First, I know that this may seem like a click-bait title, but let me finish. And yes, it is true. This system works on at least four platforms (which I won’t be naming for obvious reasons). And no, I did not hack YouTube in any way or use any special privileges or tools. All I use was a low-skill attack and the browser’s dev tools. The method was easy to develop, test and it worked well. Also, as a note, I did not use it for fraudulent purposes and the owners of the sites were notified of the problem.
You can buy YouTube Likes and Subscribers
If you do not know already, you can buy video likes and subscribers to your YouTube channel. These are low-quality ones, with close to 0 coming back or actually being interested in your content (if you choose to go this route) and almost all views have less than 15 seconds of video playback. Furthermore, it may get your channel suspended, especially if you are monetizing it.
Still, there are many platforms out there that will gladly sell you subscribers for less than 10 cents per person. Views on any of your videos are even cheaper. This may help a channel that is starting to get some exposure and make it reach trending in certain regions, so many people use such services. Furthermore, most such services have a “free” tier where you get “credits” on the platform by watching and/or subscribing to other people.
So, you like a video, you get 1 credit. You subscribe to a channel, you get 2 credits. Next, you use those hard-earned credits to buy likes and subs for your own channel. The platform opens the video or channel in a window, you do the needed action, press a button to get verified, and move to the next… until you have enough credits to get the “attention” needed for your own channel. Is everything clear?
Always do server-side validation
I have an article about server-side validation. Always do server-side validation is a must for any platform, especially when this service is freely available on the internet. When I wrote that article I knew that there are many platforms that fail to properly validate the inputs and take for granted what is received from the client. It was just a matter of finding one and figuring out exactly what it does not check properly.
And I found more than one in this “Buy YouTube likes” category. Some of the faults are not necessary on the platform’s side. Because it can be tricky or costly to validate that a certain user is indeed subscribed to a specified channel or that he indeed likes a certain video, all these platforms trick you into believing that they do the check all the time. Some of them don’t check anything and just show you a fancy animation or text for a few seconds, others do only partial checks or once every second or third video that you are shown.
Still, you have to click many buttons, spend time on your PC and do manual and tidies labor for just a few video likes. Maybe you should spend that time on actually making good videos? However, the software engineer in me saw an opportunity to cheat the system. Knowing that not all actions are checked if completed, I went ahead to try and find a way to automate this with ease.
Platform 1: Get credits for liking and subscribing
The first platform lets you receive credits for each like and subscribe you make on the provided video. You press a button to open the video in a pop-up, like and/or subscribe to the channel, return to the platform, and press the verify button. You get the credits and the next video. The interface was similar to the one below.
So, the first attack was easy. Instead of me clicking the buttons, I opened the developer console and wrote a few lines of javascript that repeated the button clicking, with a delay between actions. Now, the platform had a “debugger” placed on repeat in the code so that the site will pause if dev tools are opened, but this can be easily turned off with just the press of a button. The delay was needed because there was indeed a check that a new video was not requested too often. Just 1.5s did the trick. 🙂
After this worked, I discovered another flaw. I discovered that all actions that were started by the user are validated when the “Verify” button is pressed. So, instead of pressing the “Verify” button each time, I simply repeated the “Like” or “Subscribe” several times (with a 1.5s delay) and after a certain number of repeats, do the final verification call. Worked like a charm! I could do this because the next video was requested when the “Like” button was pressed, NOT for the “Verify” one.
Furthermore, I made this in Incognito mode of the browser without actually being logged into YouTube, so my views won’t even show up on my account. This way I was also sure that no checks are made since I was actually shown the “Privacy Policy” page instead of the actual video. Also, the script is really easy:
function openYT(count) {
$("#actionbtn").click(); // Find the action button and click it
if (count < 30) { // repeat this 30 times. I chose 30 just so it will stop faster.
setTimeout(function () {
openYT(count+1); // repeat it a few times
}, 1500); // 1.5s delay, since the platform does actually check that we are not doing it too fast
} else {
setTimeout(function () {
$("#verifybtn").click(); // if we clicked the action button enough times, press the verify button
console.log("done");
}, 1500); // another delay so that the last action is properly registered by the system
}
}Platform 2: Like and subscribe every 12 hours
The second platform had a different approach. Every 12 hours you could activate a “free” plan that gets you 5 subscribers. However, to activate it, you first have to like and subscribe to 7 other videos/channels. The platform had a similar interface to the first one, but operated in a completely different way. The same two buttons were present, but the “Verify” one was inactive. What would happen is that when you pressed the “Like” button, the video would open in a pop-up and a timer would start. After 20 seconds, the “Verify” button was activated. Clicking it would trigger a verification that lasted 15 seconds. After that, you would receive the credits and the page refreshed for another video.
Too much waiting. There has to be an easier way. Investigating the code I saw that there was no check actually being done. When the “Verify” button was pressed, a text was displayed and a timer for exactly 15 seconds was started. After those 15 seconds passed, an AJAX POST request was made with the video ID and the channel ID. The number of subscribers was also sent, but that was always hard-coded to the exact same value.
Obviously, I tried to send the request by hand, but that did not work. At least some checks are also made on the backend. But not enough.
Using Javascript, I extracted the video ID and the channel ID from within the page’s source code. After that, I just replicated the AJAX call using JavaScript to send the request. No waiting, no timers, and all checks were bypassed since they were done on the client-side only. All, from within the browser’s dev tools console. The code looks similar to the one below.
function sendRequest() {
var channelStr="<string where the channel ID is>";
var videoIdStr="<string where the video ID is>";
var subscribers = "000000000";
var pageContent = document.documentElement.innerHTML;
var channel = pageContent.substring(pageContent.indexOf(channelStr) + channelStr.length + 1).substring(0, 24);
var videoId = pageContent.substring(pageContent.indexOf(videoIdStr) + videoIdStr.length + 1).substring(0, 11);
$.ajax({
type: "POST",
url: "https://www.<website-address>.com/like-completed.php",
dataType: "json",
data: "subscribers=" + subscribers + "&channel=" + channel + "&videoId=" + videoId,
success: function (msg) {
if (msg.status === "success") {
console.log("success");
refreshPage(); // method from the site that refreshed the page
} else if (msg.status === "activated") {
console.log("active");
refreshPage(); // method from the site that refreshed the page
} else if (msg.status === "error") {
$("#Error").html('YouTube says you did not like or subscribe.');
console.log("error", msg);
refreshPage(); // method from the site that refreshed the page
}
}
});
}Things are even worse (or better for me) actually. Remember that I said that you only get 5 likes/subscribers every 12 hours? The website gives you 7 videos you have to watch and after all 7 are done, it starts an internal timer until you can watch again. It also increases the number of internal credits for your channel. Now, I don’t know exactly how it is done, since I don’t have access to the code, but I assume it is something like this (simplified version):
/**
* Start the Free plan for the provided channel ID
**/
public void startFreePlan(String channelId) {
ChannelDO channel = channelDao.findById(channelId);
Calendar cal = Calendar.getInstance();
cal.add(Calendar.HOUR, 12);
channel.setNextFreePlanStart(cal.getTime());
channel.setCredits(5);
channelDao.save(channel);
}How do I know that it works like this? Because of the second vulnerability in the platform. After the free plan gets activated because I liked all the 7 videos it asked me to (well… tricked it to believe that I did), I am redirected to a page where there is a countdown until I can activate it again. Now, if I manually enter the URL for the page where I can like a video again, it is still there and the buttons are there, working as they worked before.
Using the same script from above, I trick the platform into thinking that I followed the channel. Now, when I go back to that timer, it was reset back to 12 hours. This means that I can come back after 30 minutes (or how long it takes for my credits to get consumed) and run the script again to re-activate my free plan. Even better, the number of videos that I have to interact with was NOT yet reset back to 7. Only 1 (one) execution of the script reactivated the free plan all over again, so I got 5 more subscribers for just 1 more interaction.
Other considerations
I won’t go into the moral implications of buying likes and subscribers for YouTube. I won’t even talk about the feasibility of these platforms and if they can indeed increase your channel’s visibility. However, these platforms charge real money for what is essentially snake oil. They don’t do any checks (or very few) and you can get the same results from them without paying.
Maybe there are a few legit services out there that actually deliver and that truly validate the actions, but the 5 that I tested had these vulnerabilities. Furthermore, 4 of them looked almost identical and had almost the same code, so I am certain that it was a ready-made script that was sold to multiple people that started similar services, without actually knowing how they work and what they do.
I did not try to get any escalated privileges to modify the number of credits I got or used any injection mechanisms to alter the database in any way. I made the same interactions as a normal user would, but sped them up using simple mechanics that can be done without any specialized tools.
All subscribers and video likes were on a test channel of mine and stopped when I got 100 subscribers. After a day, the number of subscribers fell to around 70 and after a couple more days, 90% of the subscribers disappeared, most probably because YouTube’s algorithm detected that those subscribers did not actually watch any videos. The likes received on the videos remained. I wanted to reach 100 just to know for sure that the attacks work and the platforms deliver after they have been tricked into doing so.
The scrips presented here were slightly modified for clarity and to obfuscate the platform they were used on. They won’t work ‘as-is’ even if there are still websites affected.
Conclusions
I won’t draw any conclusions on the actual implications of buying subscribers. It is still up to you if such services are worth paying for or spending time for the free plans. However, if anyone who reads this works as a back-end developer, make sure that you always validate the inputs.
Never assume that the required time has passed just because there was a timer on the front-end side. Always check that all required actions have actually been done. Include a CSRF Token for any forms or a way to validate that the request is unique. Validate input data and act accordingly, even if checks were already done on the client. These are easy to trick.
Source link
