Anarios / return-youtube-dislike

Chrome extension to return youtube dislikes
https://returnyoutubedislike.com/
GNU General Public License v3.0
12.54k stars 561 forks

Creator dislike submission #392

Open aryavsaigal opened 2 years ago

aryavsaigal commented 2 years ago

FOR THE CREATORS

They install a browser extension which gives them a unique key, they upload an unlisted video and use the unique key as the title, paste the video url in the extension and click a button. Afterwards they visit studio.youtube.com (?) and a sign comes that specifies that it's getting the dislike data, then another which says it sent the dislike data and another which says there was an error insert http code here

WHAT THE EXTENSION DOES

Upon install the extension fetches an api endpoint (GET /creators) which gives it a unique key. After getting the video url it sends the video id to the server (POST /creators) which returns an api key that is saved securely. Every time studio.youtube.com is loaded it gets the dislikes, sends the data (POST /votes/submit) with the data and api key (for auth).

WHAT THE API ENDPOINTS DO (mind you I'm not good at cryptography so try to get the basic idea from here)

For GET /creators: Generates a unique key and stores it somewhere.

For POST /creators: Fetches the video id's title and uploader's channel id, if the title is the same as any unique key which was generated then generate another key, attach the channel id to it and delete the unique key (or mark it as used if deleting is expensive). Return the API key.

For POST /votes/submit: The dislike data can only be incremented. Since there is authorisation which tells us which channel sent the data we check if the video ids belong to that channel or not. Update the data and send some cool http code.

WHAT THE SERVER NEEDS TO DO

1) It needs to go over all the dislikes the creators submitted at a set interval and find out whether

a) it is being updated regularly, if not then attach some level of warning which the ryd extension will show for that video.

b) if the dislikes are increasing in a way which is believable (compared to the video's views and likes increasing), if this does not happen then we do a manual check on them (maybe) and blacklist them if they're tampering with the dislikes

2) The server needs to store video ids to channel ids so we don't have to keep using the youtube api to verify that the videos the creator sent really belong to their channel.

OTHER STUFF

Since the API does not allow to reduce the dislike counts and if there has been a significant dislike reduction on a video (for whatever reason) the content creator can contact us and give us an api key temporarily and we manually check and update it. To bring trust we can upload the script to do this on github or somewhere and do it on a voice call. On the voice call we can show the checksum of the script and compare it to the github script's checksum. This will happen rarely so it shouldn't be an issue

WHAT THE RYD EXTENSION CAN DO

For the 2nd point in the backend heading the ryd extension can send the channel id for the video they're watching (the channel id should be present in the page) and send it to the server, if multiple IPs report the same channel id then add it in the database.

WHAT THE USERS CAN DO

Report skewed dislike counts, if multiple people report it then a manual check is done? (or a more resource heavy but accurate check than what the backend is doing at set intervals).

thanks to @JRWR for originally suggesting this

cyrildtm commented 2 years ago

Just want to point out, if I understand the whole process correctly, then there is a vulnerability that anyone can use. After the initial authorization and authentication by uploading an unlisted video with public unique key, I can replace the entire youtube website with a local private host, effectively giving myself a MITM attack. But rather I can just replace the dislike number in each video, while everything else can actually be fetched real-time from the official server.

aryavsaigal commented 2 years ago

> Just want to point out, if I understand the whole process correctly, then there is a vulnerability that anyone can use. After the initial authorization and authentication by uploading an unlisted video with public unique key, I can replace the entire youtube website with a local private host, effectively giving myself a MITM attack. But rather I can just replace the dislike number in each video, while everything else can actually be fetched real-time from the official server.

That is indeed true, this should help prevent it to some degree

> It needs to go over all the dislikes the creators submitted at a set interval and find out whether a) it is being updated regularly, if not then attach some level of warning which the ryd extension will show for that video. b) if the dislikes are increasing in a way which is believable (compared to the video's views and likes increasing), if this does not happen then we do a manual check on them (maybe) and blacklist them if they're tampering with the dislikes

> The dislike data can only be incremented

jetbalsa commented 2 years ago

So, This is written a little incorrectly. The basic flow is this:

The following risks are as follows with their outcomes and mitigation

With my suggestions, it takes most of the work out from us and moves most of the gathering logic to the creator's browser and with that we can show them the exact data we are gathering and gain their trust!

cyrildtm commented 2 years ago

Well that's the point of hosting my own fake site, so I can write an automatic routine and keep some or all video's real like & dislike counters in an internal database, and perform a "beautify" function before reporting to the user (the dishonest creator).

The function must be monotonic, so it meets the plugin's requirement that it always and only increases. But for example instead of increasing by 100 I can only report 1.

Then I can spawn a thousand new channels uploading idk very authentic bot videos and do the same thing with the plugin, and finally I can provide this discrepancy as misleading evidence that "this plugin is inaccurate for a thousand small content creators". Sure we can provide our own plugin user data and point out that they are way off, but public trust is lost.

Also the plugin's user population is way smaller than youtube users. It's not sophisticated math to work out a sweet spot that the fake dislike count is bigger than the plugin user reports but still smaller than the real one hidden by youtube. As long as there is a significant margin then it's profitable.
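The checks proposed for POST /votes/submit and for the server's periodic review, run against the under-reporting case raised in the comment above. This is an added example, not part of the thread or of RYD's code; the store layout, field names and both thresholds are assumptions.

```javascript
// Added example; every name and threshold here is an assumption, not RYD code.
const STALE_AFTER_MS = 7 * 24 * 60 * 60 * 1000; // assumed cutoff for "not updated regularly"
const MIN_RATE_FRACTION = 0.25; // assumed: review if new dislikes-per-view < 25% of the video's history

// Constructed sample state standing in for the server's database.
const state = {
  // video id -> channel id, cached so the YouTube API is not queried on every submit
  videoOwner: new Map([["vid_A", "chan_1"], ["vid_B", "chan_2"]]),
  // last accepted creator-reported counters per video
  lastAccepted: new Map([["vid_A", { dislikes: 1000, views: 50000, at: 0 }]]),
  // dislikes cast by extension users themselves: the true count cannot be lower
  extensionDislikes: new Map([["vid_A", 1040]]),
};

// Decide what to do with one POST /votes/submit entry from an authenticated channel.
// Returns { status: "rejected" | "review" | "accepted", flags } and does not mutate db.
function validateSubmission(db, channelId, sub) {
  // Hard rule: the channel bound to the API key must own the video.
  if (db.videoOwner.get(sub.videoId) !== channelId) {
    return { status: "rejected", flags: ["not_owner"] };
  }
  const prev = db.lastAccepted.get(sub.videoId);
  // Hard rule: dislike data can only be incremented.
  if (prev && sub.dislikes < prev.dislikes) {
    return { status: "rejected", flags: ["decrease"] };
  }
  const flags = [];
  // Soft rule: dislike growth must be believable next to view growth.
  if (prev && prev.views > 0) {
    const dViews = sub.views - prev.views;
    const dDislikes = sub.dislikes - prev.dislikes;
    const historicalRate = prev.dislikes / prev.views;
    if (dViews > 0 && dDislikes / dViews < historicalRate * MIN_RATE_FRACTION) {
      flags.push("implausible_growth");
    }
  }
  // Soft rule: a creator cannot have fewer dislikes than extension users alone cast.
  const floor = db.extensionDislikes.get(sub.videoId) ?? 0;
  if (sub.dislikes < floor) flags.push("below_extension_floor");
  return { status: flags.length ? "review" : "accepted", flags };
}

// True when a creator who used to report has gone quiet and a warning should be shown.
function isStale(db, videoId, now) {
  const prev = db.lastAccepted.get(videoId);
  return Boolean(prev) && now - prev.at > STALE_AFTER_MS;
}

// Constructed submissions for vid_A after 5000 new views.
const honest = validateSubmission(state, "chan_1", { videoId: "vid_A", dislikes: 1100, views: 55000 });
// Monotonic but under-reported: +1 dislike passes "increment only", fails both soft rules.
const trickle = validateSubmission(state, "chan_1", { videoId: "vid_A", dislikes: 1001, views: 55000 });
// Above the extension floor and within the assumed rate band: not caught by these rules,
// which is the residual gap the thread goes on to argue about.
const tuned = validateSubmission(state, "chan_1", { videoId: "vid_A", dislikes: 1050, views: 55000 });
console.log(honest, trickle, tuned);
```

The increment-only rule alone accepts the `trickle` submission; only the comparison against view growth and against extension users' own votes sends it to manual review.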

jetbalsa commented 2 years ago

So we still have the human element here. Are we going to allow someone to register that many channels under their name or even in bulk? I mean sure, once the userbase grows where we have a few thousand channels, but most creators only have a handful. A validation workflow for a channel would be required to gain a key. This alone would stop most attempts to game the system. Don't forget that users can still report a channel to us, we can then hand check what is going on and maybe require manual reporting (screenshots, video, something) to prove it's OK.

Your issue arises if the whole thing is automated, but even just having a ticketing system in discord would slow this right down.

Don't forget, we have ban hammers and can deal with creators. Also don't forget that the numbers we are using are for the end users, so detecting that a video with a set of the userbase disliked the video and the delta is /way/ off could be detected. Alongside that, user reports on awful videos to be hand checked if it gets reported too much can be investigated.

cyrildtm commented 2 years ago

Okay maybe this can work, but it really needs a lot of data from a lot of plugin users.

Check the plugin user's usual voting behavior, and build a profile. It covers how well the user's like and dislike lines up with others. From here we can build trust on this particular plugin user. Given that all users - with and without the plugin - dislike a video at a certain rate, how likely is this particular plugin user gonna dislike or like? This requires historical data as we need to know about the videos that the plugin user disliked prior to the API shutdown. Then reversely we can project how likely a certain video should be disliked by the general audience given the plugin user's dislike count.

This entire thing is based on probability and even with straightforward Bayesian formulas I still don't trust it. I can argue that the model is unreliable: I treat all channels equally, and the behavior of a user is assumed to be the same across different channels, assumed not to change over time, and assumed to be equally active over all times. It's not true at all.

As for the human factor. Witnessing social media attacks and misinformation all over the place nowadays, I don't think anything is impossible. Since this plugin is only a small player, public trust is easy to destruct. I can split one hundred thousand currency units to a thousand people and ask them to do the same thing, each with their real identity but the right to hide it from the unofficial you and the chance to cover it with a fake. Once this plugin's method is proven vulnerable, public interest will move on, and not even the basic function we have as of now will be trusted or used. That's how social media works isn't it?

cyrildtm commented 2 years ago

> Also don't forget that the numbers we are using are for the end users. so detecting that a video with a set of the userbase disliked the video and the delta is /way/ off could be detected.

Your data is always way off. This plugin only has no more than two million users at Chrome extension store. Billions of people are watching youtube everyday, according to the Internet. Your delta is 99.9%. It's your projection and the real dislike that you want to match. Currently linear extrapolation is being used (or at least claimed), and it's pretty accurate. All I want to do (and I need to do) is to show your projection is off, and this can be done by providing massive fabricated creator data.

Once this extension catches up its momentum, you can no longer keep anything away from automation, meaning you can't do authentication on Discord. Then you will need routines and algorithms that cost money and time. Is it something a FOSS project can achieve?

sy-b commented 2 years ago

@JRWR @DARKDRAGON532 Your proposed methods can prevent bot attackers to a good level but how are they going to deter rogue creators? @cyrildtm's claim is still valid for that

Also the reason to give the backend the access to creator's dislike (using OAuth & API) is to prevent forging of data.


The method assumes a bunch of things but doesn't describe them specifically

eg.

cyrildtm commented 2 years ago

> Also the reason to give the backend the access to creator's dislike (using OAuth & API) is to prevent forging of data.

Agreed and Thank you. Polling official data directly is both the right and easy way. But then there's a trust issue between creators and developers. Currently OAuth gives you access to a lot of data of business interest other than dislike count, but at least it's manageable and there may be a solution**

** jk we can't ask youtube to make a separate permission just to see dislike counter can we lol

coldcanuk commented 2 years ago

I agree with the overall logic. How do you scale a dislike button scraper? How do you scale such a scraper for free?

You can create a paid-for version. I think a commercialized extension is the only sustainable direction. A business model that relies on YT "not" resurrecting the dislike counter is also not a confidence builder .... No matter how hard you try... So there's definitely an uphill struggle here.

I can see why Linus was suggesting some morphing of Tube Vanced & RYD.


SyntaxBlitz commented 2 years ago

> Currently OAuth gives you access to a lot of data of business interest other than dislike count, but at least it's manageable and there may be a solution

In the Discord we discussed a way to let creators fetch from the API (using code on their own computer, meaning they don't have to trust RYD with the scope) in a way that's (mostly) verifiable, so that creators can't spoof their counts. link here

cyrildtm commented 2 years ago

@coldcanuk yeah and this pet project is no fun any more-

coldcanuk commented 2 years ago

Well the c&d is expected but not a real thing ... Your extension is telling ppl what it's doing and you're knowingly submitting your data. That data is transformed and thus property.

Suppose YT can complain to the chromium team ..... You can justify billing creators assuming you are delivering more than a repackaged pie chart.

IMHO Ryd is onto something. I think that something is worth it. What is that "it" and how do you go from pet project to billable product ? These are big questions .....


cyrildtm commented 2 years ago

> IMHO Ryd is onto something. I think that something is worth it. What is that "it" and how do you go from pet project to billable product ? These are big questions .....

I can try to answer, it's basically a reinvention of PageRank, and the whole reason is Google said they're not gonna do it anymore two months ago.

> Well the c&d is expected but not a real thing ... Your extension is telling ppl what it's doing

Not any more if Github gets a C&D.

> You can justify billing creators assuming you are delivering more than a repackaged pie chart.

As a casual person who learns from the street, I am aware of PR companies offering consultant services on how to improve your channel.

hrichiksite commented 2 years ago

Wow, many people (even including me), had a similar idea but as @Anarios said, https://github.com/Anarios/return-youtube-dislike/issues/396#issuecomment-1003646970

Depending on creators to give the dislike count is not that viable as they have other work to do and also some bad actors can just self MiTM themselves to fool the system. I think OAuth is the only way that is 1) fully true 2) verifiable 3) official 4) better than doing something client-side as no one much likes to install stuff. Also this ain't even solving Linus's problem as he said in the video, the extension can still take other stuff. Solving that issue which Linus shared is not possible, so he has to trust what's running on the server. My try on this problem is this https://github.com/OpenDislikeAPI/Code, an API (which I plan to give unlimited access to RYD for the good) that would just get the details from youtube and cache it so others don't have to :) It would still need creators to sign in with Google to connect the accounts.

cyrildtm commented 2 years ago

@hrichiksite I looked at your project statement, and it sounds promising to be a compromised solution. I have a few questions;

I would really see Linus host a proxy API and archiving site with his own overkill Internet and storage facility (this may not be an overkill in such a time of zombie apocalypse after all) But this will be a cannon shell dropping on his feet.

hrichiksite commented 2 years ago

@cyrildtm Hi, I am answering your questions so you can understand better now:

1) Well, for that, there is no current method to prove it. All I can do is give a creator like Linus to audit my server as I said in https://github.com/Anarios/return-youtube-dislike/issues/401 's Trust part.

2) Redis is a key-value store database software that I will host on my server. You can read more about it here https://en.wikipedia.org/wiki/Redis

3) I said that for storing the dislike count in Redis, like a JSON object like

{
  "dislikes": Number,
  "somethingElseIWouldNeedToStore": DataType
}

4) Cannon's shell dropping on his feet will cause it to break if he was wearing socks and sandals. I had that thought too, make Linus host the code and everybody will have no doubt, but it's really a hassle to host and maintain code. Also, his vault is made for his videos, not this stuff anyways. Tho he can just make a server anytime.

Also, you can comment on this issue https://github.com/Anarios/return-youtube-dislike/issues/401 for keeping everything in place.

Have a good day :)

aryavsaigal commented 2 years ago

> the extension can still take other stuff.

it's gonna be open source if we take this approach

TorutheRedFox commented 2 years ago

as for MITM attacks with studio.youtube.com, you can just add SSL certificate verification

cyrildtm commented 2 years ago

> as for MITM attacks with studio.youtube.com, you can just add SSL certificate verification

Elaborate?

Besides, I can always MITM modify any verification process run locally. That's how paid software were hacked in the past.

TorutheRedFox commented 2 years ago

yeah you're right as for the cert verification, you can just verify that the certificate it's signed by is the one you expect it to be

KraXen72 commented 1 year ago

is there any progress on this? i'm aware it is a complex issue, but this has been first requested 2 years ago in 2021 and would be really useful, because at least some transparent creators could make youtube a better place by providing their real dislike count

ranazee commented 1 year ago

solve this issue