Login

TheHockeyist · 06-20-2020, 04:46 PM

E.g. 3on3, Primetime, etc.

If I wanted to be nefarious, I could wait for a user to post, and then go to the Google Form and submit a second response from my IP address overriding their original response (same username, etc.), making sure to post the same verification word.

I am not sure if there are checks in place against this type of attack (timestamps?), but the way things stand now, this is a very insecure way to go about things. Such an attack may not be discovered and a user may be incorrectly rewarded/punished.

How are these things actually checked to see if they are legitimate? I see this as being too easy to break. All you need is a verification word and you can use that against the user.

We need a better system.

***luke*** · 06-20-2020, 04:50 PM

the google forms are closed before the sim starts by hotdog im pretty sure. And if it is edited, it will show in the google sheets that it has been edited with your response

TheHockeyist · 06-20-2020, 04:53 PM

06-20-2020, 04:50 PMluketd Wrote: the google forms are closed before the sim starts by hotdog im pretty sure. And if it is edited, it will show in the google sheets that it has been edited with your response

Hmm. So if someone tried to be nefarious through this, I don't think it would work. If you didn't know how to edit your response and submitted a second one, would the second one be discarded to protect against that type of attack?

***luke*** · 06-20-2020, 04:54 PM

06-20-2020, 04:53 PMTheHockeyist Wrote:
06-20-2020, 04:50 PMluketd Wrote: the google forms are closed before the sim starts by hotdog im pretty sure. And if it is edited, it will show in the google sheets that it has been edited with your response
Hmm. So if someone tried to be nefarious through this, I don't think it would work. If you didn't know how to edit your response and submitted a second one, would the second one be discarded to protect against that type of attack?

in order to submit a second response you have to use a new google account, but we can easily matchup verficiation words to see if you actually submitted it

TheHockeyist · 06-20-2020, 04:57 PM

06-20-2020, 04:54 PMluketd Wrote:
06-20-2020, 04:53 PMTheHockeyist Wrote: Hmm. So if someone tried to be nefarious through this, I don't think it would work. If you didn't know how to edit your response and submitted a second one, would the second one be discarded to protect against that type of attack?

in order to submit a second response you have to use a new google account, but we can easily matchup verficiation words to see if you actually submitted it

Okay, so I'd just create something like ten thousand Google accounts and then wreck the entire SHL by imitating every verification word posted, one per account.

That would be bad. If I tried that for one user, could that even be discovered? I'm trying to see if there is a weakness that could be exploited against this method.

***luke*** · 06-20-2020, 05:00 PM

06-20-2020, 04:57 PMTheHockeyist Wrote:
06-20-2020, 04:54 PMluketd Wrote: in order to submit a second response you have to use a new google account, but we can easily matchup verficiation words to see if you actually submitted it
Okay, so I'd just create something like ten thousand Google accounts and then wreck the entire SHL by imitating every verification word posted, one per account.

That would be bad. If I tried that for one user, could that even be discovered? I'm trying to see if there is a weakness that could be exploited against this method.

so from our end, it would get discovered. Because of the verification word. Like unless you have control of that persons SHL account(which is illegal), lining up the Forms with the verification word would be hard, and it would just be easier just to submit the form itself because it takes 2 seconds to do so. So unless you tell the person to post a verification word right when they submit the form for them, then yeah it would probably go undetectable. but thats a lot more work than actually filling out the form.

TheHockeyist · 06-20-2020, 05:04 PM

06-20-2020, 05:00 PMluketd Wrote:
06-20-2020, 04:57 PMTheHockeyist Wrote: Okay, so I'd just create something like ten thousand Google accounts and then wreck the entire SHL by imitating every verification word posted, one per account.

That would be bad. If I tried that for one user, could that even be discovered? I'm trying to see if there is a weakness that could be exploited against this method.

so from our end, it would get discovered. Because of the verification word. Like unless you have control of that persons SHL account(which is illegal), lining up the Forms with the verification word would be hard, and it would just be easier just to submit the form itself because it takes 2 seconds to do so. So unless you tell the person to post a verification word right when they submit the form for them, then yeah it would probably go undetectable. but thats a lot more work than actually filling out the form.

So let's say X posts Verification_Word on the thread.

Not too long after that (within the next two minutes or so), I use a fake Google account, fill out the form, write in their username and write Verification_Word as the verification word.

How would that work out? Could that be discovered? This is the type of thing I think could be exploited.

***hotdog*** · 06-20-2020, 05:05 PM

many things here, with an overarching "why?" to all of it as well lol

1 - if you submitted another response with someone else's username, it wouldn't overwrite theirs unless you had their google login info, it'd just show up as a second entry with that person's username. even if you create the ten thousand accounts and do it for all of them. people have in the past submitted two responses (legitimately) - in those cases I reach out to the person that did it to let them know they submitted twice, and only their first response gets counted. even if someone took the time and effort to do this (why?) it wouldn't work.

2 - the 3on3 and primetime tasks are designed to be pretty even matchups, so even if someone did this (again, why?), the chances of changing it from a wrong answer to a right one are just as good as changing it from a right answer to a wrong one.

3 - if someone is caught trying these nefarious things HO would move pretty swiftly with the discipline, and I don't think the punishment for identity theft would be light.

bonus - next season, 3on3 and primetime are moving back off of google forms to an even easier system, though the longer tasks (predictions) will still use google forms.

***Wally*** · 06-20-2020, 05:17 PM

What did I just read. Only if the amount of time spent in this would be spent creating a modal that allows us to do this without leaving the site... thus using our logins and eliminating this thread altogether. Reading big words sucks on a Saturday.

***Wally*** · 06-20-2020, 05:19 PM

06-20-2020, 05:04 PMTheHockeyist Wrote:
06-20-2020, 05:00 PMluketd Wrote: so from our end, it would get discovered. Because of the verification word. Like unless you have control of that persons SHL account(which is illegal), lining up the Forms with the verification word would be hard, and it would just be easier just to submit the form itself because it takes 2 seconds to do so. So unless you tell the person to post a verification word right when they submit the form for them, then yeah it would probably go undetectable. but thats a lot more work than actually filling out the form.

So let's say X posts Verification_Word on the thread.

Not too long after that (within the next two minutes or so), I use a fake Google account, fill out the form, write in their username and write Verification_Word as the verification word.

How would that work out? Could that be discovered? This is the type of thing I think could be exploited.

IKEA should hire you to write instructional booklets.

***Wally*** · 06-20-2020, 05:33 PM

All I’m trying to say @TheHockeyist is that all we need is a simple modal that captures answers per our site login, stores it and then spits out results based on the game out comes. Trying to find a secure measure of an insecure form is counter-intuitive. So if you are trying to say do something different, I agree. If you are brainstorming fixes, well I can tell you about ten ways to prove more than just google forms could be exploited.

TheHockeyist · 06-20-2020, 05:37 PM

06-20-2020, 05:33 PMWally Wrote: All I’m trying to say @TheHockeyist is that all we need is a simple modal that captures answers per our site login, stores it and then spits out results based on the game out comes. Trying to find a secure measure of an insecure form is counter-intuitive. So if you are trying to say do something different, I agree. If you are brainstorming fixes, well I can tell you about ten ways to prove more than just google forms could be exploited.

Definitely. If we have programmers on the site, they should be getting ideas right about now.

***Wally*** · 06-20-2020, 05:42 PM

06-20-2020, 05:37 PMTheHockeyist Wrote:
06-20-2020, 05:33 PMWally Wrote: All I’m trying to say @TheHockeyist is that all we need is a simple modal that captures answers per our site login, stores it and then spits out results based on the game out comes. Trying to find a secure measure of an insecure form is counter-intuitive. So if you are trying to say do something different, I agree. If you are brainstorming fixes, well I can tell you about ten ways to prove more than just google forms could be exploited.

Definitely. If we have programmers on the site, they should be getting ideas right about now.

I mean most of us also program for a living as well. And like myself, well I have two jobs, two kids, a dog, a broke down truck and an ex-wife.

All true minus the dog and truck Smile

What I’m trying to say is that it takes time and planning with multiple databases involved.

PremierBromanov · 06-20-2020, 06:19 PM

I think the reason we don't use the site is that is tedious to collect answers via the forum.

As far as security goes, you're talking about robbing a gas station for 1 dollar. I guess you can do it, but the gain isn't worth it, and you'd be discovered easily.

As far as creating hundreds or thousands of accounts, then you're running the risk of breaking Google rules and identifying yourself that way. It might make like hard for the graders, but nothing that can't be easily solved. And again, to what end?

st4rface · 06-20-2020, 06:55 PM

They can probably see IP addresses aswell. At least they should, I think.

Navigation

Extra Menu

About us