I wasn't trying to change the world, I just didn't want to spend 30 minutes per signup
The Setup
I was a campus partner for Perplexity, which means every signup is $15 in my pocket. As a student, this sounds great: all I have to do is pitch students on a free AI tool that will help them study.
The Problem
Well, it sounds great until you realize you have to earn their trust, explain why it’s a good deal, show them how to use it, and hopefully convince them to let you sign them up.
- You need their student email, and most students don’t really understand how referrals work, so they’re hesitant to share it.
- Then you have to download the Comet browser by Perplexity, and let’s be honest, that looks a little sketchy to most people.
If everything goes perfectly, you’ve just spent about 30 minutes signing up one person.
It’s not difficult work, but it’s slow work and that’s what made me want to find a better way.
The Real Motivation
I wanted students to have free access to the latest and best AI tools out there.
If you actually believed that, stop reading.
I just wanted more money in my pocket and less time wasted. So I asked myself: what really happens behind the scenes, and how do referrals work?
Reverse Engineering the Process
First thing I did was peek at the network activity to see how the signup flow behaved. I booted up Burp Suite, grabbed an ice cold Coke, and started taking notes.
Here is the high-level checklist you need to cover for the referral to register:
- Click referral link
- Sign in with student email
- Download Comet
- Prompt Comet once
Step 1: Referral Link Observation
I started by trying to understand what the referral link was actually doing. Nothing complicated. I clicked the link with Burp Suite running and scrolled through all the HTTPS requests it captured.
What I was looking for was basically the “referral fingerprint.” Something that only appears when you come in through a partner link.
After checking a bunch of requests, one thing stood out: the dub-id.
When I opened the request up, I noticed something interesting. The dub-id and the click-id were the exact same value. Different labels, same number. That immediately told me this was important.
This is clearly the ID that connects the user to the partner who referred them.
So I saved it and kept tracking where it showed up next.
That was all I needed for Step 1.
Find the ID that marks the beginning of the referral flow and hold onto it.
Step 2: Sign in w/Student Email
Next I wanted to understand what actually happens when you sign in with a student email. The first thing that showed up in Burp Suite was a CSRF token the moment the sign-in page loaded. Since it appeared before anything else, I wrote it down as something the backend clearly expects.
After that, the OTP flow kicked in. This is the part that verifies the email and marks the user as authenticated. Watching the network requests before and after the OTP made it pretty obvious what changed and what the system used to confirm the login.
Then I tried sending the sign-in request through my script:

    emailSigninRequest = session.post(
        "https://www.perplexity.ai/xxx/xxx/xxx/xxx",
        data={
            "email": userMail,
            "callbackUrl": "https://www.perplexity.ai/xxxxxxxxxx",
            "redirect": "false",
            "useNumericOtp": "true",
            "csrfToken": session.cookies.get("next-auth.csrf-token").split("%7C", 1)[0],
            "json": "true",
        }
    )

Once the email and OTP were confirmed, the session switched into a logged-in state. At that point I basically had everything I needed from the authentication part in order to continue understanding the referral flow.
Now we have successfully logged in with a student email and have all the information we need to simulate the referral attributes.
Step 3: Download Comet
Now I needed to understand what happens when you download Comet. After signing in and completing the OTP step, the system redirects you to a link that triggers the Comet installer. That redirect is basically the signal the backend uses to register that the user downloaded the browser.
So in my script, I just followed that redirect. Even without actually installing anything, hitting that link counted as the download event on the backend.
Step 4: Prompt Comet
This part was honestly the most annoying. Comet is a full desktop app, not a website, so I couldn’t just open DevTools and see what was going on. I had to proxy my whole system through Burp Suite just to catch its traffic.
Once I did that, I finally saw what Comet sends when you open it and when you ask it something. That was the missing piece. The system expects the user to actually do one prompt after downloading, so I needed a way to trigger that same kind of activity.
The logic I used was pretty straightforward. Comet always shows a bunch of suggested questions when it loads, so I took that idea and just picked one suggestion at random. I also made a bunch of simple question patterns like “what is {query}” or “explain {query}” or “tell me about {query}.” Then I let the script grab a suggestion, grab a pattern, combine them, and send it.
Nothing smart, nothing magical. It just ends up looking like a new user asking the AI something completely normal. That one prompt is what satisfies the last part of the referral flow.
That was it. Download done, prompt done, referral counted. Whole thing took around ten seconds.
It Wasn't Enough for Me
After using the script for a day or two, I realized I really hated carrying my laptop everywhere. It felt slow, heavy, and honestly just annoying to pull out every time someone said “yeah sure, sign me up.”
So I did the next obvious thing.
I installed Termux on my Samsung S24, set up a PRoot Ubuntu 22.04 environment with everything I needed, and moved the whole workflow to my phone. That was it. Now I could walk around campus with just my phone and run everything on the spot.
By the end of the week, I had over 100 signups just from doing it this way.
The Downfall
Everything was going great. I was signing people up all day because it was fast and easy and I didn’t really have to think about it anymore. But then I had a thought I probably shouldn’t have had.
What if I could sign up non-educational emails?
So of course I tried it. And it worked. I was honestly surprised. I expected the system to block it right away, but it didn’t. I tried again with a Gmail address. Then with an Outlook address. Same result. And yes, the commission kept going up.
At that point I knew it was only a matter of time before something flagged. I wasn’t supposed to be able to do that and I knew it. Two weeks later, I woke up to an email saying I was removed from the Perplexity Partner Campaign.
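Seen from the program's side, the gaps in this story are checks that should run server-side before a commission is credited: email eligibility, a real install signal, and timing. The sketch below is an added example, not code from the original post or from Perplexity; the field names, the suffix list, the thresholds and the `install_confirmed` signal are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy values and field names (hypothetical, not Perplexity's).
ACADEMIC_SUFFIXES = (".edu", ".ac.uk", ".edu.au")
MIN_FLOW_SECONDS = 60          # click -> install -> first prompt by a human
MAX_PER_PARTNER_PER_HOUR = 5

def is_academic(email):
    """True only if the domain itself ends in an academic suffix."""
    local, sep, domain = email.strip().lower().rpartition("@")
    return bool(local and sep) and domain.endswith(ACADEMIC_SUFFIXES)

def review_referrals(referrals):
    """Map each referral id to the reasons its commission should be held."""
    findings, recent = {}, {}   # recent: partner -> click times in the last hour
    for r in sorted(referrals, key=lambda r: r["clicked"]):
        reasons = []
        if not is_academic(r["email"]):
            reasons.append("non_academic_email")
        if not r["install_confirmed"]:   # e.g. a signal from the installed client,
            reasons.append("download_unconfirmed")  # not a hit on the download URL
        if (r["first_prompt"] - r["clicked"]).total_seconds() < MIN_FLOW_SECONDS:
            reasons.append("flow_too_fast")
        window = [t for t in recent.get(r["partner"], [])
                  if r["clicked"] - t < timedelta(hours=1)]
        window.append(r["clicked"])
        recent[r["partner"]] = window
        if len(window) > MAX_PER_PARTNER_PER_HOUR:
            reasons.append("partner_velocity")
        findings[r["id"]] = reasons
    return findings

def sample(ref_id, email, flow_secs, installed, minute):
    """Build one constructed referral record for the demo below."""
    clicked = datetime(2025, 1, 6, 12, 0) + timedelta(minutes=minute)
    return {"id": ref_id, "partner": "p-001", "email": email, "clicked": clicked,
            "first_prompt": clicked + timedelta(seconds=flow_secs),
            "install_confirmed": installed}

SAMPLE = [  # constructed data
    sample("r1", "student@example.edu", 900, True, 0),
    sample("r2", "user@mail.example", 10, False, 5),
    sample("r3", "user@example.edu.mail.example", 10, False, 6),
]

if __name__ == "__main__":
    for ref_id, reasons in review_referrals(SAMPLE).items():
        print(ref_id, reasons or "ok")
```

An empty reason list means the referral can be credited; anything else is held for review rather than paid automatically.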
I was a bit disappointed, but I also remembered the FAFO scale. It could have ended in a much worse way, so honestly I got off pretty lightly.
The FAFO Scale
If you don’t know it, FAFO stands for “Fuck Around and Find Out.” It’s the universal rule of curiosity and consequences. The more you experiment, the closer you get to the part where the system pushes back.
That’s what happened to me. I tested something I shouldn’t have, and I found out. The ban was the natural ending of the experiment, and honestly, I respected it. It proved that Perplexity’s systems catch behavior outside the rules eventually.
It also reminded me that curiosity and consequences are two sides of the same coin. You just have to be okay with whichever one shows up first.