IF YOU GOT SCAMMED BY THIS, PLEASE READ ME :) 1. Before changing your password, delete the scam bookmark. 2. Then once you do that, change your password.
I'm honestly surprised that people are managing to do this. Most people that try to verify in a server can't even follow instructions to verify by clicking an emoji or copy paste a certain command
ikr? On my MC server, people kept struggling with the verification/discord linking. it literally says in-game "click *here* to get your code" (here being red and underlined), it's written into your chat to copy paste into Discord. nope, too difficult. some people are dumb.
Because their employees are entirely incompetent. Discord support is almost non existant, and when you do get a reply it's some half assed copy pasted crap.
@@stars227 Yep, exactly. And the only features they work on are the ones people aren't asking for. I had full access to my account, but needed them to change my email address because it was no longer accessible, and they told me to create a new Discord account. Their support is useless.
I dont know what discord employees you guys are emailing, but back when i got hacked they replied back in two days and disabled the 2-factor authentication the hacker set up on both of my accounts (yes i got hacked on 2 accounts. Im a bit stupid)
Also of note: _Reauthorise YAGPDB if you have it..._ it doesn't actually make use of the *Join Servers for you* permission, and it's been removed from its default scope for a while now... 😅
I deobfed and reverse-engineered the script, and here's what I found: - The JSFuck portion of the code evaluates to "fortniteamongustycoonlol" (from a base-64 decode.) - The RE protection is more clever than one might think; the globals array is mutated until a specific alignment is reached. - The script registers its own module into Discord to access other modules. - The script can detect said module if the code has already been run. - jesus fuck it was annoying to reverse-engineer
So basically. A basic feature on most browser rats them out? That's kinda cool. Imagine being a hacker/scammer and you got ratted out by a simple function like hovering over a bookmark.
4:35 yes it is possible actually, honestly it's very likely to happen considering fact you won't even realize what thing added you to some weird server BUT that's very much all they can do by authorizing you to their app (again, only by authorizing you, of course they can do everything when they have your token)
I think the tokens are fine, but only if they are wholly unique per device. If the same token shows up on two devices, the system should immediately deauthorize it.
@@mallusrgreat thats not what they mean its per device so each device has a different token and if one is stolen off one device you would then have to relog in because the token was stolen on that device.
I think they WOULD want your account. Seems like you have so very valuable information on how to get a girlfriend. Those scammers will need it to actually get a girlfriend.
This scam exploits the fact that if you put "javascript: (code here)" into a URL bar in a browser, it executes the code on the current website. You can try it here on TH-cam, actually! Try copying: "javascript: alert('Hello, World')" into your browser bar (without the double quotes). It'll create an alert popup. Now, where am I going with this? A bookmark is basically just a hyperlink embedded in a bar in your browser. If you click on the bookmark, it'll bring you to whatever page you bookmarked, just like a link. The catch is, that also means if you put JavaScript in a bookmark, it does the equivalent of putting the JavaScript in your URL bar (There are intentional versions of this, called bookmarklets. They can be useful, though they aren't malicious, they're basically just advanced JavaScript macros). Additionally, the JavaScript in the URL bar can access all of your local client data, due to JavaScript giving any other script running on the page access to the scope. So, how do you protect against this? There are two main options: 1. Don't add/open any bookmarks you didn't create yourself, or you haven't checked over to make sure it's safe. As I've said, not all JavaScript bookmarks are bad, but they often can be, so be cautious and check bookmarks you didn't create. 2. Don't use a Chromium browser. I'm not sure I know of any Chromium-based browsers that aren't vulnerable to this, as they all support running JavaScript in the URL bar for some reason (You shouldn't use Google Chrome anyways (has Google trackers embedded in the browser, terrible performance) or Opera (purchased by a chinese consortium and contains injected spyware), Edge is fine for now). I highly recommend using Firefox as your primary browser, no matter what, as it's more performant that Chromium, blocks these sorts of attacks, prevents trackers from following you on the web, and doesn't track you itself. You'll be much safer on the web using it. Edit: Oh yeah, forgot to mention, these attacks can also be injected in hyperlinks or buttons. This is why sites typically don't let you manually create them, and if they do, they filter them. You can set a button's "onclick=" to JavaScript, just like how you would in a browser bar, and you can set a hyperlink's source to JavaScript, and it will do the same. If sites let you create hyperlinks manually, you could quite literally steal people's usernames and passwords with nothing more than a hyperlink.
It's incredibly stupid that JavaScript bookmarks are still a thing. They're pretty much completely obsoleted by extensions and pose a huge security risk.
I use JavaScript bookmarks for automation tasks, but then again I'm a nerd who uses JavaScript for automation... Just like every tool, they have a use, and just like sledgehammers they can be misused to devastating effect.
I didn't go through with it, but I searched for the suspiciously dangerous "verification" method from the supposed MEE6 bot and found it described here on your video. Thanks. When Discord server admins have their Discord token stolen it's "hell to pay" in their community as admins get kicked from their own server!
Being a verified bot developer i know for fact that bots cant send messages or make you join servers! Dont click on sussy links (make sure the dashboard links do belong to the bot , the domain of the url should be accessible by some command) Thats it.
I thought dyno is a very safe bot so i press into the link and do everything it ask. Thanks for posting this video to let me know that its a scam. I've always wondering why there is new server when I turn on my laptop.
thank you for covering this, its been happening to me, i turn on my phone and im in a rando server ive never heard of, but i didnt do the bookmark thing, but thanks to you, i fixed it
@@chri-k normally my school wouldn't allow my chromebook to use the inspect element. By using a bookmarklet I could use it and return the output using an alert.
It does! I have a few bookmarklets for things like special static URLs (such as Wikipedia's /wiki/Special:Random), utility functions (such as evaluating code quickly/on mobile, bypassing some adblockers, or loading an external script), etc.
not only chrome, any browser can run Javascript from a bookmark. Mozilla has a whole guide on how to use them. It’s a unique way to replicate extensions without having to publish your extension to the web
Discord needs to fix these scam issues one way or another. If they don't do it soon I don't see it going well for Discord in the future. or alternatively, people can just use their brains :P
I'm amazed and baffled that are a feature in . Does anyone use them legitimately any more? But to answer your question, yes, they do see use from time to time. If we removed every feature just because a scammer used it at some point, we'd stop using computers and mobile devices altogether and be left with old analog TV sets. Oh, wait, those are used for scams, too, only they call them "advertisements".
Pro tip: if you ever see an obfuscated script, don't run it. The only reasons for code to be obfuscated are: a) "Security through obscurity" which is a joke, or b) to hide malicious code.
since we now see the URL its posting to, lets make a small little script that spams the site with fake tokens >:) edit: tho it may have some authentication system in the background that verifies if tokens are real or not, which would make the spam useless i guess..
I figured it out! they used some really stupid way to hide their key (lmao), their key is "fortniteamongustycoonlol" and I bet you can just spam it with requests EDIT: I don't know if they are checking to see if the keys are valid, but that doesn't matter if you have thousands and thousands and thousands of keys to check. sure, you can weed out all the fake tokens, but that takes a very long time. especially when there's so many "totally legit" keys.
So what you're saying is that if we see one of those in the wild we just copy the link from the script and spam their API with a bunch of random bullcrap? Gotcha!
hey you were right about the authorization part the only thing is they can also add some weird things which basically access your ip and sell that stuff because that all can be accessed through the console too and other stuff. surely not written by an java coder.
nobody is gonna sell your ip. it's not a 100% accurate indicator of location and it gets changed periodically by your isp. also your ip is given out to literally every single website you visit so it's not hard to get either
@@dylon4906 That is not entirely 100% true. Your IP is basically your web address and it doesn't always change. For example, I'm still living with my parents right now, and they don't pay for a static public IP address, yet the public IP address hasn't changed in years. Not to mention that the only time it did change was with a new router on a new package with a whole new configuration. Unless your ISP is different, IPs are still a great resource to track people across websites and harvest data for purposes such as advertising and identity building. Your IP is not always geographically accurate, but it's also generally pretty easy to decipher what ISP is providing your service, and with a little social-engineering or backdoor services, you can find out exactly where somebody lives. It's less common nowadays, but this was a bigger problem 10 years ago.
i would have never for the life of me thought you can run js code just in your bookmark, lmao! imo every web browser need to either run a check on the js script before putting it into the bookmark, or just straight up disable the feature. these scams man, they're getting quite wack
Damn, these scams are getting so obvious i can't even make a legit Wick verification system because people are leaving because they think it's a scam on first sight, now Dyno too?
those x blocks are characters like "f" or any unicode character, but its a link that a computer use to get a character from it's memory instead of displaying. Mostly used for unicode characters that aren't on a keyboard.
I had my account stolen recently due to token theft. Was locked out of my account within 2 seconds of running the fake game. I was really dumb that day, but discord’s security is a joke. It should NOT be that easy to steal accounts
the real problem is that you can get lock someone out of an account without proving identity. The session token stealing will be possible for as long as session tokens exist, but tokens are the best way to handle accounts to this date, and they are secure as long as the user does not let them get stolen. but a token should not count as enough to something like that, and discord does not implement basic verification systems like “if the same token just came from opposite sides of the planet, it’s probably compromised”
is no one going to talk about how that one notepad++ page he has open says "hi what is up guys today we will be making a tutorial on how to talk to girls"
I think it's using a thing called JSFuck, its a version of javascript translated to the 'brainfuck' coding language (thats what all those []{}()!'s are)
no, JSFuck is regular JavaScript but you abuse type nonsense and class nonsense to make it extremely unreadable, and it ends up looking like brainfuck as a side effect
![🎤 จับฉลากร้องเพลง x P’ #XXSIVK [EP.1] (2/2) เพื่อนจับได้คำไหน..ต้องร้องคำนั้น เริ่ม! 💓🎶 #MXFRUIT](http://i.ytimg.com/vi/1bJvMJXmeS4/mqdefault.jpg)
IF YOU GOT SCAMMED BY THIS, PLEASE READ ME :)
1. Before changing your password, delete the scam bookmark.
2. Then once you do that, change your password.
Best one.
@@elderlean7876 Changing password means changing the account token code
3. Remember 1 and 2.
Change your password first.
Use a js decompiler
I'm honestly surprised that people are managing to do this. Most people that try to verify in a server can't even follow instructions to verify by clicking an emoji or copy paste a certain command
i swear everyone in the server could change their name to READ PINS and you would still get people who dont know what to do
Welcome to Discord
ikr? On my MC server, people kept struggling with the verification/discord linking. it literally says in-game "click *here* to get your code" (here being red and underlined), it's written into your chat to copy paste into Discord. nope, too difficult. some people are dumb.
@@itsTyrion frrr
YES
Discord has become such a mess with those scam issues man..
Literally every single large platform has, TH-cam, Twitter and Instagram all have so many scams. On TH-cam i think it's the worst
Because their employees are entirely incompetent. Discord support is almost non existant, and when you do get a reply it's some half assed copy pasted crap.
@@stars227 then be on alert and don't click on random links.. discord can't do anything if you are the dumb person
@@stars227 Yep, exactly. And the only features they work on are the ones people aren't asking for.
I had full access to my account, but needed them to change my email address because it was no longer accessible, and they told me to create a new Discord account. Their support is useless.
I dont know what discord employees you guys are emailing, but back when i got hacked they replied back in two days and disabled the 2-factor authentication the hacker set up on both of my accounts (yes i got hacked on 2 accounts. Im a bit stupid)
anyone remember that time where bots would DM people invite links to 'weird' servers? I found it really creepy when it happened to me.
same, one day it even sent me a jumpscare with a scam link
happens daily
@@retroaspectgaming you don't really need to be a programmer to know how to change passwords lol
had one, it was a weird server and jumpscared me and hacked my server, stole my token and lost my 1 year nitro
@@retroaspectgaming coder? thats not the correct word
Its hilarious when you realize how far people go just to get your information
This is just basic phising wym
@@groove7854 maybe basic for you , not for people who don't know what the bookmark can do with them especially for older people or kids
@@darklviper3179 Still basic, wdym... If people fall for it, then they maybe should stop using the internet...
Also of note: _Reauthorise YAGPDB if you have it..._ it doesn't actually make use of the *Join Servers for you* permission, and it's been removed from its default scope for a while now... 😅
thanak you, underrated cfomment
thvenj yuo so muhc
thksnkd you smchu br sti oggmegltgu
bro if it doesn’t actually use the scope where the issue?
@@vedamaharaj hmm thats weird thism an caln spell
Lmao the "wrong tab" was some outta nowhere humor I wasn't expecting
HAHA love your "wrong tab". Thanks for the laugh. Also thanks for making people aware of scams.
@DDD9216A HAHA! I didn't notice because I skimmed the video. Now I see it. Have a good day!
I deobfed and reverse-engineered the script, and here's what I found:
- The JSFuck portion of the code evaluates to "fortniteamongustycoonlol" (from a base-64 decode.)
- The RE protection is more clever than one might think; the globals array is mutated until a specific alignment is reached.
- The script registers its own module into Discord to access other modules.
- The script can detect said module if the code has already been run.
- jesus fuck it was annoying to reverse-engineer
very interesting, thanks Patrik Käpyaho
thanks Patrik Käpyaho for this information
Fortnite among us tycoon
what is "Re protection"
@@firstsurname8931 protection against (r)everse (e)ngineering
That "Wrong tab" part killed me bro 🤣
can you teach us how to talk to girls though, its gonna be your biggest video yet
They really used JSFuck to obfuscate the code xD
So basically. A basic feature on most browser rats them out? That's kinda cool. Imagine being a hacker/scammer and you got ratted out by a simple function like hovering over a bookmark.
4:35 yes it is possible actually, honestly it's very likely to happen considering fact you won't even realize what thing added you to some weird server
BUT that's very much all they can do by authorizing you to their app (again, only by authorizing you, of course they can do everything when they have your token)
Discord seriously need to up their security and scrap account tokens altogether
tokens are kinda the only good option though, sure you could store an encrypted email and password but there's not much of a difference
I think the tokens are fine, but only if they are wholly unique per device. If the same token shows up on two devices, the system should immediately deauthorize it.
@@ZeldagigafanMatthew NO. I use Discord on multiple devices and it would be a huge problem for me to log in everytime.
I think tokens are like session id's, It needs tokens because else it doesn't know what user you are currently logged in.
@@mallusrgreat thats not what they mean its per device so each device has a different token and if one is stolen off one device you would then have to relog in because the token was stolen on that device.
I think they WOULD want your account. Seems like you have so very valuable information on how to get a girlfriend. Those scammers will need it to actually get a girlfriend.
LOL
one of the best comments I've seen
I gotta send this to my friends, thanks for letting this be known!
This scam exploits the fact that if you put "javascript: (code here)" into a URL bar in a browser, it executes the code on the current website.
You can try it here on TH-cam, actually! Try copying: "javascript: alert('Hello, World')" into your browser bar (without the double quotes). It'll create an alert popup.
Now, where am I going with this? A bookmark is basically just a hyperlink embedded in a bar in your browser. If you click on the bookmark, it'll bring you to whatever page you bookmarked, just like a link. The catch is, that also means if you put JavaScript in a bookmark, it does the equivalent of putting the JavaScript in your URL bar (There are intentional versions of this, called bookmarklets. They can be useful, though they aren't malicious, they're basically just advanced JavaScript macros). Additionally, the JavaScript in the URL bar can access all of your local client data, due to JavaScript giving any other script running on the page access to the scope.
So, how do you protect against this? There are two main options:
1. Don't add/open any bookmarks you didn't create yourself, or you haven't checked over to make sure it's safe. As I've said, not all JavaScript bookmarks are bad, but they often can be, so be cautious and check bookmarks you didn't create.
2. Don't use a Chromium browser. I'm not sure I know of any Chromium-based browsers that aren't vulnerable to this, as they all support running JavaScript in the URL bar for some reason (You shouldn't use Google Chrome anyways (has Google trackers embedded in the browser, terrible performance) or Opera (purchased by a chinese consortium and contains injected spyware), Edge is fine for now).
I highly recommend using Firefox as your primary browser, no matter what, as it's more performant that Chromium, blocks these sorts of attacks, prevents trackers from following you on the web, and doesn't track you itself. You'll be much safer on the web using it.
Edit:
Oh yeah, forgot to mention, these attacks can also be injected in hyperlinks or buttons. This is why sites typically don't let you manually create them, and if they do, they filter them. You can set a button's "onclick=" to JavaScript, just like how you would in a browser bar, and you can set a hyperlink's source to JavaScript, and it will do the same. If sites let you create hyperlinks manually, you could quite literally steal people's usernames and passwords with nothing more than a hyperlink.
It's incredibly stupid that JavaScript bookmarks are still a thing. They're pretty much completely obsoleted by extensions and pose a huge security risk.
@@kxi remove them entirely
I didn't even know that they existed
@@kxi not discord, your internet browser
I use JavaScript bookmarks for automation tasks, but then again I'm a nerd who uses JavaScript for automation... Just like every tool, they have a use, and just like sledgehammers they can be misused to devastating effect.
I use them, but browsers should really have an option to disable or enable JavaScript bookmarklets, and it should be disabled by default.
Another thing you should do if you get hacked is to check your Devices settings menu and delete everything.
I didn't go through with it, but I searched for the suspiciously dangerous "verification" method from the supposed MEE6 bot and found it described here on your video. Thanks. When Discord server admins have their Discord token stolen it's "hell to pay" in their community as admins get kicked from their own server!
Sometimes secrets are kept by projects on Discord in "private" channels, that can be exposed if an admin has their Discord token "hacked"!
bro, im actually impressed by people making these scams, like they are using such crazy but simple methods to scam you really legitimately.
Being a verified bot developer i know for fact that bots cant send messages or make you join servers!
Dont click on sussy links (make sure the dashboard links do belong to the bot , the domain of the url should be accessible by some command)
Thats it.
yea using bookmarklets to inject JS into the console is a pretty smart tactic for people who are not tech-inclined...
That "How to get a girlfriend" tab got me hard 😭
"how to get a girlfriend"
“How to get a girlfriend” made me laugh so hard
“What to do if you fell for this Sam” lol😂
I thought dyno is a very safe bot so i press into the link and do everything it ask. Thanks for posting this video to let me know that its a scam. I've always wondering why there is new server when I turn on my laptop.
This guy is the best on 2022 who make legit make sense and good discord video keep the good work, best wishes.
Thank you! Shared it already with my members :D
how much you wanna bet NTTS cleared all the sussy bookmarks for this video
If people are dumb enough to let this happen to them in 2022, they deserve having their account compromised.
“how to get a girlfriend” “wrong- wrong tab”
💀
To add on that he wrote a script so that you can talk to girls
scam website: to enable your bookmark bar press (CTRL+SHIFT+B)
me enters this website on phone: how?
One of the sections has a mistype in it. It says ‘sam’ instead of ‘scam’
CRYSTAL AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
thank you for covering this, its been happening to me, i turn on my phone and im in a rando server ive never heard of, but i didnt do the bookmark thing, but thanks to you, i fixed it
Even though it is for bad use, this method of gaining your Discord Token is actually impressive - can't believe this could exist.
These executable bookmarks are called bookmarklets. It can also have some helpful uses and can bypass your school admin 0-0
what do you mean by “bypass your school admin”
@@chri-k normally my school wouldn't allow my chromebook to use the inspect element. By using a bookmarklet I could use it and return the output using an alert.
@@Scott170c why in the world did they block the developer tools
the fact that people actually believe a BOOKMARK is a legit way to verify.
why does chrome have the feature to run javascript from a bookmark? seems dangerous to tech-illterate people, does it have any actual use cases?
It does! I have a few bookmarklets for things like special static URLs (such as Wikipedia's /wiki/Special:Random), utility functions (such as evaluating code quickly/on mobile, bypassing some adblockers, or loading an external script), etc.
not only chrome, any browser can run Javascript from a bookmark. Mozilla has a whole guide on how to use them. It’s a unique way to replicate extensions without having to publish your extension to the web
Discord needs to fix these scam issues one way or another. If they don't do it soon I don't see it going well for Discord in the future.
or alternatively, people can just use their brains :P
And move to Guilded, probably
@@realgrenja "move to guilded" isnt a problem solver as they could just make it work on both apps
guess we are all moving to matrix then
@@amongsussyballs We are already in one, we don't need another /s
I remember this from "how to get your discord token in mobile" is basically the same bookmark scam
We're all talking about that, but what's more dangerous is trying to find a girlfriend on google.
Running JS through bookmarks is such a novel idea holy fuck
They are using as Mee6 now too... running a different code not sure what is does, but it runs as a "javascript:fetch(atob...
"
The only time i were scammed was when i got five euros and my mom told me she'd keep it safe in her wallet...
And then she goes off to buy makeup products
I love how nobody in the comments section mentioned the fact that he searched up "how to get a girlfriend"
I’m amazed and baffled that JS bookmarklets are a feature in browsers. Does anyone use them legitimately any more?
I'm amazed and baffled that are a feature in . Does anyone use them legitimately any more?
But to answer your question, yes, they do see use from time to time. If we removed every feature just because a scammer used it at some point, we'd stop using computers and mobile devices altogether and be left with old analog TV sets. Oh, wait, those are used for scams, too, only they call them "advertisements".
@@RJCUN Damn bro, sorry if they attacked your favourite browser feature D:
@@RJCUN they should be off by default
i use them a lot
I use them a bunch
i love how i had the tf2 scaredy-cat taunt under this lmao
it looks like it was reacting to this
Pro tip: if you ever see an obfuscated script, don't run it. The only reasons for code to be obfuscated are: a) "Security through obscurity" which is a joke, or b) to hide malicious code.
Someone commisioned me to make this for them. The code was fairly simple to make, and it was really easy to understand and learn.
Do you still have the source code?
@@object.toString I do yes
@@JohnSmith-oq7bg please can you make it available?
I remember watching you 2 years ago, then i didn't see you for like 1 year, das crazy
Bro got me sending every link i see to my FBI agent for him to see if its good or not
“The first step to getting a girlfriend is stop trying” ☠️☠️☠️☠️☠️☠️☠️
As soon as it said to bookmark the code I knew what was going to happen
the "How to get a Girlfriend" killed me 💀
also i just noticed the notepad++ tab 💀
time for some trolling (spamming the api)
We do a little trolling, that jsfuck is nothing lmao
still knew about this method and did a warning on our discord about it but thx a lot for that video :) u explained it rly good
I'm willing to bet the people disliking this video are the same people that are stealing account tokens 💀
all the serious things aside
"how to get a girlfriend"
oooh, this is a new type of scam, they always find ways to get people into scams. How creative are these people
could someone constantly run the js script through the bookmark and constantly send them useless garbage?
Yes!
since we now see the URL its posting to, lets make a small little script that spams the site with fake tokens >:)
edit: tho it may have some authentication system in the background that verifies if tokens are real or not, which would make the spam useless i guess..
I figured it out! they used some really stupid way to hide their key (lmao), their key is "fortniteamongustycoonlol" and I bet you can just spam it with requests
EDIT: I don't know if they are checking to see if the keys are valid, but that doesn't matter if you have thousands and thousands and thousands of keys to check. sure, you can weed out all the fake tokens, but that takes a very long time. especially when there's so many "totally legit" keys.
@@AveryChow You could also make a alt and spam the website with the token of your alt
Pseudo-valid (i.e. valid to the format but not based on real data) tokens can be generated randomly
not the "How to get a girlfriend" tab lol
I can't believe Sam fell for this scam... Hope his account is ok.
5:05
my friend got scammed by this :(
So what you're saying is that if we see one of those in the wild we just copy the link from the script and spam their API with a bunch of random bullcrap?
Gotcha!
The kiss in the end hit different
Who else is thinking about spamming that "token logging" website with random trash, like random gibberish strings that look like keys but aren't? 😏
2:03 holy shit I didn't expect that! XDD you're a genius :'))
Is it just me laughing at the fact that he has a tab opened in the browser called “how to get a girlfriend”?
That tab bro💀💀💀
I'm 99% sure all verification methods that aren't "click emoji" or "send message" are scam.
Bruh, I just love the people in the comments who have no idea how authentication works but still say stupid crap about auth tokens ☠
hey you were right about the authorization part the only thing is they can also add some weird things which basically access your ip and sell that stuff because that all can be accessed through the console too and other stuff.
surely not written by an java coder.
nobody is gonna sell your ip. it's not a 100% accurate indicator of location and it gets changed periodically by your isp. also your ip is given out to literally every single website you visit so it's not hard to get either
@@dylon4906 That is not entirely 100% true. Your IP is basically your web address and it doesn't always change. For example, I'm still living with my parents right now, and they don't pay for a static public IP address, yet the public IP address hasn't changed in years. Not to mention that the only time it did change was with a new router on a new package with a whole new configuration. Unless your ISP is different, IPs are still a great resource to track people across websites and harvest data for purposes such as advertising and identity building. Your IP is not always geographically accurate, but it's also generally pretty easy to decipher what ISP is providing your service, and with a little social-engineering or backdoor services, you can find out exactly where somebody lives. It's less common nowadays, but this was a bigger problem 10 years ago.
java is not javascript? XDDDDDDDDDDDDDDDDDDDDDDDDD
don't worry Heroku is disrupting all bots by the end of october, no more dynos for scripts and cloud apps
its still a JSbookmark exploit, if anything we need to notify google/other web browsers so this cant be exploited but still usable
No more dynos for my clock server either. Luckily it isn't really needed anymore though.
i would have never for the life of me thought you can run js code just in your bookmark, lmao! imo every web browser need to either run a check on the js script before putting it into the bookmark, or just straight up disable the feature. these scams man, they're getting quite wack
They grab ur discord account for a certain server your in, they dont give a shit for ur account once you post a singular msg in a server ur in.
I remember this exact same scam was being used on another site, crazy how it's spreading
The thing is: one of my friends can code and made an exploit for this bookmark thing, it can do many more harmful things than just getting your token
Damn, bro. Guess they gotta watch out
This is exactly why I like Notepad++. And I really appreciate that my Computer teacher made us download it.
Oh, bookmarklet stuff. I thought this died back in 2017.
I somehow learned something new
I didn't know you could book Javascript Code
Damn, these scams are getting so obvious i can't even make a legit Wick verification system because people are leaving because they think it's a scam on first sight, now Dyno too?
Rule of thumb, any verification that goes out to another site is a scam until proven otherwise.
I love how this guy has easter eggs!
the notepad said a tutorial for talking to girls
the search bar has how to get a girlfriend
lovely!
wow
I had no clue that bookmarks Js was a thing.
I don't see any legitimate usage for this function
Of course a technology as old as bookmarklets can only now be used in malware...
I showed the joke to my bro, and then I remembered he has a gf now...
those x blocks are characters like "f" or any unicode character, but its a link that a computer use to get a character from it's memory instead of displaying. Mostly used for unicode characters that aren't on a keyboard.
How do you get those beautiful folders?
as a person that uses too much internet
xyz is the cheapest domain so
if you didn't know that
I had my account stolen recently due to token theft. Was locked out of my account within 2 seconds of running the fake game. I was really dumb that day, but discord’s security is a joke. It should NOT be that easy to steal accounts
the real problem is that you can get lock someone out of an account without proving identity. The session token stealing will be possible for as long as session tokens exist, but tokens are the best way to handle accounts to this date, and they are secure as long as the user does not let them get stolen.
but a token should not count as enough to something like that, and discord does not implement basic verification systems like “if the same token just came from opposite sides of the planet, it’s probably compromised”
2:16 check left corner💀💀
is no one going to talk about how that one notepad++ page he has open says "hi what is up guys today we will be making a tutorial on how to talk to girls"
is anyone gonna talk about his "wrong tab"
I think it's using a thing called JSFuck, its a version of javascript translated to the 'brainfuck' coding language (thats what all those []{}()!'s are)
no, JSFuck is regular JavaScript but you abuse type nonsense and class nonsense to make it extremely unreadable, and it ends up looking like brainfuck as a side effect
This is starting to get out of hand
kde background on windows is just cursed ngl
i found out the link that it sends the discord token to so i sent it like 21 thousand fake tokens, i hope that helped
2:27 ayo "how to get a girlfriend" in his tabs?