UPDATE: MLB says there are safeguards in place for All-Star vote shenanigans

An update, via ESPN:

MLB makes a concerted effort to investigate votes that: 1. come from accounts created using email addresses that appear to have been tweaked in some way that too closely resemble another address; 2. multiple voting accounts that come from the same IP address; and 3. troubling patterns in voting that emerge during the reviews by a third-party company employed to chart All-Star Game balloting trends.

[Bob] Bowman [MLB President of Business and Media] said that process alone leads to about 20 percent of the votes that are cast online being eliminated every year. With that in mind, all the votes MLB has reported so far have been sanitized.
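The first two safeguards described above, plus the 35-vote limit per email address, can be sketched as review logic over ballot records. This is an added example, not MLB's code or anything from the quoted articles; the record layout, the set of address tweaks that `canonical` collapses, and the per-IP threshold are assumptions.

```python
from collections import defaultdict

VOTE_CAP = 35  # per-address limit mentioned in the post


def canonical(email):
    """Collapse address tweaks (assumed set: case, +tags, dots in the local part)."""
    local, _, domain = email.strip().lower().rpartition("@")
    local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def review_ballots(ballots, max_accounts_per_ip=2):
    """Return {email: sorted reasons} for ballots that should be reviewed."""
    by_canon, by_ip, votes = defaultdict(set), defaultdict(set), defaultdict(int)
    for email, ip, count in ballots:
        by_canon[canonical(email)].add(email)
        by_ip[ip].add(email)
        votes[email] += count

    flagged = defaultdict(set)
    for group in by_canon.values():  # safeguard 1: look-alike addresses
        if len(group) > 1:
            for email in group:
                flagged[email].add("lookalike-address")
    for group in by_ip.values():  # safeguard 2: many accounts behind one IP
        if len(group) > max_accounts_per_ip:
            for email in group:
                flagged[email].add("shared-ip")
    for email, total in votes.items():  # cap enforced on the server side
        if total > VOTE_CAP:
            flagged[email].add("over-cap")
    return {email: sorted(reasons) for email, reasons in flagged.items()}


# Constructed sample records: (email, source IP, votes submitted).
SAMPLE = [
    ("fan@example.com", "203.0.113.5", 35),
    ("f.an@example.com", "203.0.113.5", 35),
    ("fan+1@example.com", "203.0.113.5", 35),
    ("alice@example.com", "198.51.100.7", 20),
    ("alice@example.com", "198.51.100.7", 20),
    ("bob@example.org", "198.51.100.9", 35),
]

if __name__ == "__main__":
    for email, reasons in sorted(review_ballots(SAMPLE).items()):
        print(email, reasons)
```

Flags like these mark ballots for review rather than automatic removal, since one IP address can also cover a household or an office. None of these checks shows that the voter controls the address on the ballot.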

And then there’s this from Jeff Passan of Yahoo Sports:

More than 300 million votes have been accepted, according to the league, and the record of 390 million should fall sometime this week. Almost certainly a half-billion votes will be cast by the time balloting ends at 11:59 p.m. ET on July 2. And that doesn’t include the massive amounts of votes Bob Bowman, the CEO of MLB Advanced Media, said the league disallowed because of concerns over fake or improper voting.

“I’m not saying we bat 1.000,” Bowman said. “But it’s between 60 and 65 million votes that have been canceled. We don’t really trumpet it because if someone thinks they’re getting away with it, they’ll try to again.”

Thirty-five of those votes belonged to the email address of Yahoo Sports blogger Mike Osegueda, who received a verification email for ballots he didn’t cast. Alerted to his tweet about it, the league said the votes were taken away. Presumably, MLBAM tries the same with similar such ballots – Bowman said the 20 percent rate of killing ballots is consistent with previous seasons – keenly aware that in addition to civic pride, Kansas City packs a nice wallop of humor.

2:54 p.m. ET: In terms of importance, the All-Star vote isn’t exactly Fort Knox or the CIA mainframe or the president’s nuclear launch codes. Indeed, in the grand scheme of things it’s somewhat less important than the Astros’ Ground Control system and somewhat more important than the survey Pizza Hut wants you to do after filling out an online order.

But boy oh boy, you’d think they’d have at least some sort of security on the thing. Nope. They don’t. From HookSlide at SB Nation’s Bless You Boys blog, who explains how he hacked the All-Star voting page to give him far, far more than the 35 votes Major League Baseball allows each email address:

To be fair, “hacked” really isn’t the right word. That word implies some kind of username/password cracking, which in turn implies some kind of secure system, and quite frankly, the All-Star voting page set up by MLB is anything but secure. With a basic knowledge of HTML, a bit of JavaScript, and a few minutes to play around, I was able to exploit MLB’s All-Star voting system quite easily.

The key to exploiting the system was realizing that—are you ready for this?—there is zero verification surrounding the most important piece of information supplied in the voting process: your email address. The voting page asks you to supply an email address, along with some other information such as a birthdate, a zip code, and a favorite team, but unlike most systems that at least try to implement some form of security, MLB does not require you to validate your email address. There’s no confirmation email sent with a “click here to verify” or “use this five-digit verification code” message, some way of ensuring that the email address you supplied in the voting process is actually yours.

As he notes, it’s highly doubtful Major League Baseball gives a flying frick about this because they’re getting what they want out of the system: lots of pageviews and user engagement on their voting page, which has a corporate sponsor. Lots of people talking about the All-Star Game. Lots of votes — in sheer numbers — which allows them to talk about how excited everyone is about the Midsummer Classic. The All-Star Game, from its sponsored votes to its sponsored events to its sponsored musical acts, is just a big circus to the league anymore, so there’s no sense in worrying about the voting process being a circus too.

Sure, there will be a ballgame in the middle of all of this and it’ll decide home field advantage in the World Series, but that Esurance doesn’t sell itself.