i just saw a vid on youtube :
http://www.youtube.com/watch?v=embdtwW-sSE&feature=channel

question : how do someones make those thumb-ups ??? 20,000 and more ?
is it real to hack youtube ?

Lol, did you just post the wrong link or what 8-) ?

technically correct link as this is the one with thousands of thumbs up.


But the content....

well .. i do not care about the contet of this video .... but those thumbs ups .... how they do it ? is it a simple scipt ?
this video is really a shit .... and it is unbeliveble, that this video has so much thumbs up ! so : what is the magic ?

Ah, I wasn't looking at the thumbs .

But the video has been watched by more than 2.8 million people, so it could be possible to have 15000 thumbs...
Then again, maybe it's possible to use a proxy and do the thumb thing again.

yes but it is still a lot of work unless it can be automated. I too think it is because of the number of times this has been seen.

20000 is only a small fraction of 2.8 million

anyone maybe try using an automated app to use google translate as a transparent proxy and just replacing the x-forwarded-for header? simple loop, simple random ip generator...

am i just blind or what are the thumbs-ups you guys are talking about? do i need to be logged in to see them? (ie. give a rating?)

look at the comments below the video

people can rate users comments with 'thumbs up' or 'thumbs down'

well, it's definitely not to do with url-tampering in the xmlHttp requests. i've fiddled with all the possible url parameters.

if, however you manage to get a csrf or xss hole, and there are a few i know of in youtube, you could embed it using something like <img src="http://uk.youtube.com/comment_voting?a=1&id=[commentID]&video_id=[videoID]&old_vote=0">
both the commentID and videoID can be extracted from the page source as the javascript link, but i'm sure you can figure that out. easiest way i know of is to use firefox with the firebug addon. or just search the page source for the voteComment calls. did this help?

EDIT: alternatively, if you want to sabotage your rival's thumbs-up hits, just change the a=1 variable to a=-1. also, as far as csrf and xss goes, it'll oly give one hit per user, and they have to be logged in for it to work. if you modify the a variable (and this includes null byts and csrf injections) it'll only return an error and no hits will be added, whether negative or postitive.

EDIT II: please don't ask me to disclose the csrf or xss holes. not even through pm.