I was clapping my friend Adrian’s blog post earlier today when I found out Medium limits you to 50 claps. My friend deserved far more praise than that, at least 51 claps.
Behind me were Adrian and Blake. Adrian asked: what if we modified the HTTP request? Brilliant! Right there and then, we knew we were onto something.
We analyzed the HTTP requests being sent when we clapped. It looked like Medium was sending changes to the number of claps rather than absolute values.
The first step was simply trying to send our own request. With the three of us giggling away, I fired up Postman and copied the request body in. “xsrf token missing”: we had completely forgotten about all the request headers. It’d be too much effort to copy them from Safari to Postman manually.
At this point, Blake and Adrian started working through edge cases. What would happen if we sent more than 50 claps or negative numbers? Could we cause a value to overflow if we sent a really big number? How about alphabetical characters? Medium’s defenses seemed impenetrable.
Then we tried non-integers. At first, it seemed like nothing was happening and we nearly gave up. But as we kept throwing every number we could possibly think of at their API, something strange happened. After sending 0.2 and refreshing the page, my clap counter actually showed 10.2. It worked!
We hadn’t noticed it, but somewhere along the way, Adrian’s blog post went from 136 claps to 102. I had somehow given him negative claps. I began frantically trying to re-create the steps I had done. After a solid 20 minutes of trying every possible combination of numbers, we cracked the secret (which is a secret).
With the secret in our hands, I whipped out a simple script to repeat these steps over and over. We didn’t want to raise any alarms over at Medium so we added delays between subsequent loops.
Here’s to the next 12 hours of infinite claps before Medium shuts this party down!
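The bug the post describes is a classic one for "delta" style counters: the server enforced the range and the sign of the increment but never checked that it was an integer, so a fractional value slipped through and produced a 10.2 clap count. The example below is added here to show the defender's side of that gap; it is not Medium's code, and the request field name `clapDelta`, the in-memory store, and the seeded counts are constructed for illustration (the 50-clap limit is the one the post mentions). It contrasts a naive validator that coerces with `Number()` and only range-checks against a strict one that requires a JSON integer, checks the per-user total as well as the delta, and records rejections so that a burst of malformed requests from one account is visible to monitoring.

```javascript
// Added example, not Medium's code: validating increments on a delta-based counter API.
// Assumed request shape: { "clapDelta": <value> }. Per-user cap of 50 comes from the post.

const MAX_CLAPS_PER_USER = 50;

// Naive validator: coerces with Number() and checks only the range.
// Number("0.2") and 0.2 both pass, so fractional values reach the counter.
function naiveValidate(raw) {
  const delta = Number(raw);
  if (Number.isNaN(delta)) return { ok: false, reason: "not a number" };
  if (delta < 0 || delta > MAX_CLAPS_PER_USER) return { ok: false, reason: "out of range" };
  return { ok: true, delta };
}

// Strict validator: the value must be a JSON number (not a string), an integer,
// within the per-request range, and must not push the user's total past the cap.
function strictValidate(raw, currentUserClaps) {
  if (typeof raw !== "number" || !Number.isInteger(raw)) {
    return { ok: false, reason: "delta must be an integer" };
  }
  if (raw < 1 || raw > MAX_CLAPS_PER_USER) return { ok: false, reason: "delta out of range" };
  if (currentUserClaps + raw > MAX_CLAPS_PER_USER) return { ok: false, reason: "per-user cap exceeded" };
  return { ok: true, delta: raw };
}

// Apply one clap request against an in-memory store using the chosen validator.
// Rejections are logged per user so an anomalous burst can be alerted on.
function applyClap(store, postId, userId, rawDelta, validate) {
  const post = store.posts[postId] ?? (store.posts[postId] = { total: 0, byUser: {} });
  const current = post.byUser[userId] ?? 0;
  const result = validate(rawDelta, current);
  if (!result.ok) {
    store.rejections.push({ postId, userId, rawDelta, reason: result.reason });
    return { accepted: false, reason: result.reason, total: post.total };
  }
  post.byUser[userId] = current + result.delta;
  post.total += result.delta;
  return { accepted: true, total: post.total };
}

function newStore() {
  return { posts: {}, rejections: [] };
}

// Constructed scenario: a user claps 10 times, then sends a fractional delta of 0.2.
function demo() {
  const naiveStore = newStore();
  applyClap(naiveStore, "post-1", "alice", 10, naiveValidate);
  const naiveAfterFraction = applyClap(naiveStore, "post-1", "alice", 0.2, naiveValidate);

  const strictStore = newStore();
  applyClap(strictStore, "post-1", "alice", 10, strictValidate);
  const strictAfterFraction = applyClap(strictStore, "post-1", "alice", 0.2, strictValidate);
  const strictAfterString = applyClap(strictStore, "post-1", "alice", "5", strictValidate);
  const strictOverCap = applyClap(strictStore, "post-1", "alice", 41, strictValidate); // 10 + 41 > 50
  const strictAtCap = applyClap(strictStore, "post-1", "alice", 40, strictValidate);   // 10 + 40 == 50

  return {
    naiveTotal: naiveAfterFraction.total,             // 10.2: the fractional delta was accepted
    strictFractionAccepted: strictAfterFraction.accepted, // false
    strictStringAccepted: strictAfterString.accepted,     // false
    strictOverCapReason: strictOverCap.reason,            // "per-user cap exceeded"
    strictTotal: strictAtCap.total,                       // 50
    strictRejections: strictStore.rejections.length,      // 3
  };
}

console.log(demo());
```

The `typeof raw !== "number"` check matters as much as `Number.isInteger`: a JSON body carrying `"5"` as a string is rejected outright instead of being silently coerced, and the rejection log gives an operator something concrete to rate-limit or alert on.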