Monthly Archives: September 2011
I am so evil… Whoahahahahaha…
Earlier today I sent out the following tweet:
So I fired up this old blog of mine to tell you why I just had to laugh:
Last night I was playing with the latest version of the popular Windows Phone 7 benchmarking app WP Bench, made by Robert Varga. Some time ago Robert added the ability to upload your benchmark results to his server and compare them with others.
However, WP Bench does not only publish the benchmarking results. It also publishes information about the phone models and the Windows Phone OS versions that are used. And these two lists have become an important source for people to scout for new Windows Phone models and OS versions. In fact, every new device/OS version that is listed in those stats is sure to get some headlines at popular news sites like WMPowerUser.com.
That’s when my evil plan starting taking shape. What if I could alter some of the data that WP Bench uploaded to its server and pretend I was using some new, unknown (and fake) Windows Phone model? Surely WP Bench had built in some mechanism that would prevent this, wouldn’t they? But I just had to try. Maybe it was possible to generate some buzz amongst the Windows Phone community and even get featured on some news sites…
First thing to do was to actually inspect what data and in what format is being sent back to the server. So I quickly hooked my Windows Phone to Fiddler, the popular HTTP debugging proxy. I started WP Bench on my phone and ran a simple speed test. I then uploaded the results to the WP Bench server.
The Fiddler Web Sessions list showed that benchmark results are uploaded to the server by using a single HTTP GET request that has all relevant result data specified as query string parameters, like this (I’ve removed my phone’s unique device ID from the URL):
What was even more interesting was that there didn’t seem to be any verification mechanism in place, to make sure this data wasn’t tampered with. No verification hashes or any of that kind. So this meant I could easily tamper with such a request and pass my own, fake, data.
I activated Fiddler’s Automatic Breakpoints feature, so it would intercept each request and allow me to edit it, before it was passed on to the WP Bench server. I again ran the WP Bench speed test and uploaded the results. This triggered the Fiddler breakpoint and I made the following changes to the request:
- I slightly changed the deviceID parameter, so the results wouldn’t be related to results I had previously uploaded using the same device.
- I changed the deviceName parameter from ‘7 Trophy T8686’ to ‘7 Mini T86861’.
The fun part of this was that I came up with the name ‘Mini’, because just days ago HTC had announced a new and very large Windows Phone device, called the ‘Titan’. I really didn’t know that HTC had actually once shipped a device called the ‘HD Mini’, which ran Windows Mobile 6.5. So I guess by accident this ‘Mini’ name added more credibility to my fake model name.
- I changed the OS version from ‘7.10.7712’ to ‘7.11.1131’, hoping that a previously unseen change from 7.10 to 7.11 would generate some buzz. Also, the 1131 part refers to the birthday of someone very close to me 🙂
I didn’t change any of the performance scores, but of course could have easily done so. After that I allowed Fiddler to send the altered request to WP Bench’s server and went to bed.
So today I visited WMPowerUser.com and sure enough there it was: a nice new article titled ‘HTC 7 Mini running OS 7.11.1131 shows up in WP Bench’. It talked about the fact that WP Bench stats showed this mysterious new model, the HTC 7 Mini, complete with a totally new OS version in the 7.11.xxxx range. There was talk about the fact that this could be the first evidence of Windows Phone Apollo running on a handset. It was also mentioned by many other news sites and of course there was some buzz on Twitter.
So that’s how easy it was to create some fake Windows Phone news. Just to be clear: as far as I know the HTC 7 Mini does NOT exist. Also there is no Windows Phone OS version 7.11.1131 (yet…). It was all made up by me. Whoahahahahaha…
Lastly, as a suggestion to WP Bench’s creator Robert Varga, I would advice him to add some sort of protection scheme, so that uploaded WP Bench results cannot easily be tampered with. I also wouldn’t list a new device/model in the WP Bench stats, unless it has been seen more than once, preferably with result uploads coming from a variety of IP addresses. Remember it took only one little request to get my fake phone to show up in the WP Bench stats.
Update: It appears Surur from WMPowerUser.com wasn’t happy about this and has banned me from posting comments to WMPowerUser. This is a JOKE, guys! Why so serious… !?
Update 2: WMPowerUser.com today has posted an article about another new phone. This one is probably legit, but notice the screenshot that accompanies the article. There is a device called ‘NA NA’ in the list. I know for sure that device was already present before I conducted my little experiment. So I have a strong feeling I wasn’t the first to submit fake data to WP Bench…