I exploited existing YouTube videos with a fake Patreon profile
lucas03.comI find this partially interesting but mostly lucky.
I don't see this hack raking a lot of dollaroos. "stealing" someone's account would be far more dangerous. That said I'm surprised that Patreon will just let people recycle accounts like this without even a second step.
This is no different than DNS parking after a domain fell off the wagon, only with direct revenues.
Not lucky- just deceptive. Deception is what scammers do, and they do it because it’s guaranteed to make money, not because they hope to get lucky.
I’m not advocating this. Doing this was wrong, and it’s not some black hat exploit. It was a scam; pretending to be someone to make money off of an unwitting victim.
Interesting! Lot’s of more active scams like this happening in merchandising. I started doing merch for YouTubers back in maybe 2007 and in the last 3-4 years the scams have really picked up.
For some time the most well known youtubers would receive spam replies on all of their tweets with links to counterfeit merch sites.
If you search for the the top handful of YT creator names on Amazon or eBay you’ll find loads of bootleg merch (sometimes with hundreds of reviews!)
Digital locksmiths here are generally applauded as ingenious. This tale is not at all surprising except that the OP fessed up in the end. The morality aspect is moribund, in an ocean of tracking, data mining, fake accounts, yes fraud, and the general disregard for other peoples hard work (those you don't see, you don't feel for).
is this an exploit I remember there was an "exploit" that reregistered the urls from old tweets of celebs or verified users that had used now expired link shorteners
The technical summary here seems to be: patreon shouldn't allow usernames/url slugs to be reused.
Wire fraud attracts fairly stiff penalties....
I'm not a lawyer but I got lawyer-nervous reading this post.
That’s because it’s fraud.
Nah. It's not fraud if they don't get any benefit from it. Since they refunded the single, solitary person who pledged $3/month, then shut it all down, it's all good from the fraud angle.
It's wire-fraud and it's a federal crime. "Refunding people" doesn't change the fact that a crime has been committed, period. This isn't a legal advice.
I am not a lawyer, but I doubt refunding your fraud victim after the fact gets you off the hook for fraud. If the victim or the police wanted to pursue that.
I think it might make it difficult to prove intent to defraud if you immediately return the cash. Is it theft if a magician picks your pocket but then returns the wallet at the end of the trick? By the most technical sense of the term, it might. But i can't imagine a prosecutor that would go after something like that.
I see what you're trying for but I don't think the magician analogy is accurate. Bare minimum you agreed to sit and watch the magic show, and every time I've seen a magician involve the audience they always start with "Can I get a volunteer?", at which point it's clear you're a willing participant (yes, you don't know what's about to happen, but the magician gives the wallet back after so it's clear about the entertaining show and not an example of the magician attempting to commit a crime)
> Is it theft if a magician picks your pocket but then returns the wallet at the end of the trick?
If a "street magician" randomly picks my pocket out of the blue, you can bet I consider that theft, even if they give it back afterwards. They'd better get my consent to do anything with my person or my property.
Clearly there was no intent to defraud. He was testing for a security issue and promptly returned the money of the one person who was fooled.
A dead comment asked if stealing 100 dollars if fine if you give it back.
So I'll chip in that for basic theft, one of the core elements is intent to permanently deprive the original owner. So if someone steals money, changes their mind, and then returns it, that's still theft. And taking money to spend, with a promise of returning money later, still counts as theft. But if the intent all along was to return it the next day, stored safely the entire time, that's not theft.
Obviously intent is hard to prove, so don't try to pull that off without a lot of evidence and/or a very understanding target.
> But if the intent all along was to return it the next day, stored safely the entire time, that's not theft.
Legally, this isn't even remotely true.
If you deprive someone of their legal possessions without permission, even with intent to return it later, you are guilty of theft.
There is no loophole that allows you to temporarily steal things as long as you intend to return them.
Intent only comes into play if the person had no intention of depriving the other person. An example would be if you accidentally pick up someone else's jacket because you thought it was yours.
Permanent deprivation seems to be the more common standard as far as I can tell, not just deprivation.
The difference isn't a loophole.
I'm fairly sure if you steal something with the intent to return it 5 years later you will still be charged with theft.
No, theft is theft, regardless of whether or not you return the item later.
There is no loophole that allows people to temporarily steal things as long as they kindly return them later.
The parent isn't claiming that it's legal to take something so long as you have intent to return it. Just that the standard definition of theft requires "permanently" as an element, and maybe taking something temporarily would be some other crime.
See the model penal code[1] "(1) "deprive" means: (a) to withhold property of another permanently or for so extended a period as to appropriate a major portion of its economic value, or with intent to restore only upon payment of reward or other compensation"
See [2] which mentions the "permanent" requirement three times.
[1] https://archive.org/details/ModelPenalCode_ALI/page/n207/mod...
[2] https://www.findlaw.com/criminal/criminal-charges/theft-over...
We’re so deep into pedantry that we’re missing the point of the conversation.
To clarify, most jurisdictions have definitions of theft that will be true even if you only deprive the person of their property for a short period of time:
> Today, many states have extended the definition of theft to include depriving the owner of the property even for a short period of time, thus rendering unauthorized borrowing as theft.
From https://lawshelf.com/shortvideoscontentview/theft-crimes-a-s...
So yes, maybe there is some jurisdiction somewhere that wouldn’t define unauthorized borrowing as theft, but chances are good that if you borrow something without authorization, you can be guilty of theft (among other things) in most jurisdictions.
> No, theft is theft, regardless of whether or not you return the item later.
Theft generally (specific statutes may vary!) requires intent to permanently deprive; if you don’t have that, its not theft.
It may be another crime, and its almost certainly the tort of trespass to chattels, so its not “allowed”.
Everyone in this thread should read
www.criminaldefenselawyer.com/resources/criminal-defense/criminal-offense/what-difference-between-joyriding-stealing-a-ca r
How was this fraud? He simply created a Patreon account. Yes, it happened to be used by someone else previously, but how is that his fault?
> Yes, it happened to be used by someone else previously, but how is that his fault?
Fraud is deception with the intent of personal gain.
He wrote and published an entire blog article entitled "How I exploited existing youtube videos with a fake Patreon profile" in which he describes how he registered a Patreon account with the expectation of deceiving users into sending him money.
Didn't he also use images from the youtube channel to make the patreon account look like it belonged to the youtube user?
Why are you asking me?
it's called "responsible disclosure" though this is not 100% responsible. lol
"I discovered this neat new hack called 'fraud'"
He confesses that it was a black hat "proof of concept", but he's refunded the money and reported things to Patreon.
Patreon, and ANY website that has user's profiles as permalinks, should reserve ANY account name that has been deleted to prevent squatting.
I'm not sure how this works with the right to be forgotten laws though; I have a gut feeling that you can have your profile deleted and the leftover URLs and permalinks just go to 404 or other kinds of placeholders.
Wouldn't the proper status code be "410 Gone" in that case?
Then you are leaking info about previous (or private) existence of the resource. If I recall correctly github does 404 for existing private repos, for example.
This post is wild. The author does not seem to realize they are confessing to a relatively serious crime, and even calls it a "profitable business"!
The writer at the end refunds the money and messages Patreon to fix the issue, I think that would go massively in his favour in the rare change it ended up in front of a judge.
Yes, this is called white-hat or ethical hacking, a well-established concept even at the government level.
I was going to leave this alone, but it's important to point out this is not white hat..
This world still be black hat (or arguably grey hat)...
White hat would have been realizing the possible problem and informing the company without actually making the account (or, with only making the account or prove the link, but not taking money from anyone)
You could possibly argue that if the author "cheated himself" only, that's okay... E.g. paid themselves through patreon... Assuming the author eats the cost difference and doesn't refund.
The author actually defrauded unaware visitors, intentionally, he has caused harm to them, patreon (financially or good will/name), and the money transfer networks; this is at a minimum grey hat... Sure, the end user donating was made whole, but other business entities were harmed... Someone eats that transaction fee.
No it isn’t. White hats are very careful to ensure that their work does not affect other people. “I gave the money back” isn’t good enough.
This is not always possible, however. How should the hacker have proceeded in this case?
By stopping. If it is not possible for you to penetrate a service without causing disruption or harm to others, then you stop. You could reach out to the business and say "hey, you should consider checking this out" or asking if they offer some sort of test system for pentesters. But sometimes the result is just to not proceed at all.
If he'd _needed_ to test payment (arguable), he could have created a 'real' account, deleted it, squatted his own deleted account, and sent payments to it himself.
Pushing beyond the account creation step wasn't necessary. Enabling the payment functionality is where it deviated into black hat territory.
Legal consequences aren't the only form of consequences. In this post the author mentions their (legitimate) business.
If I was a potential customer looking into said business and found this post I would be very offput by the lack of morals. The strongest condemnation we receive for literal theft is they "didn't want to", the author barely even seems to understand why their behavior is immoral.
Did you read the post to the very end? I don't see anything immoral, he just spotted a weakness in Patreon, warned Patreon and wrote a blog post about it. Nothing wrong here.
Yes, I did read the post until the end.
The author makes no mention of warning Patreon about this weakness, unless you're counting this blog post as the warning.
They clearly attempted to impersonate the original owner of the page, using a description and artwork suggesting they were the original owner.
The second to last paragraph features the author fantasizing about how much money they could make by defrauding people. Quote: "This plan could be pretty profitable!"
Like yeah, in the end they took down the page and refunded the patron. But the author made the wrong choice at essentially every step prior to that moment.
The author didn't just "spot a weakness in patreon", they attempted to (and managed to) commit wire fraud. The fact they had little success and later returned what they stole is relatively little consolation.
You're right, I'm the one who misread the end, I thought the author said he wrote to Patreon, which doesn't seem to be the case. This is not great...
Not as uncommon as you think. Many people realize without knowing much about the law that breaking the law can be a great business plan. They just converge upon ideas that are illegal naturally and unperturbed by the potential problems.
Ironically this is also a bit of an entrepreneurial advantage. A trained corporate management drone will be aware of all the bad things that can happen and has been paper trained by lawyers to be frightened of doing anything illegal. The sweet spot is when it's something that's just slightly illegal or just a matter of civil law, but the danger zone is in something like this which is just fraud.
They "made" €3, which they refunded.
Social engineering is a hack.
I never said it wasn't.
I am just saying that in security, while it can be very difficult to always find where the line between ethical and unethical conduct is; and what will get a company to pay attention to an issue without getting yourself arrested;
What I AM saying is that this person blew so far past that line that I wonder if they are even aware that one exists. All without even considering that, maybe, "that time last week when I committed wire fraud" probably isn't the best topic for a blog post.
Do I think that the author was acting maliciously or in bad faith? No. But the US justice system has a really nasty habit of not taking facts like these into account; as Aaron Swartz tragically learned.
Tl;dr "it's just a prank, bro" is not an effective legal defense, and prosecutors fucking LOVE convicting hackers.
Not legal advice.
Why fraud? If we are talking about criminal law, the requirements to convict a person are strict. In this case the author has not claimed neither on Patreon or YouTube to be someone he is not. He has not falsified any data/documents and has not stolen any account, since the one he claimed was available.
Sketchy? No doubts. Fraud? Doesn't seem like it at all.
> In this case the author has not claimed neither on Patreon or YouTube to be someone he is not
I am not a lawyer, but using someone else picture and name sounds a bit of "claiming someone you're not" to me :)
In the UK it could be technically counted as fraud by false representation. The legal hurdles for this are:
* The patreon page was misleading (this post shows it was, including the use of old links and imagery to show association to a YouTube channel which was false)
* The person making it knows it might be misleading (they did - they said so in this post)
* The intention was to make a gain in money for themselves, others or to cause a loss to someone else. This includes situations where the gain in money is only temporary (again, technically yes.)
https://www.legislation.gov.uk/ukpga/2006/35/pdfs/ukpga_2006...
I'm not saying they should be charged with it as clearly they didn't mean to cause harm and were doing it to raise awareness, but it does seem to fit the definition.
Simply putting your name on patreon to be someone else's youtube username, and doing so deliberately for financial gain, could be considered fraud...
best marketing strategy ever
however, what you are doing is illegal...
This is just fraud nothing more or less. It's not even that interesting of an exploit and especially not worthy 689 words.
please submit this to HITB white papers - https://twitter.com/HITBMedia/status/1359324451976843267
You'd think somewhere they'd expand what "HITB" means.
As far as I know it means “half in the bag”.
In this context it’s Hack In The Box, a security conference.
ps: you should consider automating the process.
a bot that: 1. scraps all pateron links 2. check if they are dead to claim them 3. of a famous channel 4. profit $$$
Can he automate his prison time too?
Not related to the subject of the post, but for anyone interested OP seems to run a stock portfolio tracker for dividend investors, which he mentioned briefly (his blog mostly concerns his investing endeavors). It seemed pretty cool to me and is in need of support, so I'll leave the link here: