Trillion Clicks

[DoPo]

I would like to point out, though, that what clicking the button seems to do is just issue a GET request, so it's possible that one can bring down the time drastically by just manually issuing the requests (as opposed to using JavaScript in the browser). I can't be bothered to check, however.

setInterval(function() {$.get(location+"insert", 100)});

Works just as well, so yes you could most certainly fire off requests however you like, although theoretically they could have a check that you're coming from the right place, not bothering with that.

It works, but you'll notice not all of them are registered. As I mentioned, actually.

 

[Jadak]

It works, but you'll notice not all of them are registered. As I mentioned, actually.

Nope, not even close. The change in interval time in my example was just for the hell of it, not trying to argue that I could make it go faster The limit you mentioned of about 4 per second seems to be about what I'm getting as well.

 

[DoPo]

It works, but you'll notice not all of them are registered. As I mentioned, actually.

Nope, not even close. The change in interval time in my example was just for the hell of it, not trying to argue that I could make it go faster The limit you mentioned of about 4 per second seems to be about what I'm getting as well.

Well, if you're interested, I did some more testing last night and this morning. It appears that the site actually just counts any requests to that /insert page. Therefore, the discrepancy of the counter being updated about 4 times a second at most seems to be just the limit of how fast it can process a request from JS. I did try to just use a static tool to issue a request to the page - I did wget and...it actually incremented the counter, too. I was surprised. I mean, it was really easy to fake the clicks to begin with but I assumed the page at least looked at the cookies (more on this in a moment) or something but...nope. Apparently not. As a test I even did a simple script that called the page several times

Spoiler: Seriously - that was it

#!/bin/bash

for i in {1..10}
do
        wget  -bq -O /dev/null http://www.trillionclicks.com/insert
done

an explanation just in case - calls the wget 10 times, and the flags it sets are
-q - don't have any output - I don't care about it (it normally it shows performance information like how long it took to download something).
-b - work in the background - so essentially, the script launches 10 simultaneous requests not the first then wait until gets resolved, then the seconds, wait, etc
-O /dev/null - since wget actually downloads the page, I had it discard the downloaded file.

and voila - counter got updated. As a side note - I know it got updated, since this morning nobody was clicking the thing at one point - the counter wasn't being updated by the heartbeat. So I tried wget and then immediately got an update - tried several at once and got the same thing.

As for the cookies...well, I noticed that with the request you have when you click the button it sends three cookies - one is just Google Analytics stuff, another is some...weird hashed value that I have no clue what it does (as it seems it isn't checked for validity or anything) and it also sends your current click counter value. What you get back is the total count of clicks in the response body and a cookie with your updated number of clicks (so if your click counter was 10, you get 11 back). For fun, I captured the request sent and changed the click count I sent to add about 10 000 more. I got back my new faked value plus one. When I refreshed, the counter shown on the website was changed to the fictitious value.

So, in second conclusion - I have no clue what that site is about. It seems terribly easy to spoof on many levels, I even found the JavaScript for it (I assumed it would be, like, minified or something, maybe have everything in a single file, at least, or some obfuscation, but nope) and it doesn't look terribly professional.

Spoiler: Here is an example

$("#butt").click(function() {
		/* var textBox = document.getElementById("DisplayCounter");
		//textBox=textBox.replace(/\ /g,"");
		
		var CurrentValue= parseInt(textBox.value, 10) +1;
		
		//var Result=Formating(CurrentValue);
		$("#DisplayCounter").css("color","#333333");
		textBox.value=CurrentValue; 
		
		//textBox.value++;
		
		*/
		

		
		clock.increment();

		// Or you could decrease the clock
		// clock.decrement();

		// Or set it to a specific value
		//clock.setValue();
	
});

I've removed part of the code to just concentrate on this - there is a big block of code that is just commented out. Presumably it's because it is replaced with a single line - that clock.increment(); (as a side note, for anybody curious, what this does is increment the local click counter that is left of the button). So not only did they switch to using another library without cleaning up, but also the code it's replaced with, along with the following two commented lines (with the comments) seem to be copy/pasted from the tutorial of the clock library. Fuck it - I just checked and what do you know - this is actually what happened [https://github.com/objectivehtml/FlipClock/blob/master/examples/simple-counter.html].

Again, I'm just puzzled.