This was reported to Mr. Beast’s team on August 15, 2022, immediately after this was posted.
Also – Big Thank You to CaliD – couldn’t have done it without ya.
Background
Mr. Beast is a man who needs no introduction; he is best known for his videos in which he gives away a lot of money, and he is one of a very select few who have hit 100,000,000 subscribers on YouTube. In celebration of hitting this 100M milestone, his merchandise shop (www.shopmrbeast.com) sold special shirts and he ran a giveaway where you could unlock different items by ‘slapping’ Mr. Beast’s face.
Slap-To-Win
The giveaway was ‘Slap-to-win’: if you ‘slapped’ (clicked) the face a certain number of times, you could unlock different items. The ‘grand’ prize was that if you clicked 20,000 times, you could unlock a hat (which would ship with the purchase of one of the special shirts). Other prizes you could unlock included stickers, a lanyard, and a keyring at 500, 2,000, and 5,000 clicks respectively.
After actually clicking 20,000 times to get my free hat, I wondered if it would be possible to game the system. Was there a limit on how high you could actually click?
Local Storage
In Chrome, if you right-click and choose ‘Inspect’, there is a tab called Application. In here you can find the site’s locally stored variables. In the photo above you can see the variable ‘mr-beast-slapper-face-selected’, which selects the ‘face’ you slap. See the selection menu here:
Hash’n’Salt
My first step was to look into how the number is stored.
1 = “U2FsdGVkX19rgaUdun86lNM=”
2 = “U2FsdGVkX18oneybblCfyWQ=”
3 = “U2FsdGVkX1+dBh6eq5NE45Y=”
Each of them starts with the same characters “U2FsdGVkX1”, which base64-decodes to “Salted__”. The only information this provides is that the value was likely encrypted in OpenSSL’s salted format, which unfortunately is a bit of a dead end. If anyone knows another way to figure out the encryption algorithm, I’d love to hear about it!
What I next noticed was that you could replace the stored value with any of the previous ones: if you saved “U2FsdGVkX1+dBh6eq5NE45Y=” in the local storage variable, the page would always show ‘3’ slaps the next time it was refreshed.
Unfortunately this meant I could only insert numbers I already knew the hash for…
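As an added example (not code from the original post or from the shop’s site), here is a small Node.js script that parses the “Salted__” envelope of the values quoted above without knowing the key. Beyond the magic prefix, the envelope also exposes the 8-byte salt and the ciphertext length, and for these four samples the ciphertext is exactly as long as the number of digits in the count, so the stored value leaks the size of the counter and cannot be AES-CBC with PKCS#7 padding. The sample values are the ones quoted above; `parseSaltedEnvelope` and `lengthLeaksDigits` are names chosen here.

```javascript
// Layout of the OpenSSL salted format (also produced by libraries that
// implement OpenSSL-compatible encryption, e.g. CryptoJS):
//   bytes 0..7   ASCII "Salted__"
//   bytes 8..15  8-byte random salt (key and IV are derived from passphrase + salt)
//   bytes 16..   ciphertext
const MAGIC = 'Salted__';

// Parse a base64 string; returns null if it is not a salted envelope.
function parseSaltedEnvelope(b64) {
  const buf = Buffer.from(b64, 'base64');
  if (buf.length < 16 || buf.subarray(0, 8).toString('latin1') !== MAGIC) {
    return null;
  }
  return {
    salt: buf.subarray(8, 16).toString('hex'),
    ciphertext: buf.subarray(16).toString('hex'),
    ciphertextLength: buf.length - 16,
  };
}

// Slap count -> stored string, as quoted in the post.
const SAMPLES = {
  1: 'U2FsdGVkX19rgaUdun86lNM=',
  2: 'U2FsdGVkX18oneybblCfyWQ=',
  3: 'U2FsdGVkX1+dBh6eq5NE45Y=',
  67: 'U2FsdGVkX18fUr/ONk3C/9Oj',
};

// True when every sample's ciphertext length equals the digit count of the
// plaintext. A block cipher with PKCS#7 padding would give 16-byte multiples;
// a 1:1 length means a stream cipher or an unpadded mode, and the envelope
// therefore reveals how many digits the counter has.
function lengthLeaksDigits(samples) {
  return Object.entries(samples).every(([count, stored]) => {
    const env = parseSaltedEnvelope(stored);
    return env !== null && env.ciphertextLength === String(count).length;
  });
}

for (const [count, stored] of Object.entries(SAMPLES)) {
  console.log(count, parseSaltedEnvelope(stored));
}
console.log('ciphertext length == digit count:', lengthLeaksDigits(SAMPLES));
```

Whatever the cipher, nothing in this envelope binds the value to a session or a server-side record, which is why any previously observed string can simply be written back into local storage.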
Gathering More Intel
First, I started with a known value:
67 = “U2FsdGVkX18fUr/ONk3C/9Oj”
Clicking through to Object.decrypt in the page’s source led us to the encrypt and decrypt functions.
Next step was adding a breakpoint on line 319.
Counting to 100,000,000
On the right, you can set variables, and we noticed that the variable ‘e’ held our slapper score. As far as I understand it, the code takes the value from local storage, decrypts it, updates the slapper score, and then encrypts it again. Changing the value halfway through this process gave us a small window in which to slap Mr. Beast as many times as we wished.
So I changed the value from 11 to 100,000,000, refreshed the page, and….
And this is how I slapped Mr. Beast one time for every subscriber he has! Many congratulations to Mr. Beast for hitting this incredible milestone!
How High?
And… just for fun….
Well, after putting in some stupidly big numbers, I was curious how high it actually went.
Once you get high enough, it switches to scientific notation.
If you put in “1e+309”, it says “Infinity” and actually changes the variable to infinity.