Cyber security fail lets bots hijack EU referendum petition

Written as editor of the New Statesman’s NS Tech and first published here.

The petition to force parliament to debate a second EU referendum, which has smashed previous records for number of signatures, has been hijacked by bots.

Although David Cameron has officially ruled out a second vote, millions have apparently flocked to sign the petition, which claims that if the “vote is less than 60 per cent based a turnout less than 75 per cent there should be another referendum”.

Although a quick inspection of the backend reveals some pretty far-flung signatories, you are able to sign the petition from anywhere in the world, as long as you are a British citizen.

All you need is an email address and a postcode, and no further checks are made to confirm you are who you say you are.

The platform doesn’t even offer an ‘are you human?’ captcha tool, the most basic method to fox online bots.

The House of Commons petitions committee has now confirmed it has removed 77,000 signatures and is “investigating”.

But posters to the 4chan message board are excitedly claiming responsibility for many, if not all, of the signatures.

This adds yet more silliness to what was already a ridiculous petition.

For an added loony layer, it was revealed over the weekend that the campaign was actually started by someone who wanted the UK to leave.

On the security flaws in the petitioning platform, Javvad Malik, security advocate at AlienVault, said:

“Bots come in various guises and can cause damage to a website or the integrity of its data via content theft, click fraud, traffic fraud, comment (or in this case petition) spam, server slowdowns and more.

“Any public-facing website, particularly sites such as online petitions which trigger actions when a certain number of signatures have been collected should have protection in place in order to safeguard the integrity and availability of its information with anti-bot and anti-DDoS measures amongst others.

“In order to protect against all bots, companies should deploy various detection techniques and be continually kept up to date to detect bot activity as soon as possible. Having a good source of threat intelligence can help identify and block bot-traffic early.”

Who said a referendum couldn’t be fun? Thank goodness for the internet!
