the API bug that puts users at risk

crabraveprogrammer

Currently, if you try to load an unshared project, Scratch will refuse to load it. But the project itself is still stored unencrypted on the server. So, if you want to see an unshared project, go on to something like turbowarp, forphorus, llk.github.io/scratch-gui, etc. It is pointless to hide unshared projects, if a person really wanted too, the could get on to it.

Many users share sensitive data in unshared projects (probably) and it is way too easy to get on to an unshared project.

One way is too have the API take in the users password. If it doesn't match, PHP will refuse to send back the project, thereby making it almost impossible to hack on to an unshared project.

IF YOU HAVE SENSITIVE DATA IN AN UNSHARED PROJECT, you must manually delete all of the sprites. Just putting projects into the trash and emptying the trash doesn't actually do anything.

I like pizza. Pizza is delicious. You must agree.

mlcreater

This does not really put users at risk because most unshared projects have no sensitive data in them.

Even if a project did, nobody could find it because there are 530 000 000 projects to look through

← there are 3 sig figs and 0 kumquats

crabraveprogrammer

mlcreater wrote:
This does not really put users at risk because most unshared projects have no sensitive data in them.

Even if a project did, nobody could find it because there are 530 000 000 projects to look through

Auctually, one user has an unshared project that contains data on how to hack Appel, and that user got hacked some time ago. If there is a way to get a list of ALL projects by a user, then Appel could be in danger…..

I like pizza. Pizza is delicious. You must agree.

mlcreater

crabraveprogrammer wrote:
mlcreater wrote:
This does not really put users at risk because most unshared projects have no sensitive data in them.

Even if a project did, nobody could find it because there are 530 000 000 projects to look through

Auctually, one user has an unshared project that contains data on how to hack Appel, and that user got hacked some time ago. If there is a way to get a list of ALL projects by a user, then Appel could be in danger…..

There is not a list of all projects by a user.

What would it mean to “hack” Appel or any other Scratch project?

← there are 3 sig figs and 0 kumquats

crabraveprogrammer

mlcreater wrote:
crabraveprogrammer wrote:
mlcreater wrote:
This does not really put users at risk because most unshared projects have no sensitive data in them.

Even if a project did, nobody could find it because there are 530 000 000 projects to look through

Auctually, one user has an unshared project that contains data on how to hack Appel, and that user got hacked some time ago. If there is a way to get a list of ALL projects by a user, then Appel could be in danger…..
There is not a list of all projects by a user.

What would it mean to “hack” Appel or any other Scratch project?

also how do you know there is not a list of projects by a user?
when i say “hack”, i mean to change the cloud data (auctually, thats pretty easy to do, another bug in the API)

I like pizza. Pizza is delicious. You must agree.

D-ScratchNinja

It might be related to the fact that some of the limits are part of the site, not the API, making it possible to hack Cloud Variables or see unshared projects, but the site is sure not to let that happen, so casual users will experience these limits. If they apply those limits to the API, it wouldn't be as easy to get around them.

Here's a demo, this is what it would be like if the site limited viewing unshared projects:

when page opened :: events hat
if <project is shared ? :: operators> then
open project :: custom 
else
error :: looks //Oops! It's unshared!
end

Here's another demo, this is what it would be like if another site was viewing unshared projects:

when page opened :: events hat
open project :: custom //Hey, API! Open it up!

define open project
//Woo-hoo, let's go!
continue :: grey

And if the API limited viewing unshared projects…

when page opened :: events hat
open project :: custom //Hey, API! Open it up!

define open project
//Oops, it's unshared!
if <project is shared ? :: operators> then
continue :: grey
else
error :: looks
end

Last edited by D-ScratchNinja (May 21, 2021 20:31:34)

D-ScratchNinja • he/him
- The following is my signature, which always shows up below my posts. -

New! Filter through my projects with my website.

Need to fix an issue? Check out this studio for solutions to some common problems!

OS: Windows 11 / Browser: Microsoft Edge / Time zone: PST/PDT

Chiroyce

Yes I do agree, but if you don't want to risk your privacy, simply don't give out your project ID.

IMO Scratch could do something like this

Client:      GET /projects/488029945

Server:     GET https://api.scratch.mit.edu/projects/488029945 

                if is_published == true
                    return project             // If yes, send the project to the client ==>
                else if sessionID matches project owner
                    return project             
                else
                    send 404

Same should be done for https://projects.scratch.mit.edu/488029945

April Fools' topics:

— New Buildings in Scratch's headquarters
— Give every Scratcher an M1 MacBook Air
— Scratch should let users edit other Scratchers' projects
— Make a statue for Jeffalo
— Scratch Tech Tips™
— Make a Chiroyce statue emoji

<img src=“x” onerror=“alert('XSS vulnerability discovered')”>

this is a test sentence

crabraveprogrammer

Chiroyce wrote:

Yes I do agree, but if you don't want to risk your privacy, simply don't give out your project ID.

IMO Scratch could do something like this

Client:      GET /projects/488029945

Server:     GET https://api.scratch.mit.edu/projects/488029945 

                if is_published == true
                    return project             // If yes, send the project to the client ==>
                else if sessionID matches project owner
                    return project             
                else
                    send 404

Same should be done for https://projects.scratch.mit.edu/488029945

Actuaully you have to check the password, but luckily there is a perfectly secure way of sending passwords to the server (HTTPS encryption)

Client: GET /projects/488029945/password/

Server: GET https://api.scratch.mit.edu/projects/488029945

if decryptedpassword == userpassword
return project // If yes, send the project to the client ==>
else if [roject is shared
return project
else
send 404

I like pizza. Pizza is delicious. You must agree.

Chiroyce

crabraveprogrammer wrote:
Actuaully you have to check the password, but luckily there is a perfectly secure way of sending passwords to the server (HTTPS encryption)

C'mon dude, no one checks the password! It's always done with the sessionID cookie, and the server corresponding it with the data stored there, we only send passwords via https when we're signing in, no where else!

also, how do you think someone is gonna use https encryption in a URL? it's only encrypted just before leaving the browser, so your browser history might save the un-encrypted password, which is a huge security risk.

crabraveprogrammer wrote:
if decryptedpassword == userpassword

How would that work? The sever hashes the password and stores it, and you can't dehash a hashed value

example_password = "abcd1234"
hash(example_password) // server hashes the password after receiving it
server_stored_password = "e9cee71ab932fde863338d08be4de9dfe39ea049bdafb342ce659ec5450b69ae"

the above example used the sha256 hashing algorithm to hash.

Last edited by Chiroyce (May 22, 2021 12:22:47)

April Fools' topics:

— New Buildings in Scratch's headquarters
— Give every Scratcher an M1 MacBook Air
— Scratch should let users edit other Scratchers' projects
— Make a statue for Jeffalo
— Scratch Tech Tips™
— Make a Chiroyce statue emoji

<img src=“x” onerror=“alert('XSS vulnerability discovered')”>

this is a test sentence

crabraveprogrammer

Chiroyce wrote:
crabraveprogrammer wrote:
Actuaully you have to check the password, but luckily there is a perfectly secure way of sending passwords to the server (HTTPS encryption)
C'mon dude, no one checks the password! It's always done with the sessionID cookie, and the server corresponding it with the data stored there, we only send passwords via https when we're signing in, no where else!

also, how do you think someone is gonna use https encryption in a URL? it's only encrypted just before leaving the browser, so your browser history might save the un-encrypted password, which is a huge security risk.

crabraveprogrammer wrote:
if decryptedpassword == userpassword
How would that work? The sever hashes the password and stores it, and you can't dehash a hashed value
example_password = "abcd1234"
hash(example_password) // server hashes the password after receiving it
server_stored_password = "e9cee71ab932fde863338d08be4de9dfe39ea049bdafb342ce659ec5450b69ae"
the above example used the sha256 hashing algorithm to hash.

Obviously you would encrypt the password when it is sent, then hash it to check if it matches.

I like pizza. Pizza is delicious. You must agree.

Chiroyce

crabraveprogrammer wrote:
Obviously you would encrypt the password when it is sent, then hash it to check if it matches.

Yeah, but you can't encrypt it with the https protocol from Scratch itself, it's only encrypted by the browser via https.

April Fools' topics:

— New Buildings in Scratch's headquarters
— Give every Scratcher an M1 MacBook Air
— Scratch should let users edit other Scratchers' projects
— Make a statue for Jeffalo
— Scratch Tech Tips™
— Make a Chiroyce statue emoji

<img src=“x” onerror=“alert('XSS vulnerability discovered')”>

this is a test sentence

Barthdry

It isn't a big problem without you sharing your project link if you don't want don't give but its possible through random number but it's rare

BarelySmooth

crabraveprogrammer wrote:
IF YOU HAVE SENSITIVE DATA IN AN UNSHARED PROJECT, you must manually delete all of the sprites. Just putting projects into the trash and emptying the trash doesn't actually do anything.

If I am right, once an image is uploaded to scratch as a costume (and accessible via assets.scratch.mit.edu), it stays there forever.

Banner credit: @Prime689

(This text below is my forum signature)

Scratch Team never wrote:
Good suggestion. Let’s add that.

no offense to ST btw – Credit to @Fun_Cupcake_i81 for the above portion of the signature

Also, Nobody supports the support convention

404. That's an error.

The requested signature was not found under this post.
That's all we want you to know.

D-ScratchNinja

You know what, I'm wondering if they didn't set it up in a way that you couldn't view unshared projects with the API because in Scratch 1 there was no unshared state, you would share projects from the desktop program and not edit online. When they updated to the next major version of Scratch, they may not have added a feature to the API that actually hides unshared projects because they didn't need to before. Just a theory.

Last edited by D-ScratchNinja (May 23, 2021 22:59:32)

D-ScratchNinja • he/him
- The following is my signature, which always shows up below my posts. -

New! Filter through my projects with my website.

Need to fix an issue? Check out this studio for solutions to some common problems!

OS: Windows 11 / Browser: Microsoft Edge / Time zone: PST/PDT

mlcreater

D-ScratchNinja wrote:
You know what, I'm wondering if they didn't set it up in a way that you couldn't view unshared projects with the API because in Scratch 1 there was no unshared state, you would share projects from the desktop program and not edit online. When they updated to the next major version of Scratch, they may not have added a feature to the API that actually hides unshared projects because they didn't need to before. Just a theory.

I think they allowed the API to access unshared projects because at preview. and beta.scratch.mit.edu there were options to view an existing project in the new 3.0 editor, and Scratch wanted people to be able to view any of their projects.

← there are 3 sig figs and 0 kumquats

kccuber

crabraveprogrammer wrote:
Auctually, one user has an unshared project that contains data on how to hack Appel, and that user got hacked some time ago. If there is a way to get a list of ALL projects by a user, then Appel could be in danger…..

well rip, because appel did get it's clouddata hacked into.

I don't think you should be storing PERSONAL INFO of all things in a scratch project because the ST might check your projects if you get banned or something.

Made using Nord Theme & Inkscape

PikachuB2005

crabraveprogrammer wrote:
Currently, if you try to load an unshared project, Scratch will refuse to load it. But the project itself is still stored unencrypted on the server. So, if you want to see an unshared project, go on to something like turbowarp, forphorus, llk.github.io/scratch-gui, etc. It is pointless to hide unshared projects, if a person really wanted too, the could get on to it.

Many users share sensitive data in unshared projects (probably) and it is way too easy to get on to an unshared project.

One way is too have the API take in the users password. If it doesn't match, PHP will refuse to send back the project, thereby making it almost impossible to hack on to an unshared project.

IF YOU HAVE SENSITIVE DATA IN AN UNSHARED PROJECT, you must manually delete all of the sprites. Just putting projects into the trash and emptying the trash doesn't actually do anything.

This would also mean sites like scratchdb by @DatOneLefty would need to remove information about unshared projects as well.

Working on a scratch to pygame converter!

Chiroyce

ScratchDB doesn't index the contents of any project, it just indexes the loves, views, and remix counts.

April Fools' topics:

— New Buildings in Scratch's headquarters
— Give every Scratcher an M1 MacBook Air
— Scratch should let users edit other Scratchers' projects
— Make a statue for Jeffalo
— Scratch Tech Tips™
— Make a Chiroyce statue emoji

<img src=“x” onerror=“alert('XSS vulnerability discovered')”>

this is a test sentence

crabraveprogrammer

It dowesnt seem like it is that big of a problem, so i am closing the discussion.

I like pizza. Pizza is delicious. You must agree.

Discuss Scratch