I have a voting app built on PHP that takes Facebook logins (uses PHP SDK). You need to connect with your Facebook account to vote. We decided to use Facebook logins to prevent vote frauds.
After logging in with the Facebook account, this is what happens:
- The login page has the hidden variables- userId, accessToken, name, email, gender, location, hometown, and link to the user profile - all of which are returned from the Facebook login.
- The user chooses an option in the poll and then the app records his choice along with his identification details (listed in the first point).
Now, here lies the problem. I can simulate an HTTP request with fake identification details and the app still thinks it's a legitimate request and so, records the vote. So, someone can set up a script to generate random identification details, send them over HTTP requests ultimately leading to a lot of fraud votes.
Maybe, after the poll closes, we can test with the profile URLs to see whether the profiles exist or not but again, two issues here:
- The intruder may use a list of valid user profile urls to create the fraud votes. If he does, we have no idea to find whether the vote was fraud or not.
- Isn't it a better idea to prevent fraud votes than sort out later?
So, is there a way to allow only legitimate logins through the app? Something like a test before recording the vote.
I guess, a CAPTCHA can help but that will interfere with a quick vote experience we want our users to have.
Thank You!
