[OFFICIAL CHEATERS MEGATHREAD] : Let's Bust this Button Wide Open

I am disappointed by the lack of cheating going on here. Let's take a look at the API.

The Timer

The timer updates every second from a WebSocket at http://wss.redditmedia.com/thebutton. Example request:

GET /thebutton?h=ed063e9a771d65aed6b0f4318703e4b82f88d180&e=1428139324 HTTP/1.1
Host: wss.redditmedia.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Sec-WebSocket-Version: 13
Origin: http://www.reddit.com
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: rGANrUPLELtk1R9nedA8Ow==
Cookie: __cfduid=[REDACTED]
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

The values of h and e are found in some JavaScript on this page: http://www.reddit.com/r/thebutton.

  • e: Increases by a small number with every request. It probably tracks the total number of requests.
  • h: 160 bits so it is probably an SHA1 hash.

Every second the server sends a JSON message that looks like this:

{"type": "ticking", "payload": {"participants_text": "542,525", "tick_mac": "0e28befde24a35bc8bac66c1f173694ac029d2c3", "seconds_left": 56.0, "now_str": "2015-04-03-09-42-03"}}

  • type: There must be states other than "ticking".
  • participants_text: Number of people that have pressed the button.
  • seconds_left: Time left on the clock.
  • now_str: The current time.
  • tick_mac: 160 bits, probably an HMAC-SHA1 to prevent cheaters from sending fake clicks.

The Press

Button presses are sent as a POST request to http://reddit.com/api/press_button. Example request:

POST /api/press_button HTTP/1.1
Host: www.reddit.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.reddit.com/r/thebutton
Content-Length: 189
Cookie: __cfduid=[REDACTED]; loid=[REDACTED]; loidcreated=[REDACTED]; _ga=[REDACTED]; __utma=[REDACTED]; __utmb=[REDACTED]; __utmc=[REDACTED]; __utmz=[REDACTED]; _recentclicks2=[REDACTED]; reddit_session=[REDACTED]; __utmli=thebutton
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

seconds=56&prev_seconds=56&tick_time=2015-04-03-10-00-26&tick_mac=a07ca9a2909f4e0f513297589ec4bd345fee1e0f&r=thebutton&uh=[REDACTED]&renderstyle=html

  • seconds: The time at which you pressed the button. Same as seconds_left from timer JSON.
  • prev_seconds: ? Seems to always be the same as seconds.
  • tick_time: Same as now_str from timer JSON.
  • tick_mac: Same as tick_mac from timer JSON.

Experiments

  • Change the seconds field without changing any other fields. I attempted this on this account. I changed the seconds from 55 to 1, and my time was recorded as 59 and I have the cheater flair.
  • Send the seconds, prev_seconds, tick_time, and tick_mac from a tick that happened a while ago (at least an hour). This will not work if tick_time is used to limit the window that ticks can be claimed.
  • Send the same seconds, prev_seconds, tick_time, and tick_mac from two accounts simultaneously. This will tell us if multiple people can claim the same time. My guess is that this will work. If this experiment and the previous experiment work, the clock only needs to reach 1 second once and everyone can claim that time.
  • Guess the tick_mac algorithm. If the HMAC key is based on a low-entropy passphrase and the hash is not salted, this function can be brute-forced. This attack is unlikely to succeed.
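
A server-side view of the checks the experiments above are probing, as an added example that is not part of the original post and not reddit's code. The key, the MAC input layout (`seconds|tick_time`), the 5-second freshness window and the rejection labels are assumptions; only the field names and the timestamp format come from the post.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Assumptions (not from the original post): key, MAC input layout, window.
SERVER_KEY = b"constructed-demo-key"
MAX_TICK_AGE = timedelta(seconds=5)
TIME_FMT = "%Y-%m-%d-%H-%M-%S"  # same shape as now_str / tick_time


def tick_mac(seconds: int, tick_time: str) -> str:
    """HMAC-SHA1 binding the displayed seconds to the tick timestamp."""
    msg = f"{seconds}|{tick_time}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha1).hexdigest()


def validate_press(form: dict, account: str, now: datetime, pressed: set) -> str:
    """Return 'ok' or the reason the press is rejected."""
    try:
        seconds = int(form["seconds"])
        tick_dt = datetime.strptime(form["tick_time"], TIME_FMT)
        mac = form["tick_mac"]
    except (KeyError, ValueError):
        return "malformed"
    expected = tick_mac(seconds, form["tick_time"])
    # Constant-time compare; a changed `seconds` no longer matches the MAC.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return "bad_mac"
    # Freshness: a valid MAC from an old (or future) tick is not accepted.
    if not timedelta(0) <= now - tick_dt <= MAX_TICK_AGE:
        return "stale_tick"
    # One press per account, tracked by the server rather than the client.
    if account in pressed:
        return "already_pressed"
    pressed.add(account)
    return "ok"


# Constructed sample data shaped like the press form in the post.
TICK = "2015-04-03-10-00-26"
GOOD = {"seconds": "56", "prev_seconds": "56", "tick_time": TICK,
        "tick_mac": tick_mac(56, TICK)}
NOW = datetime.strptime(TICK, TIME_FMT) + timedelta(seconds=1)

if __name__ == "__main__":
    seen = set()
    print(validate_press(GOOD, "alice", NOW, seen))
    print(validate_press({**GOOD, "seconds": "1"}, "bob", NOW, seen))
    print(validate_press(GOOD, "carol", NOW + timedelta(hours=1), seen))
```

Because the MAC covers both `seconds` and `tick_time`, the freshness check cannot be bypassed by editing the timestamp alone; the window has to be wide enough to absorb normal client latency.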