Discuss Scratch
- mybearworld
-
Scratcher
1000+ posts
Can a browser extension hack you by just accessing the API?
In theory, not going to install one
Last edited by mybearworld (April 10, 2021 17:12:25)
- BarelySmooth
-
Scratcher
1000+ posts
Scratch API is something that returns data in a “programmer-friendly” manner. Most data can be publicly accessed by humans but some data can only be accessed after authentication (such as messages). If an extension is installed on your browser, it can pass through the authentication process but even that might not contain sensitive data. Also, there are other ways an “evil” extension can cause harm. (ex: stealing data such as addresses)
Note: I am referring to the Scratch API
Last edited by BarelySmooth (April 10, 2021 17:26:04)
- CST1229
-
Scratcher
1000+ posts
> In theory, not going to install one
No, but it could hack you if it logged your cookies.
- Maximouse
-
Scratcher
1000+ posts
If you're logged in, it can do anything with your account.
- Chiroyce
-
Scratcher
1000+ posts
> If you're logged in, it can do anything with your account.
Yes, very true..
When you install an extension, you allow it to read and write data (using your login sessionID) to the following websites
So, it can hack you right when you log in - (if it is maliciously crafted with code that sends your login details to a remote server), no need of the API.
And no, it can't hack you with just the API as no private data is stored there. I have access to the API, yet I can't hack anyone - so a browser extension also cannot (if it only has access to the API)
Last edited by Chiroyce (April 11, 2021 15:51:10)
- han614698
-
Scratcher
1000+ posts
Should I report to be moved to advanced topics?
- Jeffalo
-
Scratcher
1000+ posts
one more thing to note, the chrome webstore/firefox addons thing both have somewhat okay protection against uploading malicious extensions.
however, hundreds of extensions get uploaded, and i doubt they check through everything. they just make sure an extension isn't blatantly doing bad things.
- Chiroyce
-
Scratcher
1000+ posts
> one more thing to note, the chrome webstore/firefox addons thing both have somewhat okay protection against uploading malicious extensions.
Safari for macOS has recently introduced some extensions, and I suppose they are even more secure than Chrome's or Firefox's. But I doubt if it has any extension for Scratch.
- gosoccerboy5
-
Scratcher
1000+ posts
> one more thing to note, the chrome webstore/firefox addons thing both have somewhat okay protection against uploading malicious extensions.
> however, hundreds of extensions get uploaded, and i doubt they check through everything. they just make sure an extension isn't blatantly doing bad things.
Plus a lot of extensions are open source so it's not that hard to check out the code (****in theory) right?
- hmgg
-
Scratcher
76 posts
I use (realizes I'm gonna get muted again if I say the name of the extension), and I only got it because the reviews are good. A lot of times an extension with good reviews won't hack your account, but still be wary.
- AmazingMech2418
-
Scratcher
1000+ posts
Multiple ways, actually! XD
First off, the extension could remotely run client-side code to mess with accounts on various websites.
Second, extensions can have access to HTTP-Only cookies and can therefore steal your cookies and log in as you elsewhere.
Third, the extension could be a keylogger and basically act as spyware, monitoring everything you do online.
Fourth, the extension could potentially intercept requests and modify downloads to include viruses to gain RCE on your device.
Basically, be careful with extensions!
Though, literally, it would be possible for an extension to remotely send files to msfvenom to create a trojan that gains RCE, so that is not just made up. XD Though, if you find out it does that, you could be smart and hack them back using msfvenom vulnerabilities to shut down their RCE shell and also report the machine info to local authorities to catch the hackers. B) XD But it would be better to just avoid the malicious extensions entirely and not get hacked in the first place…
Technically, only the first two are API-accessing ones, but all of them are dangerous.
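Added example (not part of any post in this thread, and not code from any real extension): a small audit of an extension's `manifest.json` that reports which of the kinds of access discussed above the extension is granted on a given site. The target host `scratch.mit.edu`, the function names and both sample manifests are assumptions constructed for illustration.

```javascript
// Added example: audits a WebExtension manifest for access to one site.
const TARGET_HOST = "scratch.mit.edu"; // assumed host for the site in this thread

// True if a match pattern such as "*://*.mit.edu/*" covers the given host.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false;
  if (m[2] === "*") return true;
  if (m[2].startsWith("*.")) {
    const base = m[2].slice(2);
    return host === base || host.endsWith("." + base);
  }
  return m[2] === host;
}

function auditManifest(manifest, host = TARGET_HOST) {
  const isPattern = (p) => p === "<all_urls>" || p.includes("://");
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const hostPatterns = [...perms.filter(isPattern),
    ...(manifest.host_permissions || []), ...(manifest.optional_host_permissions || [])];
  const api = new Set(perms.filter((p) => !isPattern(p)));
  const hostAccess = hostPatterns.some((p) => patternCoversHost(p, host));
  const scripted = (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some((p) => patternCoversHost(p, host)));
  const findings = [];
  if (hostAccess || scripted)
    findings.push("session-access: can act on " + host + " as the logged-in user");
  if (hostAccess && api.has("cookies"))
    findings.push("cookie-read: cookies API reaches " + host + " cookies, HttpOnly included");
  if (hostAccess && (api.has("webRequest") || api.has("declarativeNetRequest")))
    findings.push("request-intercept: can observe or modify requests to " + host);
  if (scripted)
    findings.push("page-script: content script runs in " + host + " pages and can read typed input");
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const unrelatedExtension = { manifest_version: 3, permissions: ["storage", "cookies"],
  host_permissions: ["https://example.org/*"] };
const broadExtension = { manifest_version: 2,
  permissions: ["cookies", "webRequest", "*://*.mit.edu/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }] };
```

`auditManifest(broadExtension)` returns all four findings, while `auditManifest(unrelatedExtension)` returns none even though it requests `cookies`, because that permission only applies to hosts the extension has been granted.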