Why I am willing to forfeit my apps from the Asia’s Top 50 Apps Award [UPDATED]
A few days ago, Singtel and e27 announced the 2011 edition of Asia’s Top 50 Apps Award. As an independent developer in the region, I decided to submit my two main apps, Muslim Pro and Frenzapp. While trying to include a small “vote” button on my various websites in order to maximize the visibility of my apps, I came across a security hole in the voting system. I could easily have kept it to myself and exploited it to promote my two apps to the top of the leaderboard by the end of the contest. That was of course not an option, and I quickly, via an email to e27 as well as a public tweet, disclosed the hack and warned the community that the vote was at risk of being biased if the organisers did not address the issue quickly. Here is the rest of the story and why I offered to forfeit my apps…
[UPDATE] Read the comments: I actually did confirm my request to boycott the contest by removing my app.
Apart from a few other developers and users who confirmed the hack and retweeted my post, I did not receive any reply of any sort from the organisers, who, by the way, decided not to fix the issue. They instead posted a long message on their blog today addressing the issue. You can read the full story here, but here is the excerpt that was just too much for me to read:
Yes, like one of the nominees said, you can take the URL of your app’s voting button and use curl or wget to call it however many times you want to up your vote. Go ahead, do it. We probably won’t find out. Keep it up, kudos to you. You’ll probably end up on the top of the list and be awarded the People’s Choice Award. We’ll hand you your trophy and you can hug it to sleep every night.
And here is my reaction to them, which I also posted as a comment on their blog:
As I recognize myself (@erwanmace on Twitter) in your…
Yes, like one of the nominees said, you can take the URL of your app’s voting button and use curl or wget to call it however many times you want to up your vote. Go ahead, do it
… I thought I’d react here to the two issues your post is addressing:
1. Yes, it is all about the community, and Singapore needs to build not only a strong community but a solid ecosystem if we want to start seeing successful services and applications emerge out of our little island. Regarding Found, it is clearly a pity that most comments on the Found post were direct criticism of the founders rather than constructive comments to help them improve an app in which they’ve invested tremendous time, sweat and effort over the past 2-3 years.
2. Regarding the Top 50 apps competition and the security hole that I disclosed this morning: I have been very disappointed by the lack of reaction and replies on Twitter despite my many warnings. I am even more surprised by your post and your “Go ahead, do it”, which I can only hope is not addressed to me. If I had wanted to exploit that security hole, the last thing I would have done was to disclose it. I would also have added tens or hundreds of votes to my apps rather than the 2 required to show you the trick. But you failed to realize that it is also in the interest of the community that, if a voting system is implemented, the community of developers and users can feel confident that the vote and the People’s Choice Award will be an accurate representation of their vote, a true representation of the app that actual users believe is most useful to the various communities in Asia.
There is no shame in facing and recognising a security issue; the least you could have done was:
- show some gratitude and thank the honesty of the person (me in this case) who revealed it and who would have helped you fix it (freely, for the sake of the community)
- cancel the vote and the people choice award, or reset the counters after fixing the bug.
Since none of the above has been observed, and whether or not some developers have already abused that trick, the trust in your award has been broken. Unless you decide to address the situation properly, I would kindly request you to withdraw my two apps (Frenzapp and Muslim Pro) from your contest.
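As an added illustration, not code from the original post or from the contest organisers, the sketch below models the defect the post describes: a vote URL that simply increments a counter on every request, so replaying it with curl or wget adds a vote each time. Beside it sits one way to close the hole: record one vote per (voter, app) pair so replays are rejected, and cap the number of requests any single source can make in a time window. The app names, voter identifiers, window sizes and the injected clock are constructed for the example; in a real deployment `voter_id` must come from an authenticated session the client cannot forge, not from a cookie or query parameter it controls.

```python
from collections import Counter, defaultdict, deque


class NaiveVoteCounter:
    """Models the flawed endpoint: every request is a vote, no identity, no limit."""

    def __init__(self):
        self.votes = Counter()

    def vote(self, app_id: str, voter_id: str, source_ip: str, now: float) -> bool:
        self.votes[app_id] += 1   # replaying the URL N times adds N votes
        return True


class FixedWindowRateLimiter:
    """Allows at most `limit` requests per `source` within any `window` seconds.

    Uses a per-source deque of request timestamps; the clock is passed in so
    the behaviour is deterministic and testable.
    """

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)

    def allow(self, source: str, now: float) -> bool:
        q = self.history[source]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class DedupVoteCounter:
    """Hardened endpoint: one vote per (voter, app), plus a per-source request cap."""

    def __init__(self, limit: int = 5, window: float = 60.0):
        self.votes = Counter()
        self.seen = set()                       # (voter_id, app_id) pairs already counted
        self.limiter = FixedWindowRateLimiter(limit, window)

    def vote(self, app_id: str, voter_id: str, source_ip: str, now: float) -> bool:
        # Cheap check first: throttle bursts from a single source before touching state.
        if not self.limiter.allow(source_ip, now):
            return False
        key = (voter_id, app_id)
        if key in self.seen:                    # replay of an already-counted vote
            return False
        self.seen.add(key)
        self.votes[app_id] += 1
        return True


def replay(counter, app_id: str, voter_id: str, source_ip: str, times: int):
    """Send `times` identical vote requests; return (accepted, total votes for app)."""
    accepted = 0
    for i in range(times):
        if counter.vote(app_id, voter_id, source_ip, now=float(i)):
            accepted += 1
    return accepted, counter.votes[app_id]


if __name__ == "__main__":
    # Constructed scenario: one client replays the same vote URL ten times.
    naive = NaiveVoteCounter()
    print("naive   :", replay(naive, "app-a", "user-1", "203.0.113.7", 10))
    hardened = DedupVoteCounter()
    print("hardened:", replay(hardened, "app-a", "user-1", "203.0.113.7", 10))
```

Deduplication on voter identity removes the incentive to replay; the rate limiter is a second, weaker layer that only slows an attacker rotating identities, which is why the identity must be bound to an authenticated account rather than anything the client supplies. Resetting the counters after deploying such a fix is what restores trust in a tally that may already have been stuffed.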