1. Do not harass the bot developer. Yes, he didn't say thank you, but he did fix the issue quickly. Harassing someone because of poor manners aint the move. 2. The vulnerability is patched, please stop asking me how to hack into captcha.bot. I will never make a video on a live vulnerability because some of you are rascals. and finally, I was told that people are asking other bot devs if their bot is safe and linking this video. That is perfect, that's the goal of these videos. Whether it's a one man team or a big company, people will exploit discord bots and use it to ruin people's communities or scam a bunch of people. And everyone getting a little scared of eva, and double checking the security of their bots, is going to make the community a better place. (Even if it means I have to burn my bridges with bot devs that disagree).

@NeedForSpeedRTX

6 ай бұрын

Oh

@RoyaleWind

6 ай бұрын

i hope he learned now atleast to not hardcode his id and to write a good api (there a propably still allot of vulnerabilities)

@iwasneverjoebiden

6 ай бұрын

that's reasonable

@7heMech

6 ай бұрын

Well, the video could still be a clue to another exploit, if such a dumb loophole existed, there are likely many more.

@bnanik

6 ай бұрын

yes

this guy needs a lesson on how to properly protect his API endpoints... hilarious

@Neninho_

6 ай бұрын

What do you mean? Checking the locally cached ID in the frontend with no proper backend verification is totally enough. /s

@masterman1502

6 ай бұрын

Their sourcemaps are still public, btw (the "Webpack" folder). Either theirs, or their payment/subscription processor

@giorgiotr

6 ай бұрын

dark is an idiot

@TheRealKiRBEY

6 ай бұрын

As a non coder whats an API?😊

@itznerdyfox7479

6 ай бұрын

​@@TheRealKiRBEYme work wit someone else's application via my own code

How are these bots so hilariously insecure? The fact everything could not only be done so easily but also all within the browser's DEVELOPER TOOLS is a huge problem.

@IanGaming101HD

6 ай бұрын

@@VaultCord its the person who created the bot's fault, the website made for his bot has lots of vulnerabilties.

@bablela26

6 ай бұрын

I finally understood why dumbasses politicians wanted at one point to block the inspect page... Wait, no they just are incredibly dumb and if they catch a glimpse of dev tools they will completely loose their mind lmao

@nocturnaldev8607

6 ай бұрын

​@@VaultCordthey do, if only you cared to read the terms of service instead of blaming them for every goddamn thing

@Minecon724

6 ай бұрын

well you don't need any proven skills or any signed legal things to create a bot

@wiirlak8681

6 ай бұрын

@@VaultCordIt's the law to disclose data breah, bots' owner not following it (or the ToS) is not Discord fault - but Discord is at fault for not going after them after that through.

Having this little protection is shameful. There is a complete lack of basic security measures...

@toydotgame

6 ай бұрын

im literally not a web dev and seeing that js auth code immediately set off alarms

@kibbewater

6 ай бұрын

​@@toydotgame so if you are not a web dev, don't comment on the matter, authorization headers are completely fine and pretty standard for many applications

@Omega-mr1jg

6 ай бұрын

​@@kibbewaterwhat. for an app like this? Okay

@bennybouken

6 ай бұрын

​@@kibbewater💀

@kibbewater

6 ай бұрын

@@Omega-mr1jg The Auth headers were not the problem, lack of handling them correctly was.

As a Cybersecurity Student, that was the shitiest security that I have ever seen in my whole life 💀

@turtleparty7241

6 ай бұрын

that means you haven't been in cybersecurity for very long (no offense)

@distorted_heavy

6 ай бұрын

@@turtleparty7241 bro doesn't know how school works

@reki9726

6 ай бұрын

@@turtleparty7241 A year and learning (yes, its not too long imo, doing hackthebox machines rn)

@danialrafid

6 ай бұрын

​@@turtleparty7241 He said he was a student 🤨

@Goovdluck687

5 ай бұрын

​@@turtleparty7241 so someone can easily hack into a bot by using F1 and it's not the shitiest security?

All those recent exploits discovered in bots is why I keep stressing to people to properly setup their servers and not blindly give bots permissions they don't need. Thank you for bringing light to these exploits, hopefully this pushes people to stop blindly trusting bots and for devs to be more careful with security

@justind4615

6 ай бұрын

ye like who puts checks, security, etc in front-end?

@Liggliluff

6 ай бұрын

I had a server where bots have different functions, but these bots only had access to the channels they should have access to. For example, no access to #general or #moderation.

@kuuravr

6 ай бұрын

​​@@LiggliluffThat's pretty much how I do it, if it doesn't need to view a specific channel then it's restricted from it, if it only needs to read and not talk it won't have send message permission except for logs channels, etc

@ItzPubby

6 ай бұрын

#1 advice i can give. Don't use bots. Bots are fully automated without human input when it comes to authentication. The best security you can do, is have active HUMAN staff members in your servers. I get the appeal for bots, but if you bringing them in from a third party, you are literally relinquishing control to someone you dont know if you can trust or not. Weither if the properly took the percautions. So, set up your discord and manage it yourself.

@kuuravr

6 ай бұрын

​@@ItzPubby I wouldn't say that's a good advice, bots are helpful when used right especially when you have a large server or want to setup something specific, the issue is people are too lazy to set up bot properly and just gives it admin so it does its job, they don't organize their server roles properly, they don't disable bot features they don't need and don't restrict the bot accesses to what it doesn't need, they don't know how to look for the signs that a bot isn't made properly (such as its invite auth link requesting admin perms in any capacity). Sure if you're running a small server you probably don't need a bot, but they're a good tool and people needs to know better when using said tool.

As a full-stack developer I can confirm that this is so amateur and unprofessional, no-one should trust a single product from this developer EVER. Remove captcha bot from your servers rn.

@justind4615

6 ай бұрын

hecker

@Dultus

6 ай бұрын

That's what happens when you just throw everything to the front end. x)

@Lampe2020

6 ай бұрын

Verification etc. should be done on the backend and be a little more secure than just sending _any_ auth header. It should verify the auth header that it's actually the owner and probably a lot more. I even have such a login on my website, but you need the right password and username to get logged in and _then_ it just sees "Logged in? Okay, here's your perms!", because I am the only user account there. And eventually I'll replace that with a third-party OAuth login instead of an own one.

@tabletopjam4894

6 ай бұрын

this is what happens when someone spends too much time in js land lol

@WindowsDaily

6 ай бұрын

I can't even tell how it'd make it any easier. They clearly know the account to give the server to, so all they have to do is put the if (user is not me) check in there. Sure it can be put in the client side too, but just one line in the server side would have been enough to stop it.

Absolutely disgusting move by the bot owner.

@zikohaha7440

6 ай бұрын

Shut UP !!!!!!!! 😍😍😍😍🥰🤩🤩🤩

@Craosien

6 ай бұрын

​@@zikohaha7440npc

@BroggoYT

6 ай бұрын

@@zikohaha7440 you shut up

@redixroblox.

6 ай бұрын

@@zikohaha7440 no

@user-rf1fi4uw1k

6 ай бұрын

Thats messed up

As someone who has dabbled with a bit of bot development here and there on Discord, I have seen so many examples of other developers who think they're too good and too big to acknowledge other people around them - especially when it's criticism or feedback. Not surprised at all that Dark ignored your DM and I can guarantee that had you sent it from your NTTS account he 100% only then would've bothered replying.

xyzeva causally finding vulnerability in security bots 💀

@chevvvv

6 ай бұрын

sometimes I want people like that to point what's wrong with my stuff out, just to make them a little bit better

@fuyuv_

6 ай бұрын

@@chevvvv thats what beta releases, etc. are for

@Buttersaemmel

6 ай бұрын

@@chevvvv and then there are those companies that sue you for letting them know, even if you just accidentially stumbled upon it...

@unearthlynarratives_

6 ай бұрын

It's a very amateur mistake so I wouldn't credit too much here, this should have never worked had this been done by someone with more than 1 year of experience.

@schrenjaminsstift92

6 ай бұрын

​@@unearthlynarratives_even somelne with 1 month of wxperience shoudn't make this mistake. As soon as you know that anyone can send stuff to your server, you should see how this is shitty security

I'm not surprised that Dark was unresponsive after you basically saved his bot from destruction and chaos. Every interaction I've had with him (through the Arcane server), he has been cold and narcissistic. I don't know if that's how he actually is IRL, or if he gets a lot of messages per day and can't keep up with them, but he does not seem like a very good person in my opinion. I am glad that he fixed this huge vulnerability, and I can pretty much guarantee that any mention of this in any of the servers he owns will be met with a timeout or something of that sort. I mentioned the word "bot" in the Arcane server and got muted for 5 minutes for "advertising" as he told me.

@verytuffcat

6 ай бұрын

almost every large bot dev is narcissistic tbh

@Gandalf_Potter00

6 ай бұрын

@@verytuffcat Dark is the only bot developer I have ever directly interacted with, so I can't speak much on that, but I wouldn't be surprised if the reason they seem cold is because they just get an onslaught of friend requests and DM requests. I would imagine it would be stressful to have to deal with all of that. I'm not excusing Dark's actions as he could have at least said thank you, but there might be multiple reasons why he didn't respond other than he's a duchebag. I still think he could be nicer though.

@radiatedcherry

6 ай бұрын

its very easy to turn off those friend request and dms stuff its just their incompetance@@Gandalf_Potter00

@IceBoltGamingIBG

6 ай бұрын

⁠@@Gandalf_Potter00influencers and developers get insane dms and friend requests all the time lol, but not all of them are narcissistic. these type of people are just inherently like that, and the fame is just feeding it

@verytuffcat

6 ай бұрын

@@Gandalf_Potter00 yeah

"am be so so wuh a bo" such wise words from the owner...

@Mightype

6 ай бұрын

It’s something about the word sussy Baka but in reverse

@mohabtameregyptgamer8902

6 ай бұрын

I reversed it and it said amongus sussy baka not kidding reverse the video and you can hear it too

@SleepyMan874

6 ай бұрын

@@Mightypehe said “among us Sussy balls” Lmaooooo 💀💀💀

@BlueYT592

6 ай бұрын

Whice goat will be the next to be my subcriber🤔

@shrimpaerospace

5 ай бұрын

@@BlueYT592 Well i'm not a goat. Maybe the next guy

these recent vulnerability videos have really given me insight on how even the biggest bots can be taken advantage of

@erikkonstas

6 ай бұрын

LOL forget about bots, or even Discord, try to search how many vulnerabilities people have discovered in the major cloud computing providers (AWS, Azure, etc.).

@ItzPubby

6 ай бұрын

Take active steps to protect yourself, you cant let other people do it for you. If you want the server safe and to have these types of security you need to go through and do it properly. the best thing you can do, is be as secure as you can from your end.

@erikkonstas

6 ай бұрын

@@ItzPubby Do you know what you're saying... thing is, bots like Captcha bot have already constructed databases which can help find alts; this is not something you can just "acquire".

@verytuffcat

6 ай бұрын

​@@erikkonstasi honestly wonder how it works tho. can you explain

@erikkonstas

6 ай бұрын

@@verytuffcat So basically the thing stores a number of IP addresses and other characteristics pertaining to a number of "devices" for every Discord account that goes through it, so if another account shares anything in common it is considered to be a possible alt. Yes, it can have false negatives (e.g. the person changes their public IP address) and false positives (e.g. the person is on a public Wi-Fi).

We would be doomed if NTTS started his villain arc.

@YeetDisDude

6 ай бұрын

too bad he cant cause all he knows is how to get spoonfed by women

@norwegiansmores811

6 ай бұрын

yes. and it does not help that he gets treated like shit (ignored) when helping people.

@Black_kot_original

5 ай бұрын

he's gonna start it someday, if he gonna keep being treated like shit

@user-qd6ps7dg7u

Ай бұрын

Xyzeva is gonna be his side kick for sure

@K0ra_st4r

29 күн бұрын

he would be the one who ruins every discord sever ever

I don't think I could've resisted the intrusive thoughts tbh. Good on you, dude lol.

@identifydelaymc3873

6 ай бұрын

xyzeva is a developer on a server Im an admin on lmao

@liquidmagma0

6 ай бұрын

i mean you could have harmless fun, right? don't have to go destructive.

@erikkonstas

6 ай бұрын

It's people like you who are the reason why problems are only made public after they're fixed...

@ectothermic

6 ай бұрын

@@erikkonstas it's a joke not a dick, don't take it so hard.

@erikkonstas

6 ай бұрын

@@ectothermic Literally nobody thinks you're joking tho.

okay so heres the thing, firstly a super big thank you for makeing those videos secondly i get that the dev might have had a bigger thing to work on than responding to you when they first saw it and im happy they did fix it so fast but a "hey we fixed it thanks for saveing our butt here" wouldve been nice

Some servers really are set up horribly, one time, I saw a server where for some reason the owner role, with all perms, was under the member role, which everyone has, and also has perms to manage roles, so if literally anyone looked at the roles, which the member role also has perms for, they could've easily just given themselves owner and destroyed the entire server before the real owner got on.

Once again, thank you for keeping us safe on Discord, NTTS! Shame Discord don't have an employee to do this.

@HeadlessStar

6 ай бұрын

npc

@ashmaniacal

6 ай бұрын

You're an Npc @@HeadlessStar 😂😝

@SilenceBot

6 ай бұрын

​@@HeadlessStaryou have become the very thing you have set out to destroy!!

@HeadlessStar

6 ай бұрын

npc activity@@SilenceBot

@ZickZenniYT

6 ай бұрын

@@HeadlessStar *bot activity

Eva and no text to speech are really helping people on this. the hero's we need.

You can always go the middle route: Sell the vulnerabilty but also tell the owner about it

@seawinn

6 ай бұрын

that's big brain time

@tyx168

6 ай бұрын

i wouldnt even bother telling him about this, i would just look how his bot gets destroyed. he's such a looser for not even answering

@wanderingpalace

6 ай бұрын

just sell the vulnerability to him for 1000 dollars

This is the reason I like to troll the help pages on Dark's Discord server. It makes him waste his time on stupid things that takes his precious time off. I feel no remorse for Dark whatsoever

@epicstar86

6 ай бұрын

Big W

@billyhatcher643

6 ай бұрын

Glad I never heard of this dumbass bot

@_tr11

6 ай бұрын

lol

@leckerp

6 ай бұрын

Did he just hack it for fun?

@KaiDevvy

6 ай бұрын

Am I misunderstanding? All the dude did was not reply to him. Why harass him?

A hacking tutorial 💀

@Serious_noob-1

Ай бұрын

True💀

@UrMom8MyAss

28 күн бұрын

Fr 💀

@_DarkPlays

26 күн бұрын

Not really since the video was uploaded after it was patched

To be ethical or not to be. As soon as you have a good intention, you literally get shit on by life. Honestly, you shouldn't have given away the exploit without getting a response from him, or a bug-finding contract. This kind of vulnerability should have been rewarded. If I made a bot and such a vulnerability was discovered, not only would I thank the user who found it and didn't abuse it, but I'd also try to pay for it or give away premium benefits. What a rat. Translated because i'm not ca or us, just a baguette.

@nwerd7584

6 ай бұрын

I think NTTS makes a good amount of video legally through YT. Probably why he leaves this stuff for other people to make the choice. But not responding doesn't sound like they tend to pay bug bounties. a good team would have probably offered it.

@Buttersaemmel

6 ай бұрын

even ignoring ethics this is just stupid. if you know you get paid out and don't need to fear legal actions if you point out vulnerabilities, you'll probably do it. but if you know you will just be ignored but could instead exploit it to make some money, a lot of people wont care about ethics and decide to exploit. it's just proof for anybody that you'll gain much more from exploiting his products. that's just stupid and for all of his customers you can just hope that no bad actor is going to find something.

@delicious_orange013lol6

6 ай бұрын

P sure the owner doesn't care to fix it and knowingly just lets that be possible

@parapetcloud

6 ай бұрын

​@@delicious_orange013lol6it's best not to attribute to malice, that which can reasonably be attributed to being a complete dumbass.

@delicious_orange013lol6

6 ай бұрын

@@parapetcloud if he's a dumbass then he'll learn the hard way

That is the most pathetic thing I ever seen, like imagine ghosting the guy that help you find a security problem in your code, like imagine this happened again. I'm sure NTTS knows this abt stuff or he knows someone knows this stuff, imagine being so egoistical and risking ur career

@sal_strazzullo

4 ай бұрын

Can't say for sure he ghosted him, he only gave him one day to reply. When my dms are full it takes me two weeks to read and reply to them on average

NTTS Started his own villain arc confirmed 100%

This escalated so quickly.

@TheFakePlayerGame

6 ай бұрын

he dont understand protection LOL

6 seconds into the video and I have to pause to replay it, I was not prepared for this start.

this is epic, guilded is finally getting the attention is really needs, this is poggers

no announcement could mean some servers don't notice the bot handing out the wrong roles for a little while

im starting to think eva is an AI, they have found ways to do this with so many bots lmao

@cylan6914

6 ай бұрын

Obviously she is, girls are not real

@skylarkblue1

6 ай бұрын

AI's pretty awful at cyber security. No, this is just a decent amount of time having fun pentesting lol

@kacperkonieczny7333

6 ай бұрын

NULL

@user-to7ds6sc3p

6 ай бұрын

She does hobby pentesting according to her homepage. And her git shows activity in regards to malware/pentesting and most importantly silly block game.

@_tr11

6 ай бұрын

@@kacperkonieczny7333 undefined

Seeing this makes me glad that I went through the trouble of attaching this one bots permissions to each relevant Channel instead of giving it the blanket permission.

So now NTTS teamed up with hacker-cat-girl pfp and we're getting more videos like this ? love it

At this point, bad security by discord bot devs doesn't surprise me anymore. The bar to making a bot is so goddamn low that incompetent people make bots that get too popular for their own good.

This escalated quickly.

Security Problems in Discord Bots? You're... the One Legend.

Man, you are a real hero! This made me so proud and insipred. Well done bro.

Can you cover the new mobile layout and how to revert to the old layout? It's absolute ass and makes me happy to be legally blind

@TorutheRedFox

6 ай бұрын

trick is to downgrade to earlier version, disable it there, update back and never update again without confirmation that it still exists

@chaos9790

6 ай бұрын

done

@sal_strazzullo

4 ай бұрын

I like the switching between severs and dms, but I absolutely hate the new search and how I can't just type from:someone without it trying to do some Google type of stuff

This is why I don't trust security bots.

I just finished watching this video, and decided to check a few of the bots I have used on servers I own/co-own, including paid, free, and trial bots. It takes a bit longer than this, but some very popular bots(not gonna name them) have some major issues very similar to this one. I tested a method on a server I am friends with the owner on and managed to(after creating a backup server so people wouldn't lose everything) completely wipe the server in the span of 8 minutes. People really need to hire some kind of white-hat to double check that things aren't as hilariously undefended as this was.

This man is an inspect element wizard, and my role model for inspect element.

This shows us very well how life slaps you across the face for just being nice and the least they could've done is a thank you, but apparently thats too much for some people.

Waiting for NTTS's video on the new discord update with the interface

I LOVE THIS. I can spend hours finding vulnerabilities or bypasses like this :). I wish I could do this as a full time job

I wonder if most bots have this exact issue with a similar result after making it think you're the owner and some devs are just too lazy to patch it if they hear about it.

crazy how this guy doesn't even protect his api endpoints

Welp time to raid some Discord servers. 💀

yup. this is why I always set up bots below mods/andmins and above janitors. bots can only be trusted to delete messages and give roles that have no real perms under them.

The "I'm projecting" at the end killed me 😂

NTTS you giving here a good example of people who doesn't give a shit about safty, you did your thing and i proud of you its his problem

Bro went from making videos about discord news to becoming a hacker, well I wasn’t expecting that

I love this guy teaches about cybersecurity whilst entertaining w

from what i've seen (at least on this channel I don't really use bots in my servers at all, and the bots I do use are like, music bots which only need like 1 permission). Most bot developers don't have experience with an internet facing service. If the debug endpoint is there just for debugging other servers just incase there's an issue, why not just have it to where it can accept any ID and auth token, but on the backend it checks if it's the correct user. The code is right there in the page source, it just checks if the userID is the ID if the owner of capture bot, and just doesn't show it if it's not...the actual call doing the debug mode just does it, no other prior checks beside if the guildID is a valid id. What should've been done is, A. don't hardcode the user ID into the check for the User ID someone could just spoof it by just copying it right there B. do other verification on the actual backend. it could be a whole thing where first it sends the request like it does in the video, but when it gets to the backend it'll check multiple things, the user ID that sent the data, what permissions it has etc etc. verification shouldn't be done on the front end.

0:04 says "Among us sussy ba-"

this makes me glad and sad that I am so neurotic about server setup. If I was a bit stupider I coulda used this to get back into my own server but I'm too reserved about permissions so this would've never worked :sob:

Bro has the power in his own hand and shared it

This is literally like going to someone house, knocking on the door and they ask who are you, you say its "me", the very memorable and handsome guy and they let you in

The amount of trolling that will be done is devastating

@thewitchidolsachika6682

6 ай бұрын

The exploit is fixed. The trolling can only happen if something like this is leaked again.

@Pengal25

6 ай бұрын

@@thewitchidolsachika6682 rules of the universe: 1. Trolling will happen 2. If the trolling is stopped, it can happen again

@nwerd7584

6 ай бұрын

@@thewitchidolsachika6682 in discord the only updates shown in the video is they moved around the roles, theoretically if someones already in they could change it back. Unless NTTS didn't show what was further changed.

don't worry, if he was that careless and clueless about security on that matter, he probably has a lot of other holes to patch

never wished to be a time traveler so badly until now

What plugin do you use to check the permission thing? Better discord or that other one? (i forgot the name of it lmao, forgive me)

I…might have to see if I can hire Eva to do a vulnerability check on a project at some point…

@identifydelaymc3873

6 ай бұрын

she is a developer for a server im an admin on

Disgusting behavior. A ‘thank you’ from his response would’ve really shown that he at least cared a bit. Sometimes it just doesn’t pay to have morals. I would have made an airdrop in an NFT server then have drained their wallets.

some time ago you made a video to make your own music bot, in case you find other "selfmade" bots like a reaction role bot and others it would be great if you could make a video about these or atleast recommend them.

@erikkonstas

6 ай бұрын

LOL, those are way more likely to also not be Emmental cheese... 😂

@Signupking

6 ай бұрын

@@erikkonstas i really dont what you are trying to tell me with this comment

@erikkonstas

6 ай бұрын

@@Signupking That the "small" GitHub projects are much more likely to involve proper practices, because once a project becomes big, the focus changes from proper implementation to profit.

love your vids man

NTTS, idk if you still read comments, but are you aware how discord is forcing mobile users to use new ui To explain, now if you change the ui, you CANNOT change back to old ui (im forever stuck in new ui purgatory. Send Help)

Why does everyone do authentication _client side?!_ Like, seriously, that's the oldest mistake in the book!

When I saw the title, I thought NTTS was going through like a villain arc

This also brings to to the question how many other captcha bots are affected by this same exploit.

@_tr11

6 ай бұрын

it's something very well-known, i think this bot's dev is just dumb

@erikkonstas

6 ай бұрын

I'm sure you can find another one in the channel... 😂

To anyone wondering, similar bots exist on whatsapp too. Those bots have a lot more serious vulnerabilities tho (i.e RCE on host machine).

@_tr11

6 ай бұрын

I use WhatsApp, and I think it doesn't have bots unless you are a business and verify it

@SheIITear

6 ай бұрын

@@_tr11 unofficial libraries exists.

It's pronounced as VIEW NOT VUUUU I'M DYING

imagine what lethal problems this issue could cause 💀

Hey whats the dev tools u used at the start of the video? it looks cool I would like to have it pls

I can't believe the owner said the N word

@MarshawnEmpire

3 ай бұрын

Fr

@MODULER3

Ай бұрын

Normal on Discord

@The300thloser

26 күн бұрын

bruh stop spoiling >:(

As a Developer, hacker, consultant. You would be suprised at how many of these APIs are vulnrable to this exact issue. To many developers think that frontend verification is secure. Completely ignoring anyone could send requests directly to the API. And tbh, 99% of these issues come from Javascript developers. They have no idea about secure backend programming. Discord had the exact same vulnrability in their APIs, last year people discovered a new API for model popups, it was completely undocumented and wasnt supposed to be public, but even discord doesnt put propper authentication on their APIs.

@Sammysapphira

6 ай бұрын

It's certainly a js issue. Tons of js frameworks bake back end into the front end like react and nextjs. There's a level of abstraction that non system engineers can't really understand because they think they're writing back end code but it's actually running on the client. It's like giving them a notepad with all your passwords to everyone who visits your website.

the funny thing is the ad before this video (for me) was the advertise for a discord nuking bot lol

@erikkonstas

6 ай бұрын

And here we, yet again, enter the topic of KZread literally letting anything that smells like money slide...

In my experience, frontend developers don't seem to understand security. I once saw a frontend developer generate jwt tokens on the frontend, which means the secret had to be in the frontend, which means the secret isn't a secret anymore, which means no security. Might as well just create a big button labeled "hack me"

1:52 OMFG He pronounced "Vue" incorrectly, as a web developer I'M OFFENDED 😭😭

@release9025

6 ай бұрын

View

Hi (make this famous) Edit : OMG THANKS GUYS THIS IS THE MOST LIKES I EVER HAVE

@-cottoncandy-

Ай бұрын

i will try

its so funny that he puts so little protection into the bots security

Let’s hope there is a Batman out there just incase NTTS turns into evil superman with this someday

Me not understanding anything:🗿 Edit: the most likes ive ever gotten is 11 and its this comment

@ilikejudgesinvideogames

2 ай бұрын

it makes no sense if you’re not a person who programs. like me.

another good reason to not make dashboards :D but fr whenever i got time to publish my bot, its just gonna be command-setting up cuz no clue how to make actual dashboards for setting stuff up

@WindowsDaily

6 ай бұрын

Making dashboards is fine, in this case the developer just made a way to give himself access to any server, but server side he didn't check if it was him, which was the problem here.

just imagine this man going to his villain arc, it won't be pretty...

Can you make a video on the new mobile layout? I just got it and god it's horrible I need help. I did some searches and apparently theres no way to revert it, it would be nice to know i'm not the only one suffering

Damn, that's a real bad one. There must be other giant holes in this dev's projects... Understandable for a "got-out-of-hand" FOSS project, less so for a commercial product with paying users.

When you get tired from telling people how to defend themselves from scams, you become a hacker.

Since auto moderation is something that technology isn't really ready for yet, you should do this to AltDentifier next.

Eva seems to be really good when it comes to Discord. Seems to be in a lot of vids now

As the saying goes, no good deed goes unpunished.

funny how i see the ad of a nuking bot before this video 💀

Literally the least he could've done was say "Thank you." But I guess when someone runs the "most secure" bot, they still have an ego regardless.

I hope you logged out and back in after showing your authorization header as that is your auth token

Bruh, you can definitely protect Vue routes in other ways! And also there should always be an API level securities e.g. protected endpoints based on roles, not by user ID even! Anyways, we need more ethical volunteers to check for stupid vulnerabilities like this... All developers are human beings, they can definitely make mistakes, it's not a thing to feel shy about. Therefore, let's put our hands together to fight the criminals who actually takes advantage of these mistakes... Thanks to NTTS for this awareness video!

@sattlerdevelopment

6 ай бұрын

I wouldnt do it by role ids since someone could exploid the support server and give itself the roles or any other way I would always do it by user ids

@md.riyasathossain590

5 ай бұрын

@@sattlerdevelopment Yes, truly it can be a secure option if you can sanitize website's input cases. Even with user ID, you can add better defences for this kind of XSS attacks. You can add some sort of Server authentications and stuffs (as I noticed the website only authorised the "hacker" by what it sees from the browser's perspective, meaning it's an exploit that can completely be done from the frontend). You can also add Public IP address checking (i think) to notify the developer that an unknown device is trying to connect to the admin portal...or smth like that idk. Either way, there are a lots of measures you can take. (Thanks for the callback, I just didn't think of that exploit.)

@iamerror1699

18 күн бұрын

Why? They ghost you, so why?

A naked man fears no pickpocket.

What's funny is captcha of course needs to fix their bot but this could be prevented by simply putting the roles below the captcha bot not have any permissions. Like a Mod or Admin role should always be above a bot. ALWAYS. It's how I've always done it.

I dont really get how you got all the source code. AFAIK for example with flask the client (browser) only gets some js that is needed to run the ui properly, but the stuff like shown there (actually using the request variable) would never be sent to the client.

The other move would be to capture your request to access that page and change your user ID to the one listed in the code.

The fields are real quiet after watching this

unironically, learning code from you just hacking into these nerds is pretty fun

I NEED TO LEARN YOUR WAYS, YOU KNOW CODING MORE THAN I DID