Manufacturing the Hottest Empty Lot on Redfin

This is an empty lot that’s being sold on Redfin for $36,000.


Redfin is one of the most popular realty sites - it’s been around since 2004, has 2,000+ employees, and is publicly traded. It is amongst a very short list of sites that dominate real estate. Amongst the many affordances the platform provides to buyers and sellers, this online marketplace displays the number of visitors to a given listing, the number of times the listing has been favorited by users, and the number of times it has been X’ed out by users (indicating a negative favorite of sorts).

Additionally, certain properties can be labeled as a “Hot Home,” which in Redfin’s system indicates that it “is expected to be among the most competitive homes on the market, according to the proprietary Redfin Hot Homes algorithm”. Hot Homes are displayed prominently as such in search results on the platform, and while most Hot Homes are indicated as such the moment they are listed as active, “[a] home that is not designated a Hot Home on the day it hits the market may be designated a Hot Home by the algorithm if it gets a significant number of Redfin views, tours, or other indications of buyer interest while on the market.”

IPM sought to test the vulnerability of this affordance by attempting to send massive amounts of traffic to the listing. While we did not establish our single case as a Hot Home, we were able to send 115,000 visits to the property, confirm that the property page reflected those 115,000 visits, generate a favorite on the page with an anonymous account, and confirm that, at least in principle, if post-listing traffic can force a non-Hot Home to become hot, IPM would be able to direct enough traffic at any listing to do so.


Initially, IPM assumed that Redfin would use sophisticated anti-bot systems in order to mitigate false traffic. As such we deployed our most sophisticated probe in the vulnerability engine, leveraging a network of residential proxy IPs to reach the site through Selenium instances configured to mask the fact that they are automated browsers. In such a setup, a single visit to the empty lot cost $0.045 per hit. We additionally tested a cheaper set of proxy IPs located in numerous data centers, which reduced the per-hit cost to $0.015 - this also seemed to work. Ultimately, however, the vast majority of our visits were conducted with programmatic HTTP requests outside of any browser, which simply changed their User-Agent header randomly to popular, common User-Agent strings. This form of circumvention is one of the simplest tools available to bad actors, and is easily defended against by requiring a JavaScript rendering of the page before features of interest (such as the view counter) are reached. Ultimately, this lowered the cost of attack to $0.00067 per hit.
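As an added illustration (not Redfin's code and not IPM's probe) of the server-side defence the paragraph alludes to, the following Python sketches how a listing site could credit a view only when the page's JavaScript reports back, deduplicate per client, cap per-client hits, and flag a listing whose raw hits dwarf its credited views. The log schema, thresholds and sample traffic are all constructed assumptions.

```python
# Added example (not Redfin's code): defensive view-count accounting for one listing.
# Assumed log schema: ip, ua (User-Agent), beacon (True only when the page's JavaScript
# ran and reported back, which UA-rotating raw HTTP clients never do), ts (datetime).
from collections import Counter
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(hours=24)  # one credited view per client per listing per day
MAX_HITS_PER_CLIENT = 20            # no genuine shopper reloads a listing 115,000 times

def credited_views(hits):
    """Return (credited_count, rejection_reasons) for one listing's raw hits."""
    per_client = Counter((h["ip"], h["ua"]) for h in hits)
    last_credit, credited, reasons = {}, 0, Counter()
    for h in sorted(hits, key=lambda h: h["ts"]):
        client = (h["ip"], h["ua"])
        if not h["beacon"]:                      # plain HTTP request, no JS rendering
            reasons["no_js_beacon"] += 1
        elif per_client[client] > MAX_HITS_PER_CLIENT:   # headless browser hammering
            reasons["client_over_cap"] += 1
        elif client in last_credit and h["ts"] - last_credit[client] < DEDUP_WINDOW:
            reasons["duplicate_in_window"] += 1  # genuine reload, counted once
        else:
            last_credit[client] = h["ts"]
            credited += 1
    return credited, reasons

def is_suspicious(hits, ratio=10, min_hits=100):
    """Flag a listing whose raw hits dwarf its credited views: the inflation signature."""
    credited, _ = credited_views(hits)
    return len(hits) >= min_hits and len(hits) > ratio * max(credited, 1)

# Constructed sample: three genuine shoppers, one UA-rotating HTTP flood, one headless flood.
T0 = datetime(2021, 1, 1, 9, 0)
UAS = ["Mozilla/5.0 Chrome/87", "Mozilla/5.0 Safari/14", "Mozilla/5.0 Firefox/84"]
SAMPLE_HITS = [
    {"ip": "203.0.113.5", "ua": UAS[0], "beacon": True, "ts": T0},
    {"ip": "203.0.113.5", "ua": UAS[0], "beacon": True, "ts": T0 + timedelta(minutes=5)},
    {"ip": "198.51.100.7", "ua": UAS[1], "beacon": True, "ts": T0 + timedelta(hours=1)},
    {"ip": "192.0.2.9", "ua": UAS[2], "beacon": True, "ts": T0 + timedelta(hours=2)},
] + [  # raw requests that only rotate the User-Agent header: the JS beacon never fires
    {"ip": "192.0.2.200", "ua": UAS[i % 3], "beacon": False, "ts": T0 + timedelta(seconds=i)}
    for i in range(300)
] + [  # a Selenium-style browser does fire the beacon, but 50 hits from one client trips the cap
    {"ip": "192.0.2.201", "ua": UAS[0], "beacon": True, "ts": T0 + timedelta(seconds=i)}
    for i in range(50)
]

if __name__ == "__main__":
    print(credited_views(SAMPLE_HITS), is_suspicious(SAMPLE_HITS))
```

Running it credits 3 of 354 hits and flags the listing; in production the (ip, ua) key would be replaced by a signed session identifier, since both fields are attacker-controlled.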

By using the vulnerability engine, we were able to systematically walk through many common methods of attack available to bad actors, and work through the minimum viable version over the course of a single cup of coffee. Once we determined this to be our final cost, we deployed the test for a total cost to IPM of approximately $80.

Additionally, IPM found evidence of several easily exploitable patterns present on Redfin. Notably, there is no required account confirmation step when signing up - all that is required to create a “valid” account with which one can view and favorite any given property (and have those favorites publicly viewable to all other users) is a quick series of clicking and typing, as shown below. Thus, even for modest operations, it is quite easy to scale up mass viewing and favoriting of any arbitrary property on Redfin, which at best will signal lots of activity to other users, but at worst may flip non-Hot Homes into Hot Homes. At a cost of tens of dollars, almost any tangible benefit, whether a higher sale price or a faster closing time, would likely make the large-scale deployment of such bad behavior more than pay for itself.

[animation: the Redfin account sign-up flow described above]