Royals fans hacked the All-Star vote. Fan passion? No, it’s a few Royals fans cheating a broken system.

This is the national story that’s developing now. It started weeks ago as "Why don’t these Royals fans vote correctly?" and has become "This is obviously wrong, so it must be hacking and cheating."

What’s the evidence? Well, none... but a lack of evidence can be overcome these days. Instead of putting in the time to investigate an issue, just point at someone who makes the claim you think is correct, and leave it to others to work out the truth.

Case-in-point: Yesterday morning as I was leaving for work, the Royals were on Good Morning America. And here’s the story they showed:

This is a blog post published on Bless You Boys, and as the author states in the title: The MLB All-Star voting page can be hacked!

Here’s the thing: This hack never happened. This title is false. I have a lot of experience in web development and programming, and when I read the article I knew the author hadn’t done what he claimed. I took the time to investigate it further, and what I found actually made me more confident that the KC voting turnout is real and valid.

What I’d like to offer here is a technical view of the MLB All-Star voting. I do this not because it matters from the national perspective, because that ship has sailed. BYB wins there, congrats on your national story that’s wrong. But if you’re a KC fan, and you’re a little queasy about KC’s voting, maybe this will make you feel better.

(Note: I am NOT affiliated with MLB in any way, I’m only looking at the voting from the outside.)

The Claim

The BYB author claims that a vote can be cast by requesting an image in the right way. The author also claims to have embedded an image into the blog post that submits an All-Star vote. This is the "hack" or "exploit."

The first statement is technically true, but the context that’s been dropped is the fact that the only way to make that image request work is to pass through MLB’s security... which he hasn’t done.

The second statement is entirely false. I didn’t see the vote image in the page’s source code, but even if he had embedded this image, it wouldn’t have worked.

Let’s look into why.

The Vote

When you submit your MLB All-Star vote, it feels like this:





But it’s actually this:

It's a record in a database.

The MLB website doesn’t just get your All-Star selections... they get a lot of information about you, too. Information including:

1) Your computer’s IP address (which identifies you on the web)

2) The "cookies" that they set in your browser (another way to identify you on a website)

3) Your captcha code answer (to stop bots who can’t read)

4) The vote count (1-35)

5) Personal info like zip, email, birth date, etc.



Your vote is submitted via an image request. Your browser requests an image, and all of your information is piggy-backed on that request. Their server takes your information and stores it in the database, and your browser gets an image back.

The Validation

The confusing part of submitting votes this way is that there’s no immediate validation. You submit your vote, MLB takes your vote and responds with a tiny 1x1 image.

Valid voters get a 1x1 image. Bots get a 1x1 image. The BYB "hacker" putting this voting image on his blog post gets a 1x1 image. You can submit whatever you want to the MLB voting site, and you’ll always get a 1x1 image back.

Common sense might lead one to say, "Well, shouldn’t an error come back if the vote is invalid?" But from the web development side... absolutely not!

MLB is getting hammered with millions of votes. If each of those votes was held up while MLB’s computers searched a database of millions of votes, running all sorts of validation algorithms on all that data - the servers would be overworked. That’s a lot of work to do when you have millions of fans lining up to submit their votes.

What makes more sense to me, as a developer, is to just accept everything and validate the votes later, offline. Fans get a nice experience, and MLB can be very thorough in their validation later.

Again, I’m not affiliated with MLB in any way. It just appears to be this way from the outside, and I know that this is how I would build such an app.

The Scrub

Let’s move forward with BYB’s claim about the embedded image. Let’s pretend their hacker puts an image in the blog post, and votes are cast every time someone reads that blog post.

And because the post was seen on Good Morning America, they get one million new visitors, and one million votes are cast for Miggy at 1st base.

But it won't work. Though each of the one million votes had a unique IP, they had the same email address (the one the blog author used).

Let’s write up some pseudo-code and delete these incorrect votes, ok?

Let’s pretend that the BYB hacker wises up and swaps out the email address for the SB Nation email address of the user visiting the page.

Oh, that didn’t work either. Same captcha code.

Let’s say that the BYB hacker tries the next trick: Submit a different captcha code.

Oh, but that didn’t work either. The captcha validation failed.

The Captcha

It might be worth explaining the captcha a bit. Why are you asked to type out that weirdly-shaped sequence of numbers on each vote?

When MLB sends you a captcha code, they do so with a (presumably) unique identifier for that image. This image is checked in your browser, and if you can’t pass it the vote is not submitted.

Here’s the funny thing about browsers: They’re not run on MLB’s servers. Anyone could bypass the captcha browser check and submit the information anyway.

But this is not a problem. The captcha information is submitted with the vote, and (again, presumably) MLB checks for the captcha validity on their servers.

If someone were to try to hack or bot the All-Star voting, the captcha is their biggest problem to solve. They’ll have to request that captcha code from MLB, somehow read it, and then submit it with the request.

For argument’s sake, let’s pretend that a Detroit super-fan solved captcha and started blasting votes. But uh oh, remember the scrub?

It still didn’t work. The votes had to be submitted from somewhere, and it's easy to pick out the most active IP addresses.

The Email Checks

The BYB post also gets into email validation, and this is an area where they start to have a point.

MLB does not require a voter to verify that they control the email address. Sounds fishy? Not to me. If MLB required us to create an account to vote, most wouldn’t vote. If MLB required voters to click a link in an email for votes to be counted, most votes wouldn’t be counted. It’s how emails tend to go... most of those emails MLB sends will not be opened.

MLB is in a tough spot. They can require email verification, but the end result will be thousands of fans thinking that they've voted -- but their votes were never counted. Today, their votes will count, but the lack of email verification makes it easier for bad votes to get in.

This means that I could, say, use my wife’s email address to vote immediately after I vote with my email address. And both will be counted.

This might seem bad, but is it statistically significant? I doubt it. As soon as it becomes statistically significant, it will start to become a pattern that’s more apparent, which can then be scrubbed. That’s the thing you have to keep in mind about cheating and voting: As soon as you start to "stick out" from the norm, you run the risk of getting caught. (And you won’t know you’re caught and your votes are going to the trash.)

And speaking of scrubbing and emails... let’s say that you vote with a fake email. You know that "thank you" email you get from MLB later?

Scrubbed. It's very possible to know which email addresses fail.

Oh, and all of you that are using the gmail "+" email trick to vote repeatedly with a valid email?

Scrubbed.

Or, that is... scrubbed if MLB notices it and scrubs it. For the third time, I have no affiliation with MLB, I’m just viewing this as an outsider and stating what I would do.
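The scrub rules described in the sections above (failed captcha, reused captcha, bounced email, "+" aliases, one address voting past its limit, most active IPs), written out as an added Python example. It is not the author's pseudo-code and not MLB's process; the field names, the IP threshold and the sample ballots are assumptions constructed for illustration.

```python
from collections import Counter

def canonical_email(addr):
    """Fold the '+' trick: user+tag@host -> user@host (applied to every host here)."""
    local, _, host = addr.lower().partition("@")
    return local.split("+", 1)[0] + "@" + host

def scrub(votes, issued, bounced, max_per_email=35, max_per_ip=100):
    """Offline pass over stored ballots; returns {vote id: reason} for rejects.
    issued: captcha id -> expected answer; bounced: addresses whose mail failed.
    max_per_email follows the page's 1-35 vote count; max_per_ip is assumed."""
    per_ip = Counter(v["ip"] for v in votes)
    per_email, used_captchas, rejected = Counter(), set(), {}
    for v in votes:
        email = canonical_email(v["email"])
        if issued.get(v["captcha"]) != v["answer"]:
            reason = "captcha failed"      # checked server-side, not in the browser
        elif v["captcha"] in used_captchas:
            reason = "captcha reused"      # same code replayed on another ballot
        elif email in bounced:
            reason = "email bounced"       # the "thank you" email never arrived
        elif per_ip[v["ip"]] > max_per_ip:
            reason = "ip too active"
        elif per_email[email] >= max_per_email:
            reason = "email over limit"
        else:
            reason = None
            per_email[email] += 1          # only accepted ballots count
        used_captchas.add(v["captcha"])
        if reason:
            rejected[v["id"]] = reason
    return rejected

# Constructed sample ballots (not real data); limits are lowered to fit the sample.
ISSUED = {"c1": "4821", "c2": "7730", "c3": "1954", "c4": "6602", "c5": "3317", "c6": "9048"}
VOTES = [
    {"id": 1, "ip": "198.51.100.7", "email": "fan@example.com", "captcha": "c1", "answer": "4821"},
    {"id": 2, "ip": "198.51.100.8", "email": "fan@example.com", "captcha": "c1", "answer": "4821"},
    {"id": 3, "ip": "198.51.100.8", "email": "fan@example.com", "captcha": "c2", "answer": "0000"},
    {"id": 4, "ip": "198.51.100.9", "email": "Fan+kc@example.com", "captcha": "c3", "answer": "1954"},
    {"id": 5, "ip": "198.51.100.10", "email": "nobody@example.net", "captcha": "c4", "answer": "6602"},
    {"id": 6, "ip": "198.51.100.8", "email": "other@example.com", "captcha": "c5", "answer": "3317"},
    {"id": 7, "ip": "198.51.100.11", "email": "wife@example.com", "captcha": "c6", "answer": "9048"},
]

def demo():
    return scrub(VOTES, ISSUED, {"nobody@example.net"}, max_per_email=1, max_per_ip=2)
```

Ballots 1 and 7 survive, which matches the point made about the wife's email address: a valid address with a fresh captcha and an unremarkable IP does not stand out.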

The Irony

The BYB post calls this voting a farce, and heavily implies that MLB wants this controversy to get people talking and watching.

I find this ironic, as isn’t that what the BYB blog post is doing?

The title states "I hacked the MLB All-Star voting page in under 20 minutes." That title is what was shown on television. That title is what people click on to read.

Yet it’s that title that the author quickly backtracks from, stating that it’s not really a "hack" but an "exploit." But how was it exploited? No answer. Or if it is being exploited, to what degree? No answer, no facts. They’re just throwing out a bunch of accusations that most readers won’t be able to discern.

The Point

MLB has every bit of data they need to prevent problems with the voting.

Nobody has any evidence of hacking or invalid votes making it through to the final reported numbers.

Voting with valid emails you don’t own is possible, but nobody knows the impact that is having. But if some people are abusing that, they’ll start to look suspicious for any number of other reasons.

Any security failures would be equally exploitable by any fan of any team. Or should the national story be how KC fans are the best hackers in the country?

The simplest, most reasonable explanation for the KC votes is that KC fans have voted the most.