A simple way to get accurate votes for CU Athletic’s award show
In 2024, as a president of the Student Athletic Advisory Committee (SAAC), I was in charge of organizing many aspects of the CU Sports Person of the Year Awards (CUSPYS). One of those aspects was voting for Moment of the Year. Moment of the Year is unique in that, unlike the other awards, the winner is decided by popular vote at the CUSPYS event itself rather than ahead of time. I decided I would take up creating the voting system for Moment of the Year using HTML/CSS and JavaScript with a Node.js backend.
Previous Voter Fraud
Previously, there were issues where athletes would vote multiple times for the winner. At other times, the voting system was set up in a way that made it difficult for athletes to vote due to a login.
My solution: Security through feigning obliviousness
While designing the system, I needed a way to ensure that athletes could not vote twice while at the same time keeping it easy to vote. I did not want to make a login, as it would have taken up too much time for athletes to log in and they may not know their credentials. Instead, I tracked voting records by using browser cookies on the user’s device. When a user voted, a cookie would be saved on their device recording that they had already voted. This would make it so that the server would know if a user submitting the form had already voted.
However, the cookie technique has a problem. A user can simply open up a private browser tab or clear their cookies to vote again. So I came up with an idea: What if I gave no indication that I was keeping track of who voted? To do this, I intentionally made it so that the submission success page gave no indication as to whether a person was voting for the first time or the 15th time. From the perspective of an individual wishing to vote multiple times, it would look like voting multiple times would be as simple as resubmitting the form over and over again, despite only their first vote being recorded on the server. In a sense, I was feigning not being aware of a potential security design flaw to encourage attackers to attack in a way that I did indeed secure as opposed to using other methods.
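The cookie check and the identical success response described above, sketched as an added example (not the code that ran at the event). `handleVote`, the `voted` cookie name and the sample choices are assumptions, and requests are passed as plain objects so the block runs without a server.

```javascript
// Hypothetical names throughout; the ballot and requests are constructed samples.
const VOTED_COOKIE = 'voted';
const CANDIDATES = new Set(['moment-a', 'moment-b']);

// Parse a raw Cookie request header into a name -> value map.
function parseCookies(header) {
  const cookies = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    cookies.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return cookies;
}

// Count a vote only when the browser carries no marker cookie, but build the
// success response identically whether or not the vote was counted.
function handleVote(req, tally) {
  if (!CANDIDATES.has(req.choice)) {
    return { status: 400, headers: {}, body: 'Unknown choice' };
  }
  const alreadyVoted = parseCookies(req.cookieHeader).get(VOTED_COOKIE) === '1';
  if (!alreadyVoted) {
    tally.set(req.choice, (tally.get(req.choice) || 0) + 1);
  }
  // Same status, headers and body on both paths. Sending Set-Cookie only on
  // the first vote would itself show which submissions were counted.
  return {
    status: 200,
    headers: {
      'Set-Cookie': `${VOTED_COOKIE}=1; Max-Age=86400; Path=/; HttpOnly; SameSite=Lax`,
    },
    body: 'Thanks for voting!',
  };
}

// The same browser submitting three times in a row.
function demo() {
  const tally = new Map();
  const first = handleVote({ cookieHeader: '', choice: 'moment-a' }, tally);
  const cookie = first.headers['Set-Cookie'].split(';')[0]; // "voted=1"
  const second = handleVote({ cookieHeader: cookie, choice: 'moment-a' }, tally);
  const third = handleVote({ cookieHeader: `theme=dark; ${cookie}`, choice: 'moment-b' }, tally);
  return { tally, responses: [first, second, third] };
}
```

Only the first submission changes the tally, and all three responses compare equal.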
Wrap up
In the end, the method I picked to secure the voting system worked seemingly flawlessly. We were able to see the winner of the Moment of the Year being the Ski Team winning the National Championships!