
I was clapping my friend Adrian’s blog post earlier today when I found out Medium limits you to 50 claps. My friend deserved far more praise than that, at least 51 claps.

Behind me were Adrian and Blake. Adrian asked, “What if we modify the HTTP request?” Brilliant! Right there and then, we knew we were onto something.

We analyzed the HTTP requests being sent when we clapped. It looked like Medium was sending changes to the number of claps rather than absolute values.

Please don’t steal my userId

The first step was simply trying to send our own request. With the three of us giggling away, I fired up Postman and copied the request body in. “xsrf token missing”: we had completely forgotten about all the request headers. It would have been too much effort to copy them from Safari to Postman manually.

Real engineers use Chrome, which has this handy little feature that generates a JavaScript fetch call (which sends an HTTP request) based off a past HTTP request. After clapping once, we generated our fetch function and executed that. It worked!

At this point, Blake and Adrian started working through edge cases. What would happen if we sent more than 50 claps or negative numbers? Could we cause a value to overflow if we sent a really big number? How about alphabetical characters? Medium’s defenses seemed impenetrable.

Then we tried non-integers. At first, it seemed like nothing was happening and we nearly gave up. But as we kept throwing every number we could possibly think of at their API, something strange happened. After sending 0.2 and refreshing the page, my clap counter actually showed 10.2. It worked!

We hadn’t noticed it, but somewhere along the way, Adrian’s blog post went from 136 claps to 102. I had somehow given him negative claps. I began frantically trying to re-create the steps I had done. After a solid 20 minutes of trying every possible combination of numbers, we cracked the secret (which is a secret).
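The failure mode described above (a delta-based clap endpoint that accepted non-integer and negative values) is the kind of thing a server-side validator should reject before touching the counter. The following is an added example written for this post; it is not Medium’s code and not the authors’ script. It assumes a hypothetical JSON request body of the form `{"claps": N}`, a hypothetical in-memory per-user tally, and the 50-clap cap the post mentions. The sample request bodies at the bottom are constructed for the demo.

```python
import json

# Per-user cap the post mentions; a hypothetical constant for this example.
MAX_CLAPS_PER_USER = 50


class ClapRejected(ValueError):
    """Raised when a clap request fails validation."""


def parse_clap_delta(raw_body: str) -> int:
    """Parse a JSON body of the form {"claps": N} and return a validated delta.

    Rejects malformed JSON, missing fields, non-integers (floats such as 0.2,
    strings, booleans), zero, negatives, and anything above the per-user cap.
    """
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ClapRejected(f"malformed JSON: {exc}") from None

    if not isinstance(body, dict) or "claps" not in body:
        raise ClapRejected("missing 'claps' field")

    delta = body["claps"]
    # bool is a subclass of int in Python, so it must be excluded explicitly;
    # json.loads also turns 1e2 into a float, which this check rejects.
    if isinstance(delta, bool) or not isinstance(delta, int):
        raise ClapRejected(f"claps must be an integer, got {type(delta).__name__}")
    if delta <= 0:
        raise ClapRejected("claps must be positive")
    if delta > MAX_CLAPS_PER_USER:
        raise ClapRejected(f"claps exceeds per-request cap of {MAX_CLAPS_PER_USER}")
    return delta


def apply_claps(tally: dict, user_id: str, raw_body: str) -> int:
    """Validate a request and apply it to a per-user tally, clamping at the cap.

    Clamping the stored per-user total (rather than trusting a running delta)
    means repeated requests can never push one user past MAX_CLAPS_PER_USER,
    and the aggregate shown on the page stays an integer.
    """
    delta = parse_clap_delta(raw_body)
    current = tally.get(user_id, 0)
    new_total = min(current + delta, MAX_CLAPS_PER_USER)
    tally[user_id] = new_total
    return new_total


def is_rejected(raw_body: str) -> bool:
    """True if the validator refuses the request body (convenience for checks)."""
    try:
        parse_clap_delta(raw_body)
    except ClapRejected:
        return True
    return False


# Constructed sample bodies covering the inputs the post describes.
SAMPLE_BODIES = {
    "normal": '{"claps": 10}',
    "float": '{"claps": 0.2}',
    "negative": '{"claps": -34}',
    "over_cap": '{"claps": 51}',
    "alpha": '{"claps": "abc"}',
    "bool": '{"claps": true}',
    "exponent": '{"claps": 1e2}',
    "missing": '{}',
    "garbage": 'not json',
}


def run_demo() -> dict:
    """Run every sample body through the validator; returns name -> accepted?"""
    return {name: not is_rejected(body) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:>9}: {'accepted' if accepted else 'rejected'}")
    tally = {}
    for _ in range(7):
        apply_claps(tally, "user-a", SAMPLE_BODIES["normal"])
    print("user-a total after 7 x 10 claps:", tally["user-a"])
```

The key design choice is that the server owns the arithmetic: the client may only send a positive integer delta, and the stored per-user total is clamped, so neither a float nor a negative number can ever reach the counter.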

With the secret in our hands, I whipped out a simple script to repeat these steps over and over. We didn’t want to raise any alarms over at Medium so we added delays between subsequent loops.

Here’s to the next 12 hours of infinite claps before Medium shuts this party down!

A realistic depiction of Blake, Adrian, and me