i absolutely love hackers who find a vulnerability for a bit, have a little non harmful fun with it and then report it, best kind of hackers
they are called white hat hackers by the way! the other ones are called black hat hackers
yup, my uncle is a white-hat and he is such a great guy, seems like an awesome job (yes you can get paid for it i think)
@@terrariapro147 Yes you do and it's a lot
"No! You have to obey me!"
The seven hackers with rainbow colored hats:
@@chocolateimage Just use white and black, no need for hats.
imagine working your ass off making a discord activity and getting it hacked by a guy called "bob the hacker" 💀
😭😭😭😭😭😭
bob the builders new episode looks good!
how the fuck do you manage to make these connections 😭😭😭😭😭😭
IM DYING LMAO 😭 🤣
didn't work that much of their ass off because there are such simple vulns. i know it still requires quite a lot of work but not THAT much
from cheating to hacking, this discord activity caught lacking
Fire
In
@@Rift0567 base
Better than thick of it
Yes
Firebase misconfiguration is surprisingly common, firebase is an absolute pain to set up correctly as it's really confusing and easy to mess up, it looks like that's what happened in this case. Arc browser even messed this up recently
E
BaaS = we can't even be bothered to write and setup our own backend, so we will definitely be bothered to figure out the convoluted security settings of the BaaS platform we are using. Pinky promise
My farts are better than No Text To Speech’s farts 💨
it's been more than 6 years, i wonder if they finally fixed the problem where the mismatched system clock timestamp returns the issue as "ERRCONRESET" with no feedback on what the problem actually is. trying to use Firestore in particular was hell back then.
unless i'm really confused, the last person mentioned in the video, xyzeva, is the one who found and got rewarded for the arc bug
I always thought to cheat you just had to type "...granting/ensuring my survival" at the end of your sentence. Always worked like a charm for me.
Master Chief Armor Lock had a 99.9% success rate for my friend group
i just said "and i surveiv"
I just used minecraft commands
that or literally typing that you will not survive and it makes you survive. lol
I managed to survive by ‘channeling my inner Goku’ and flying. That’s my personal favourite survival method.
"can we hack it?? yes we can!!" LMFAO
He has a very good motto ngl
Cry about it
@@Heavygunner_rky You’ve got a point
bought account
My farts are better than No Text To Speech’s farts 💨
A way to cheese at least standard mode is to mention God, or religion in some context. Was so consistent my friends and I agreed Godmaxxing is unsportsmanlike
naw bro we tried that so many times it works for a while but after some wins the ai just shits out a way to defeat god itself
when it first came out goku was the instant win
I always said I'd just walk out / teleport away and touch grass, it failed once in 39 games lmao
For me marriage never failed NEVER same for paddington 2
for me and my friends, mentioning a JoJo Stand guaranteed a win, it was the funniest shit ever
The first half is classic client-side cheating. Not much different than CheatEngine. Nothing wrong on the devs.
That second half however, oh boy...
I mean, its not too hard to add a sig to things (which they should do because these can be broadcast to people under the name of the bot devs/discord)
thanks for telling me to skip half the vid
@@skybird23333 I still think the way BobTheHacker went about cheating on the client side is pretty interesting and can make for interesting result. But up to you.
I love bobdahacker, their banner being tally hall plushies, their PFP being an incredibly cool Bob the builder. The description makes it better. I love this guy. Please god keep them alive and hacking for many years to come
the fact the ai voice singing thick of it sounds better than ksi singing it himself 😭
The song isn’t bad
@@elitemoderntvman about 98% of the world disagrees
everyones opinion matters tho :3
@@elitemoderntvman Epic opinion but I disagree
the song isnt bad just mid
just really mediocre
The first part of the song where KSI sings, isn't bad. It's not something I'd listen to on a daily basis, but it's fine. The other guy's part is bad though.
i imagine discord staff just chillin' there while their activities are being hacked by 3657 different people bruh
Discord is slowly dying and next year it will be for 5 year old
nothing to do with discord, it's Playroom's issue
@@rxnniiee They exposed project keys in their APIs, that's not just an issue, that's pure stupidity
@@AOSP-is-still-Linux my point was that it's nothing to do with discord
@@Corupptedmind Next year, it won't be for 5 year olds. Based off of that grammar and the fact Discord is in fact, not dying but the staff just doesn't give a fuck, says that you didn't fact check yourself and also didn't really try to make a relevant reply.
death by AI can sometimes yield the dumbest results. Met a clone of myself, happy ending and all, and then suddenly they spit out "Xeros did not survive" at the end whilst the story insinuated i definitely did not die lmao
meeting your clone never goes well.
Two possibilities, assuming one of the two died; either the "original" died, or by cloning yourself you now had two fail conditions by having two "yourself" entities.
... Client _secret_ in _plaintext?_ Oooooooof
Also, as someone who is mildly technical, I think you described the chain of attack really well; You managed to show off the entire cyber kill-chain and still managed to make an entertaining video out of it.
Plus it's a good insight on attacker methodology, which is always a good thing to get. Pivoting is hard :< lol
as an IT student, this was pretty educational n entertaining indeed
from the beer to the keys to the car to the tree
🗣
😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂 6😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂 6😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂
My farts are better than No Text To Speech’s farts 💨
this is rizz approved
wait a minute i remember saying that
there is a bot in these replies, don't respond pls
NTTS: *explaining*
Me: Wait, Discord has games?
Yes that's what I thought 🤔
how long have you used discord?
@@MountainPieEnjoyer 2017?
@@MountainPieEnjoyer I'm not the original commenter but I found out discord has games about a year after signing up
@@MasterRX56 I'm very surprised then, they've been out for almost 2 years. Just join a call and then there should be an activities button. (games)
You could make it so there's a 1/20 chance that someone will get the lyrics to Thick Of It, losing in the process and they'll never know that you're the one behind it.
0:22 IS THAT A TALLY HALL PLUSH BANNER???
Holy shit!
Yah, he's active in HITS
YEAH LMAOOO
I DID NOT EXPECT TO SEE TALLY IN A NTTS VIDEO
I'm now imagining him listening to Tally Hall, while doing this
:o
6:52 Front-End is the part that the user sees, Back-End is the part that manages everything behind, such as the requests the user sends to the page. It is used for reactive content, like showing your name in the page when you enter a page you're logged in.
The beginning is wild😭🙏
sick of it
From the screen to the AI game to the cheating to the hacking
Casting the Teleport spell is op and wins so often that my friends sometimes explicitly write no magic into their prompts
I was about to say is that a thick of it reference?? Goddammit my mind is shit
(It is)
Same bro I saw the notification and the end part didn't show up
Was about to say that
peak discord
????
What do you mean?
0:27 THE FUCKING TALLY HALL YOUTOOZ PLUSHIES AS THE BANNER IS FUCKING FIRE WOOOO
TALLY HALL MENTIONED 🗣🔥🔥🔥
@@Megastar54 YEAHHHHHHHHHHHHHHH WE GON PLAY IT ALL
he had such a great opportunity to rickroll everyone that has played death by ai, it wouldve been so good
No
@@inkedthedemon no, it's a yes
yes
tally hall spotted in the wild!!!
I love tally hall
They like to play it all (and hack it all)
It feels so weird seeing tally hall stuff in a random video I decided to watch
Unironically this was my favourite activity, especially with how stupid of a prompt you could put and still survive
yeah, i got "you are sky diving and your parachute fails to open"
I responded with "land" and survived
I immediately love this hacker not because of what they did to the discord activity, but because of their Tally Hall banner
Other discord activities aren't likely to have such obvious vulnerabilities because Death by AI, and games using generative AI in general, are made with as little effort as possible. It takes more than the ChatGPT API and a discord bot to make poker or chess.
I was watching one of your other videos and didn't realize this was a recent upload until the beginning gave it again. That was my notice to finally subscribe to you.
Should've done that earlier but go figure
It's so heart-breaking to see him upload even after the incident, he truly cares about us 😢😢😢 Fly high NTTS, we won't forget you 🕊️🕊️🕊️
what?
wait tf
what incident
what
@@NamelessKeed No text to speech touched grass, annihilating the discord moderator out of him which leaves him unable to make discord videos. These videos are prerecorded.
Tally Hall in a NTTS video is wild
Discord didn't have the vulnerability, it was a vulnerability with playroom itself. And taking 20 minutes to fix such a gaping security hole is not evident of a good job, it goes to show how easy what they needed to do from the beginning was.
BOB THE HACKER IS A GOSH DARN TALLY HALL FAN HEHEHEHEHEHHEHEHEHEHEHH
We're in the mini mall
@@bobdahacker working in the carnival
@@bobdahacker lmfao
@@AnonWH we like to play it all
@@kareru_mustard2084 welcome to tally hall
That is a critical vulnerability, it's a technique called Broken Access Control. 11:27 is the most frightening: anyone who launches the game could have their computer botnetted, or worse, ransomwared. Huge props to bob for making the exploit known to proper channels.
Not quite, it would be able to do whatever discord activities are allowed to do, but i assume discord has them sandboxed in one way or another for good measure.
@ That’s what’s frightening about it, that’s RCE, could be used to bust out of a sandbox, or establish a shell.
@ not to mention the amount of RATs that utilize discord makes me highly suspicious there is any kind of sandboxing.
This is why I refuse to use any discord app with special perms or wants my email. Think of all the apps that get hacked this easily and has your email saved in a database
i like how it went from "you can troll your friends using cheatengine" to "you can nuke every discord activity, scam half of users on discords platform and create discords biggest hacking incident of all time"
i love how a lot of cybersec vulnerabilities always involve firebase nowadays
wasnt there one with the arc browser
lmao so true
@@melta yh lol and its never the fault of firebase, rather the devs at arc and here for not setting up the correct security rules etc. hence why this "bug" was fixed "so fast"
@@okage_ It's 100% firebase fault imagine having the default option to have everything open and public by default instead of Idk more sensible approach in which you have to explicitly give access to resources
@@4livetv934 And imagine you're quickly trying to prototype something and you're constantly needing to tweak your access rules. One of the advantages of NoSQL databases is that there is no defined structure which makes it really easy to change and try different ways of structuring your data and stuff compared to a more traditional relational database using SQL. In firebase's defense their docs clearly outline that everything's open by default and don't recommend it for a production (prod) environment, even giving you the rules you need to completely lock it down (IIRC the dashboard might even give you a warning).
"Can we hack it? Yes, we can 😎" there's no way. I'm dying LMFAO
5:39 when NTTS said this, it touched my heart
Nice
He touched me on more places than my heart
@@fallkey4822 ayo
I could binge watch your videos for hours
0:24 HALLY TALL
real
NTTS I love you man, but that intro is unforgivable, can’t believe you’d force that song upon my ears!
5:58 tally hall tally hall tally hall tally hall
Getting a casino ad of someone winning at 10:02 is quite the hilarious timing
I like how in death by ai you can just say "doesn't lose" and tadam you win, i managed to make my friends mad
I absolutely HATE death by AI. My friend got struck by a world ending meteor on the most intensive prompt and LIVED?! And I died.. from a frisbee.
🎶 Bob, the Hacker 🎶
🎶 Can we leak it?! 🎶
🎶 Bob, the Hacker 🎶
🎶 *YES, WE CAN!* 🎶
Having Death by AI recite the "Thick of It" lyrics at the beginning and NTTS laughing as it did was more than enough to send me to the floor... 😭😭🤣🤣
0:23 Tally Hall spotted
Yeahhhh
OMG I JUST REALIZED THAT
for some reason I thought I was watching Fireship so I got really confused when you said you had never heard of firebase before
The moment I heard Firebase getting mentioned I knew eva was going to be involved
it is the firebase saboteur :3
as a dev, with all the firebase stuff coming out in recent time, I "oh nooooo"-ed the second i heard firebase
Me and my friends found that either telling a trusted adult and saying you dont consent or straight up saying i have a "anti-___serum"
you mean these make you win the game?
@@seaofmadness420 yeah mb all for just not adding that
Can't forget random glitches. Once played it with a few friends and, despite saying someone had died, *they ended up living anyways.*
15:07 i wonder whats for dinner
My new favorite YouTuber, keep on going hopefully you'll reach 2m subs in no time
So is this why on Halloween when I tried to play Death By AI, Discord said I started the activity "NoTextToSpeech is a Femboy UwU"?
Its crazy how I've probably heard "I love you" more from notexttospeech than an actual girl
Eva... firebase's worst nightmare
i remember my friends got mad at me because i kept on saying “Nah, I’d Adapt” and survived most of the time
Basically at 8:00, bob wanted to check what could be accessed
Didn't want to confuse yall so
"does firebase lose to waterbase?" is diabolical💀💀💀
Just got KSI-ed and brought into the thick of it...
Fly high NTTS, we won't forget you 🕊🕊🕊
This video had hell of a start oh my gods
Alone Bob himself, did all that, and yet, with great power, comes with great responsibilities. And Eva teamed up with him? Truly one of the deadliest duo in bug catching.
Nah That beginning was insane
“did your player die?”
“alas, yes, but they survived!”
While this went over my head way more than most videos... the one takeaway I have is that, omg, I had no idea this "Death by AI" party game was a thing, and it's easily the best use of AI I've seen so far.
I managed to win 90% of the time by using the power of friendship. Yeah, my strat was swiftly banned by my friends
AI could literally sing “Thick of It”….
*Thats all I ever wanted*
same
AI covers are all the rage rn
I don't know if I should be happy or sad that I completely understand everything 😭😭😭
Did the cheating part get fixed? Because when I use the Requestly rule everything turns white instead of showing people's survival strategy.
i think it did get fixed, i also get a white screen whenever i use the requestly rule
0:01 from the 📺
to the 💍
to the 🖊️
to the 👑
where’s my 👑
that’s my 💍
always drama when i 💍🔥🔥🔥🔥
from the keys to the beer to the car to the trees wheres my budlight thats my drink always trauma when i ring
5:07 "But it refused" 😭🙏
13:33 man this is too true
FRRRRRR
9:33 Bob’s a based Postman user
IS THAT A TALLY HALL REFERENCE!!!?????
love of the s*n
yes it is
balling hall
what
tallied hallways
I love the idea of using this a couple times to troll your friends but if you unironically use this to cheat for real that's just beyond sad 😭
2:08 gamblecore
I cannot help you with that. Your profile picture may be inappropriate.
aw dang it!
@@Likemea it's not
ntts advertising piracy for requestly is something i must love about this video
not piracy, it tells you how to build it in the github repo
i tried it... its patched
Yooooooooooooo the tally hall plushies in the back of his banner brooooo!
is that a fucking tally hall banner
The No tts upload schedule is worse than inflation
It's always firebase
the interesting thing here was the ineptitude of the initial devs.
also why are Ai scripted games constantly mixed with vampires?
it's way more common than you would expect
cuz this was prob recorded on october
why cheat in dbai, not all cheating words (win, survive, die) are banned. For example "Unharmed" is not blocked which is why i win a lot against my friends
I had the AI say I survived but then went through how I got extremely depressed and revoked my own lifetime subscription 😭
there was a temporary amount of time where when I typed the letter i in lowercase the AI automatically generated a winning prompt with no strings attached
the server I was in said that the AI was a simp for me lol
I wouldn't blame it tbh 😳
9:50 They did the programming equivalent of not having a passcode on your phone LOL! Who in the hell is technical lead there 😂
Ntts is the perfect example of how not to be a naive 7 year old 😂
2:35 Your humour is the best 🥇🤣
14:22 girls get it DONE
Psst, extensions are archives. You can download them as a crx or use a tool to get them as a zip. Then you can load the unpacked extension. No need to build the extension when chrome's web store points to a built version already
"From the screen 📺 to the ring 🥊 to the pen ✒️ to the king 👑 " 🗣️🗣️🗣️🔥🔥🔥
"Where's my crown 👑" 🗣🗣🔥🔥
@@TheDucky16 " that's my bling 💎" 🗣️🗣️🗣️🔥🔥🔥
@@CreppyMC "Always trouble when I ring 🔥 🔥"
The intro bro 😭🙏
Haaacker haaaacker, komm wir schaffen das, haaaaacker haaaaaacker komm wir schaffen das! (this is German 🇩🇪 and can you let this comment fly around in the background of one video? xD
lowkey might play this game with the boys again just for kicks and giggles