IF YOU GOT SCAMMED BY THIS, PLEASE READ ME :) 1. Before changing your password, delete the scam bookmark. 2. Then once you do that, change your password.
I'm honestly surprised that people are managing to do this. Most people that try to verify in a server can't even follow instructions to verify by clicking an emoji or copy paste a certain command
ikr? On my MC server, people kept struggling with the verification/discord linking. it literally says in-game "click *here* to get your code" (here being red and underlined), it's written into your chat to copy paste into Discord. nope, too difficult. some people are dumb.
Because their employees are entirely incompetent. Discord support is almost non existant, and when you do get a reply it's some half assed copy pasted crap.
@@stars227 Yep, exactly. And the only features they work on are the ones people aren't asking for. I had full access to my account, but needed them to change my email address because it was no longer accessible, and they told me to create a new Discord account. Their support is useless.
I dont know what discord employees you guys are emailing, but back when i got hacked they replied back in two days and disabled the 2-factor authentication the hacker set up on both of my accounts (yes i got hacked on 2 accounts. Im a bit stupid)
Also of note: _Reauthorise YAGPDB if you have it..._ it doesn't actually make use of the *Join Servers for you* permission, and it's been removed from its default scope for a while now... 😅
I deobfed and reverse-engineered the script, and here's what I found: - The JSFuck portion of the code evaluates to "fortniteamongustycoonlol" (from a base-64 decode.) - The RE protection is more clever than one might think; the globals array is mutated until a specific alignment is reached. - The script registers its own module into Discord to access other modules. - The script can detect said module if the code has already been run. - jesus fuck it was annoying to reverse-engineer
So basically. A basic feature on most browser rats them out? That's kinda cool. Imagine being a hacker/scammer and you got ratted out by a simple function like hovering over a bookmark.
4:35 yes it is possible actually, honestly it's very likely to happen considering fact you won't even realize what thing added you to some weird server BUT that's very much all they can do by authorizing you to their app (again, only by authorizing you, of course they can do everything when they have your token)
I think they WOULD want your account. Seems like you have so very valuable information on how to get a girlfriend. Those scammers will need it to actually get a girlfriend.
I think the tokens are fine, but only if they are wholly unique per device. If the same token shows up on two devices, the system should immediately deauthorize it.
@@mallusrgreat thats not what they mean its per device so each device has a different token and if one is stolen off one device you would then have to relog in because the token was stolen on that device.
This scam exploits the fact that if you put "javascript: (code here)" into a URL bar in a browser, it executes the code on the current website. You can try it here on RU-vid, actually! Try copying: "javascript: alert('Hello, World')" into your browser bar (without the double quotes). It'll create an alert popup. Now, where am I going with this? A bookmark is basically just a hyperlink embedded in a bar in your browser. If you click on the bookmark, it'll bring you to whatever page you bookmarked, just like a link. The catch is, that also means if you put JavaScript in a bookmark, it does the equivalent of putting the JavaScript in your URL bar (There are intentional versions of this, called bookmarklets. They can be useful, though they aren't malicious, they're basically just advanced JavaScript macros). Additionally, the JavaScript in the URL bar can access all of your local client data, due to JavaScript giving any other script running on the page access to the scope. So, how do you protect against this? There are two main options: 1. Don't add/open any bookmarks you didn't create yourself, or you haven't checked over to make sure it's safe. As I've said, not all JavaScript bookmarks are bad, but they often can be, so be cautious and check bookmarks you didn't create. 2. Don't use a Chromium browser. I'm not sure I know of any Chromium-based browsers that aren't vulnerable to this, as they all support running JavaScript in the URL bar for some reason (You shouldn't use Google Chrome anyways (has Google trackers embedded in the browser, terrible performance) or Opera (purchased by a chinese consortium and contains injected spyware), Edge is fine for now). I highly recommend using Firefox as your primary browser, no matter what, as it's more performant that Chromium, blocks these sorts of attacks, prevents trackers from following you on the web, and doesn't track you itself. You'll be much safer on the web using it. Edit: Oh yeah, forgot to mention, these attacks can also be injected in hyperlinks or buttons. This is why sites typically don't let you manually create them, and if they do, they filter them. You can set a button's "onclick=" to JavaScript, just like how you would in a browser bar, and you can set a hyperlink's source to JavaScript, and it will do the same. If sites let you create hyperlinks manually, you could quite literally steal people's usernames and passwords with nothing more than a hyperlink.
I didn't go through with it, but I searched for the suspiciously dangerous "verification" method from the supposed MEE6 bot and found it described here on your video. Thanks. When Discord server admins have their Discord token stolen it's "hell to pay" in their community as admins get kicked from their own server!
It's incredibly stupid that JavaScript bookmarks are still a thing. They're pretty much completely obsoleted by extensions and pose a huge security risk.
I use JavaScript bookmarks for automation tasks, but then again I'm a nerd who uses JavaScript for automation... Just like every tool, they have a use, and just like sledgehammers they can be misused to devastating effect.
Discord needs to fix these scam issues one way or another. If they don't do it soon I don't see it going well for Discord in the future. or alternatively, people can just use their brains :P
Being a verified bot developer i know for fact that bots cant send messages or make you join servers! Dont click on sussy links (make sure the dashboard links do belong to the bot , the domain of the url should be accessible by some command) Thats it.
thank you for covering this, its been happening to me, i turn on my phone and im in a rando server ive never heard of, but i didnt do the bookmark thing, but thanks to you, i fixed it
I thought dyno is a very safe bot so i press into the link and do everything it ask. Thanks for posting this video to let me know that its a scam. I've always wondering why there is new server when I turn on my laptop.
@@chri-k normally my school wouldn't allow my chromebook to use the inspect element. By using a bookmarklet I could use it and return the output using an alert.
hey you were right about the authorization part the only thing is they can also add some weird things which basically access your ip and sell that stuff because that all can be accessed through the console too and other stuff. surely not written by an java coder.
nobody is gonna sell your ip. it's not a 100% accurate indicator of location and it gets changed periodically by your isp. also your ip is given out to literally every single website you visit so it's not hard to get either
@@dylon4906 That is not entirely 100% true. Your IP is basically your web address and it doesn't always change. For example, I'm still living with my parents right now, and they don't pay for a static public IP address, yet the public IP address hasn't changed in years. Not to mention that the only time it did change was with a new router on a new package with a whole new configuration. Unless your ISP is different, IPs are still a great resource to track people across websites and harvest data for purposes such as advertising and identity building. Your IP is not always geographically accurate, but it's also generally pretty easy to decipher what ISP is providing your service, and with a little social-engineering or backdoor services, you can find out exactly where somebody lives. It's less common nowadays, but this was a bigger problem 10 years ago.
I'm amazed and baffled that are a feature in . Does anyone use them legitimately any more? But to answer your question, yes, they do see use from time to time. If we removed every feature just because a scammer used it at some point, we'd stop using computers and mobile devices altogether and be left with old analog TV sets. Oh, wait, those are used for scams, too, only they call them "advertisements".
those x blocks are characters like "f" or any unicode character, but its a link that a computer use to get a character from it's memory instead of displaying. Mostly used for unicode characters that aren't on a keyboard.
i would have never for the life of me thought you can run js code just in your bookmark, lmao! imo every web browser need to either run a check on the js script before putting it into the bookmark, or just straight up disable the feature. these scams man, they're getting quite wack
It does! I have a few bookmarklets for things like special static URLs (such as Wikipedia's /wiki/Special:Random), utility functions (such as evaluating code quickly/on mobile, bypassing some adblockers, or loading an external script), etc.
not only chrome, any browser can run Javascript from a bookmark. Mozilla has a whole guide on how to use them. It’s a unique way to replicate extensions without having to publish your extension to the web
Damn, these scams are getting so obvious i can't even make a legit Wick verification system because people are leaving because they think it's a scam on first sight, now Dyno too?
is no one going to talk about how that one notepad++ page he has open says "hi what is up guys today we will be making a tutorial on how to talk to girls"
I think it's using a thing called JSFuck, its a version of javascript translated to the 'brainfuck' coding language (thats what all those []{}()!'s are)
no, JSFuck is regular JavaScript but you abuse type nonsense and class nonsense to make it extremely unreadable, and it ends up looking like brainfuck as a side effect
