of about 10 years ago) have logging and audits which make sure that one person can’t just keep voting for something. I half-assume they do this, otherwise there’s no point having voting at all.

Innocuous Cumberbatch

Let’s look at an example. A totally innocuous article about (amongst other things) Benedict Cumberbatch has two comments, both from the same person, with scores of -116 and -110. That is completely ridiculous.

I emailed the paper to ask what the deal is, just because it’s so strange. I got no response, so I thought I’d look at it myself.

No Checks

The first thing is that you don’t have to be logged in to vote. I just up-voted one of those comments.

The second thing is that the voting action sets a cookie. Cookies are optional. You don’t have to accept them. The Oxford Mail Cookies Policy says that you don’t have to accept them (not that it really matters, it’s your computer not theirs). So if you don’t accept cookies, or delete them you can** keep voting**. I up-voted the comment twice.

The third thing is that you can send the POST request without any cookies. I took a look at the HTTP request that performs an up-vote:

Screen Shot 2013-10-02 at 12.58.38

There’s a tool called cURL. If you’re not acquainted with cURL, all you need to know is that it does the same job as a browser in an automatable fashion. It’s a standard part of the tool-kit for making web applications.

I can issue a cURL command to upvote:

curl http://www.oxfordmail.co.uk/ws/article/10658297/comments/11970143/ :data action=Plus

and, lo and behold, it returns, saying that it’s recorded my upvote.

{‘commentId’:‘11970143″,‘score’:-104,‘articleId’:‘10658297″}

If I do this 20 times, the score actually changes. Before:

Screen Shot 2013-10-02 at 13.06.56

and after

Screen Shot 2013-10-02 at 13.07.35

Permission

When you provide a website you are actually providing a number of individual HTTP resources. A resource might be the home page, an article, comment, vote, image etc. There are status codes which are given in response to a request. They include ‘OK’, ‘Can’t find what you asked for’, ‘You’re not allowed to do that’, etc. For example, you’re not allowed to comment unless you’re logged in.

But these ‘vote’ resources are provided to the public and the response is always ‘ok’. The Oxford Mail is explicitly giving anyone permission to vote for any comment any number of times.

Anyone can basically set the up/downvote score of any comment on the Oxford Mail site to anything they like.

And it seems like others are abusing their generosity.

Abuse

I’m not the first to notice this. Two users, Neonlights and yabbadabbadoo256 seem to have automatic and systematic down-votes. They’ve clearly made an enemy of someone with too much time on their hands.

Postscript

Just for fun I thought I’d try a proof of concept. I stopped at a cool thousand upvotes. No doubt someone will spot this sooner or later, or my arch-nemesis the down-voter will compensate. This is my comment, and it is the only comment I voted on in an automated manner.

cool-thousand

Call it satire.

Post-Post Script

After I published this blog post, someone or some people (I’ve no idea who) decided to go seven-thousand-nine-hundred better than me. Someone with a spirit of fun.

8900

The count is still rising. It is a very good comment, after all.

Read more