How to Eat Dinner with Barack Obama
When I was a kid, my favorite TV show was The Simpsons [1]. During the commercial breaks I often saw ads for contests associated with some product, e.g. “Mail in the box top from your bran flakes to be entered in our $10,000 sweepstakes!” While the ads avoided running afoul of any illegal lottery rules by including a “no purchase necessary” clause in the fine print at the end, the hope was that you would buy more of their product to be entered in the sweepstakes.
The Obama campaign did something similar during the 2012 election. They ran several “Dinner with Barack” sweepstakes, where entrants could win a personal dinner with President Obama. For every donation you made to the campaign, you were automatically entered into the sweepstakes. At the bottom of the donation page was the familiar “no purchase necessary” fine print, along with a link to enter the competition without donating. I entered myself a few times (who wouldn’t want a chance to speak directly to the President?), tediously reentering the information and submitting the form each time. As I did so I thought, “Why don’t I write a program to do this for me?”
Once I had the idea, I immediately noticed that there was no CAPTCHA or any other method of preventing a bot from submitting the form. This meant I could write a 20-line Python script to fill out all of the form fields and use a POST request to submit it [2]. The Obama campaign would obviously be suspicious if the same person or IP address submitted 20 million forms in one second, but the script could be throttled to submit less often, perhaps once every ten seconds. Since these sweepstakes were usually announced about two weeks before the deadline, I could generate:
1 submission per 10 seconds = 6 submissions per minute = 360 submissions per hour = 8,640 submissions per day = 120,960 submissions in two weeks.
There were several of these competitions, so it’s possible that among them all I could have entered a million times (and perhaps even more, depending on how much script throttling is necessary to avoid detection). And if I could get several computers with different IP addresses submitting entries at the same time, my total entries could be on the order of tens of millions [3].
Would this have worked? Although it would have been a lot of fun to try this out, I never implemented the script because of ethical concerns [4], and I kept it to myself so others wouldn’t try to use it as well. When I read through the official rules and all the fine print, I found no prohibition against using an automated system. Given that the campaign staff had far more pressing concerns, they may have overlooked this simple exploit. But that is still surprising considering the Obama campaign’s reputation for technical prowess. Perhaps I should tell the President about this over dinner.
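The weakness described above is the absence of any server-side check on submission rate or on near-duplicate entries, and footnote 3 notes that rotating name spellings and e-mail addresses is what would defeat a naive per-name check. The script below is an added example, not code from the original post or from the campaign, showing how a sweepstakes operator could review an entry log from the defender's side: it normalises name variants such as “Gautam R Narula” and “G. Narula” to one key, canonicalises e-mail aliases (the `+tag` and dotted-local-part rules are an assumption about how some large providers treat addresses), and flags any IP, name key or e-mail that exceeds a sliding-window rate. The sample entries, IP addresses and threshold are constructed for illustration.

```python
"""Flag automated sweepstakes entries by rate per source and by near-duplicate identity."""
import re
from collections import defaultdict, deque

# Constructed sample entries (hypothetical data, one tuple per form submission):
# (unix timestamp, source IP, name field, e-mail field)
SAMPLE_ENTRIES = [
    (1000, "203.0.113.5", "Gautam Narula", "gautam@example.com"),
    (1010, "203.0.113.5", "Gautam R Narula", "gautam+sweeps@example.com"),
    (1020, "203.0.113.5", "G. Narula", "g.a.u.t.a.m@example.com"),
    (1030, "203.0.113.5", "Gautam Narula", "gautam@example.com"),
    (1040, "203.0.113.5", "Gautam Narula", "gautam@example.com"),
    (1050, "203.0.113.5", "Gautam Narula", "gautam@example.com"),
    (1000, "198.51.100.7", "Jane Doe", "jane@example.org"),
    (5000, "198.51.100.7", "Jane Doe", "jane@example.org"),
]


def normalize_name(name):
    """Collapse 'Gautam Narula', 'Gautam R Narula' and 'G. Narula' to one key:
    first initial plus last token, lower-cased, punctuation removed."""
    tokens = re.sub(r"[^a-z ]", "", name.lower()).split()
    if not tokens:
        return ""
    if len(tokens) == 1:
        return tokens[0]
    return tokens[0][0] + " " + tokens[-1]


def canonical_email(email):
    """Lower-case the address, drop a '+tag' suffix and dots in the local part.
    Assumption: the mail provider treats those forms as aliases of one mailbox."""
    local, _, domain = email.lower().partition("@")
    local = local.split("+", 1)[0].replace(".", "")
    return local + "@" + domain


def flag_entries(entries, max_per_window=3, window_seconds=60):
    """Return the set of (kind, key) pairs whose submission count inside any
    sliding window of `window_seconds` exceeds `max_per_window`.

    Each entry is counted under three keys (its IP, its normalised name and its
    canonical e-mail) so that rotating spellings or aliases does not reset the
    count for the underlying person."""
    windows = defaultdict(deque)
    flagged = set()
    for ts, ip, name, email in sorted(entries):
        keys = (
            ("ip", ip),
            ("name", normalize_name(name)),
            ("email", canonical_email(email)),
        )
        for key in keys:
            q = windows[key]
            q.append(ts)
            # Evict timestamps that have fallen out of the window.
            while q and q[0] <= ts - window_seconds:
                q.popleft()
            if len(q) > max_per_window:
                flagged.add(key)
    return flagged


if __name__ == "__main__":
    for kind, key in sorted(flag_entries(SAMPLE_ENTRIES)):
        print(f"suspicious {kind}: {key}")
```

Run against the constructed log, the single bot-like source is flagged three times over (by IP, by name key and by canonical e-mail), while the two legitimate entries spaced 4,000 seconds apart are not. A real review would also check mailing-address normalisation and would tune the window to the expected human entry rate, which is far below one entry every ten seconds.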
[1] The Simpsons isn’t designed with kids in mind, but the show’s clever wit and gentle satire really resonated with me. As a longtime fan it saddens me to see the show steadily go downhill. The best season was undoubtedly season five, which came out in 1993 (the year I was born!).
[2] Writing the script would have taken no more than an hour.
[3] To further avoid detection, each instance of the script could enter slightly different information, like “Gautam Narula”, “Gautam R Narula”, “G. Narula”, and multiple (valid) email and mailing addresses.
[4] It probably wasn’t illegal, but this exploit definitely exists in the gray area which hackers (in the programming sense of the word, not the steal-your-identity Hollywood usage of the word) spend much of their time in. I felt it was against the spirit of the competition to use a bot to enter myself hundreds of thousands of times in the competition. Then again, maybe that’s why I never ate dinner with President Obama.