Discuss Scratch
- Discussion Forums
- » Bugs and Glitches
- » the API bug that puts users at risk
- crabraveprogrammer
- Scratcher
100+ posts
the API bug that puts users at risk
Currently, if you try to load an unshared project, Scratch will refuse to load it. But the project itself is still stored unencrypted on the server. So, if you want to see an unshared project, go on to something like turbowarp, forphorus, llk.github.io/scratch-gui, etc. It is pointless to hide unshared projects, if a person really wanted too, the could get on to it.
Many users share sensitive data in unshared projects (probably) and it is way too easy to get on to an unshared project.
One way is too have the API take in the users password. If it doesn't match, PHP will refuse to send back the project, thereby making it almost impossible to hack on to an unshared project.
IF YOU HAVE SENSITIVE DATA IN AN UNSHARED PROJECT, you must manually delete all of the sprites. Just putting projects into the trash and emptying the trash doesn't actually do anything.
Many users share sensitive data in unshared projects (probably) and it is way too easy to get on to an unshared project.
One way is too have the API take in the users password. If it doesn't match, PHP will refuse to send back the project, thereby making it almost impossible to hack on to an unshared project.
IF YOU HAVE SENSITIVE DATA IN AN UNSHARED PROJECT, you must manually delete all of the sprites. Just putting projects into the trash and emptying the trash doesn't actually do anything.
I like pizza. Pizza is delicious. You must agree.
- mlcreater
- Scratcher
1000+ posts
the API bug that puts users at risk
This does not really put users at risk because most unshared projects have no sensitive data in them.
Even if a project did, nobody could find it because there are 530 000 000 projects to look through
Even if a project did, nobody could find it because there are 530 000 000 projects to look through
← there are 3 sig figs and 0 kumquats
- crabraveprogrammer
- Scratcher
100+ posts
the API bug that puts users at risk
This does not really put users at risk because most unshared projects have no sensitive data in them.
Even if a project did, nobody could find it because there are 530 000 000 projects to look through
Auctually, one user has an unshared project that contains data on how to hack Appel, and that user got hacked some time ago. If there is a way to get a list of ALL projects by a user, then Appel could be in danger…..
I like pizza. Pizza is delicious. You must agree.
- mlcreater
- Scratcher
1000+ posts
the API bug that puts users at risk
There is not a list of all projects by a user.This does not really put users at risk because most unshared projects have no sensitive data in them.
Even if a project did, nobody could find it because there are 530 000 000 projects to look through
Auctually, one user has an unshared project that contains data on how to hack Appel, and that user got hacked some time ago. If there is a way to get a list of ALL projects by a user, then Appel could be in danger…..
What would it mean to “hack” Appel or any other Scratch project?
← there are 3 sig figs and 0 kumquats
- crabraveprogrammer
- Scratcher
100+ posts
the API bug that puts users at risk
also how do you know there is not a list of projects by a user?There is not a list of all projects by a user.This does not really put users at risk because most unshared projects have no sensitive data in them.
Even if a project did, nobody could find it because there are 530 000 000 projects to look through
Auctually, one user has an unshared project that contains data on how to hack Appel, and that user got hacked some time ago. If there is a way to get a list of ALL projects by a user, then Appel could be in danger…..
What would it mean to “hack” Appel or any other Scratch project?
when i say “hack”, i mean to change the cloud data (auctually, thats pretty easy to do, another bug in the API)
I like pizza. Pizza is delicious. You must agree.
- D-ScratchNinja
- Scratcher
1000+ posts
the API bug that puts users at risk
It might be related to the fact that some of the limits are part of the site, not the API, making it possible to hack Cloud Variables or see unshared projects, but the site is sure not to let that happen, so casual users will experience these limits. If they apply those limits to the API, it wouldn't be as easy to get around them.
Here's a demo, this is what it would be like if the site limited viewing unshared projects:
Here's another demo, this is what it would be like if another site was viewing unshared projects:
And if the API limited viewing unshared projects…
Here's a demo, this is what it would be like if the site limited viewing unshared projects:
when page opened :: events hat
if <project is shared ? :: operators> then
open project :: custom
else
error :: looks //Oops! It's unshared!
end
Here's another demo, this is what it would be like if another site was viewing unshared projects:
when page opened :: events hat
open project :: custom //Hey, API! Open it up!
define open project
//Woo-hoo, let's go!
continue :: grey
And if the API limited viewing unshared projects…
when page opened :: events hat
open project :: custom //Hey, API! Open it up!
define open project
//Oops, it's unshared!
if <project is shared ? :: operators> then
continue :: grey
else
error :: looks
end
Last edited by D-ScratchNinja (May 21, 2021 20:31:34)
D-ScratchNinja • he/him
- The following is my signature, which always shows up below my posts. -
New! Filter through my projects with my website.
Need to fix an issue? Check out this studio for solutions to some common problems!
OS: Windows 11 / Browser: Microsoft Edge / Time zone: PST/PDT
- Chiroyce
- Scratcher
1000+ posts
the API bug that puts users at risk
Yes I do agree, but if you don't want to risk your privacy, simply don't give out your project ID.
IMO Scratch could do something like this
Same should be done for https://projects.scratch.mit.edu/488029945
IMO Scratch could do something like this
Client: GET /projects/488029945
Server: GET https://api.scratch.mit.edu/projects/488029945
if is_published == true
return project // If yes, send the project to the client ==>
else if sessionID matches project owner
return project
else
send 404
Same should be done for https://projects.scratch.mit.edu/488029945
April Fools' topics:
— New Buildings in Scratch's headquarters
— Give every Scratcher an M1 MacBook Air
— Scratch should let users edit other Scratchers' projects
— Make a statue for Jeffalo
— Scratch Tech Tips™
— Make a Chiroyce statue emoji
<img src=“x” onerror=“alert('XSS vulnerability discovered')”>
this is a test sentence
- crabraveprogrammer
- Scratcher
100+ posts
the API bug that puts users at risk
Actuaully you have to check the password, but luckily there is a perfectly secure way of sending passwords to the server (HTTPS encryption) Yes I do agree, but if you don't want to risk your privacy, simply don't give out your project ID.
IMO Scratch could do something like thisClient: GET /projects/488029945
Server: GET https://api.scratch.mit.edu/projects/488029945
if is_published == true
return project // If yes, send the project to the client ==>
else if sessionID matches project owner
return project
else
send 404
Same should be done for https://projects.scratch.mit.edu/488029945
Client: GET /projects/488029945/password/
Server: GET https://api.scratch.mit.edu/projects/488029945
if decryptedpassword == userpassword
return project // If yes, send the project to the client ==>
else if [roject is shared
return project
else
send 404
I like pizza. Pizza is delicious. You must agree.
- Chiroyce
- Scratcher
1000+ posts
the API bug that puts users at risk
C'mon dude, no one checks the password! It's always done with the sessionID cookie, and the server corresponding it with the data stored there, we only send passwords via https when we're signing in, no where else! Actuaully you have to check the password, but luckily there is a perfectly secure way of sending passwords to the server (HTTPS encryption)
also, how do you think someone is gonna use https encryption in a URL? it's only encrypted just before leaving the browser, so your browser history might save the un-encrypted password, which is a huge security risk.
How would that work? The sever if decryptedpassword == userpassword hashes the password and stores it, and you can't dehash a hashed value
example_password = "abcd1234"
hash(example_password) // server hashes the password after receiving it
server_stored_password = "e9cee71ab932fde863338d08be4de9dfe39ea049bdafb342ce659ec5450b69ae"
Last edited by Chiroyce (May 22, 2021 12:22:47)
April Fools' topics:
— New Buildings in Scratch's headquarters
— Give every Scratcher an M1 MacBook Air
— Scratch should let users edit other Scratchers' projects
— Make a statue for Jeffalo
— Scratch Tech Tips™
— Make a Chiroyce statue emoji
<img src=“x” onerror=“alert('XSS vulnerability discovered')”>
this is a test sentence
- crabraveprogrammer
- Scratcher
100+ posts
the API bug that puts users at risk
C'mon dude, no one checks the password! It's always done with the sessionID cookie, and the server corresponding it with the data stored there, we only send passwords via https when we're signing in, no where else! Actuaully you have to check the password, but luckily there is a perfectly secure way of sending passwords to the server (HTTPS encryption)
also, how do you think someone is gonna use https encryption in a URL? it's only encrypted just before leaving the browser, so your browser history might save the un-encrypted password, which is a huge security risk.How would that work? The sever if decryptedpassword == userpassword hashes the password and stores it, and you can't dehash a hashed valuethe above example used the sha256 hashing algorithm to hash.example_password = "abcd1234"
hash(example_password) // server hashes the password after receiving it
server_stored_password = "e9cee71ab932fde863338d08be4de9dfe39ea049bdafb342ce659ec5450b69ae"
Obviously you would encrypt the password when it is sent, then hash it to check if it matches.
I like pizza. Pizza is delicious. You must agree.
- Chiroyce
- Scratcher
1000+ posts
the API bug that puts users at risk
Yeah, but you can't encrypt it with the https protocol from Scratch itself, it's only encrypted by the browser via https. Obviously you would encrypt the password when it is sent, then hash it to check if it matches.
April Fools' topics:
— New Buildings in Scratch's headquarters
— Give every Scratcher an M1 MacBook Air
— Scratch should let users edit other Scratchers' projects
— Make a statue for Jeffalo
— Scratch Tech Tips™
— Make a Chiroyce statue emoji
<img src=“x” onerror=“alert('XSS vulnerability discovered')”>
this is a test sentence
- Barthdry
- Scratcher
500+ posts
the API bug that puts users at risk
It isn't a big problem without you sharing your project link if you don't want don't give but its possible through random number but it's rare
Topics to Check
List Of Scratch 3.0 Modifications | Ocular | Barthdry Itch | Scratch Full Mods/Beta 0.1x Archive | Solar Operating System |
- BarelySmooth
- Scratcher
1000+ posts
the API bug that puts users at risk
IF YOU HAVE SENSITIVE DATA IN AN UNSHARED PROJECT, you must manually delete all of the sprites. Just putting projects into the trash and emptying the trash doesn't actually do anything.If I am right, once an image is uploaded to scratch as a costume (and accessible via assets.scratch.mit.edu), it stays there forever.
Banner credit: @Prime689
(This text below is my forum signature)
Good suggestion. Let’s add that.no offense to ST btw – Credit to @Fun_Cupcake_i81 for the above portion of the signature
Also, Nobody supports the support convention
404. That's an error.
The requested signature was not found under this post.
That's all we want you to know.
- D-ScratchNinja
- Scratcher
1000+ posts
the API bug that puts users at risk
You know what, I'm wondering if they didn't set it up in a way that you couldn't view unshared projects with the API because in Scratch 1 there was no unshared state, you would share projects from the desktop program and not edit online. When they updated to the next major version of Scratch, they may not have added a feature to the API that actually hides unshared projects because they didn't need to before. Just a theory.
Last edited by D-ScratchNinja (May 23, 2021 22:59:32)
D-ScratchNinja • he/him
- The following is my signature, which always shows up below my posts. -
New! Filter through my projects with my website.
Need to fix an issue? Check out this studio for solutions to some common problems!
OS: Windows 11 / Browser: Microsoft Edge / Time zone: PST/PDT
- mlcreater
- Scratcher
1000+ posts
the API bug that puts users at risk
I think they allowed the API to access unshared projects because at preview. and beta.scratch.mit.edu there were options to view an existing project in the new 3.0 editor, and Scratch wanted people to be able to view any of their projects. You know what, I'm wondering if they didn't set it up in a way that you couldn't view unshared projects with the API because in Scratch 1 there was no unshared state, you would share projects from the desktop program and not edit online. When they updated to the next major version of Scratch, they may not have added a feature to the API that actually hides unshared projects because they didn't need to before. Just a theory.
← there are 3 sig figs and 0 kumquats
- kccuber
- Scratcher
1000+ posts
the API bug that puts users at risk
well rip, because appel did get it's clouddata hacked into. Auctually, one user has an unshared project that contains data on how to hack Appel, and that user got hacked some time ago. If there is a way to get a list of ALL projects by a user, then Appel could be in danger…..
I don't think you should be storing PERSONAL INFO of all things in a scratch project because the ST might check your projects if you get banned or something.
- PikachuB2005
- Scratcher
100+ posts
the API bug that puts users at risk
This would also mean sites like Currently, if you try to load an unshared project, Scratch will refuse to load it. But the project itself is still stored unencrypted on the server. So, if you want to see an unshared project, go on to something like turbowarp, forphorus, llk.github.io/scratch-gui, etc. It is pointless to hide unshared projects, if a person really wanted too, the could get on to it. scratchdb by @DatOneLefty would need to remove information about unshared projects as well.
Many users share sensitive data in unshared projects (probably) and it is way too easy to get on to an unshared project.
One way is too have the API take in the users password. If it doesn't match, PHP will refuse to send back the project, thereby making it almost impossible to hack on to an unshared project.
IF YOU HAVE SENSITIVE DATA IN AN UNSHARED PROJECT, you must manually delete all of the sprites. Just putting projects into the trash and emptying the trash doesn't actually do anything.
Working on a scratch to pygame converter!
- Chiroyce
- Scratcher
1000+ posts
the API bug that puts users at risk
ScratchDB doesn't index the contents of any project, it just indexes the loves, views, and remix counts.
April Fools' topics:
— New Buildings in Scratch's headquarters
— Give every Scratcher an M1 MacBook Air
— Scratch should let users edit other Scratchers' projects
— Make a statue for Jeffalo
— Scratch Tech Tips™
— Make a Chiroyce statue emoji
<img src=“x” onerror=“alert('XSS vulnerability discovered')”>
this is a test sentence
- crabraveprogrammer
- Scratcher
100+ posts
the API bug that puts users at risk
It dowesnt seem like it is that big of a problem, so i am closing the discussion.
I like pizza. Pizza is delicious. You must agree.
- Discussion Forums
- » Bugs and Glitches
- » the API bug that puts users at risk