UPDATE: MLB says there are safeguards in place for All-Star vote shenanigans

51 Comments

An update, via ESPN:

MLB makes a concerted effort to investigate votes that: 1. come from accounts created using email addresses that appear to have been tweaked in some way that too closely resemble another address; 2. multiple voting accounts that come from the same IP address; and 3. troubling patterns in voting that emerge during the reviews by a third-party company employed to chart All-Star Game balloting trends.

[Bob] Bowman [MLB President of Business and Media] said that process alone leads to about 20 percent of the votes that are cast online being eliminated every year. With that in mind, all the votes MLB has reported so far have been sanitized.

And then there’s this from Jeff Passan of Yahoo Sports:

More than 300 million votes have been accepted, according to the league, and the record of 390 million should fall sometime this week. Almost certainly a half-billion votes will be cast by the time balloting ends at 11:59 p.m. ET on July 2. And that doesn’t include the massive amounts of votes Bob Bowman, the CEO of MLB Advanced Media, said the league disallowed because of concerns over fake or improper voting.

“I’m not saying we bat 1.000,” Bowman said. “But it’s between 60 and 65 million votes that have been canceled. We don’t really trumpet it because if someone thinks they’re getting away with it, they’ll try to again.”

Thirty-five of those votes belonged to the email address of Yahoo Sports blogger Mike Osegueda, who received a verification email for ballots he didn’t cast. Alerted to his tweet about it, the league said the votes were taken away. Presumably, MLBAM tries the same with similar such ballots – Bowman said the 20 percent rate of killing ballots is consistent with previous seasons – keenly aware that in addition to civic pride, Kansas City packs a nice wallop of humor.

2:54 p.m. ET: In terms of importance the All-Star vote isn’t exactly Fort Knox of the CIA mainframe or the president’s nuclear launch codes. Indeed, in the grand scheme of things it’s somewhat less important than the Astros’ Ground Control system and somewhat more important than the survey Pizza Hut wants you to do after filling out an online order.

But boy oh boy, you think they’d have at least some sort of security on the thing. Nope. They don’t. From HookSlide at SB Nation’s Bless You Boys blog, who explains how he hacked the All-Star voting page to give him far, far more than the 35 votes Major League Baseball allows each email address:

To be fair, “hacked” really isn’t the right word. That word implies some kind of username/password cracking, which in turn implies some kind of secure system, and quite frankly, the All Star voting page set up by MLB is anything but secure. With a basic knowledge of HTML, a bit of Javascript, and a few minutes to play around, I was able to exploit MLB’s All-Star voting system quite easily.

The key to exploiting the system was realizing that—are you ready for this?—there is zero verification surrounding the most important piece of information supplied in the voting process: your email address. The voting page asks you to supply an email address, along with some other information such as a birthdate, a zip code, and a favorite team, but unlike most systems that at least try to implement some form of security, MLB does not require you to validate your email address. There’s no confirmation email sent with a “click here to verify” or “use this five-digit verification code” message, some way of ensuring that the email address you supplied in the voting process is actually yours.

As he notes, it’s highly doubtful Major League Baseball gives a flying frick about this because they’re getting what they want out of the system: lots of pageviews and user engagement on their voting page which has a corporate sponsor. Lots of people talking about the All-Star Game. Lots of votes — in sheer numbers — which allows them to talk about how excited everyone is about the Midsummer Classic. The All-Star Game is, from its sponsored votes to its sponsored events to its sponsored musical acts, is just a big circus to the league anymore, so there’s no sense in worrying about the voting process being a circus too.

Sure, there will be a ballgame in the middle of all of this and it’ll decide home field advantage in the World Series, but that Esurance doesn’t sell itself.

Rakuten Golden Eagles sign Jabari Blash

Jabari Blash
Getty Images
2 Comments

Former Angels outfielder Jabari Blash has signed a one-year deal with the Tohoku Rakuten Golden Eagles of Nippon Professional Baseball, the team announced Friday. Per the Japan Times, the deal is said to be worth around $1.06 million. Blash was released from his contract with the Angels at the end of November.

The 29-year-old outfielder has had a rough go of it in the majors, where he failed to duplicate the promising results he delivered in the minors. While he consistently batted above .250 with 20-30 home runs per season at the Double- and Triple-A level, he petered out in back-to-back gigs with the Padres and Angels and slumped toward a .103/.200/.128 finish across 45 PA for Anaheim in 2018.

The hope, of course, is that the environment in NPB will help him get a better handle on his issues at the plate — in a best case scenario, resulting in a full-scale transformation that could make him more marketable to MLB teams in the future. To that end, Blash expects to be utilized as a cleanup batter in the Eagles’ lineup and will focus on assisting the club as they make a run toward the Japan Series.