Discuss Scratch

82BITMYSTERY
Scratcher
500+ posts

Is changing your role to "admin" allowed

I saw this tutorial that tells you how to get access to the admin panel by changing scratch.mit.edu/session but I don't know if it's allowed to have access to unauthorized tools.
TheRpgDev
Scratcher
100+ posts

Wow. I think that probably isn't allowed, but it depends on what it lets you do. Does it even work?
thepixel2000
Scratcher
57 posts

No, using hacks or unauthorized tools is not allowed. If you do so, your account will likely get deleted. Only the ST can use an “Admin Panel” or anything similar.
Maximouse
Scratcher
1000+ posts

I think it's fine because it isn't possible to actually use any of the admin tools.

Last edited by Maximouse (Sept. 10, 2024 18:14:44)

A-MARIO-PLAYER
Scratcher
1000+ posts

Maximouse wrote:

I think it's fine because it isn't possible to actually use any of the admin tools.
People might find ways to make the admin tools work though, so I believe this is in a (probably legal) grey area.
A-MARIO-PLAYER
Scratcher
1000+ posts

starlightsparker wrote:

I would assume the answer is obvious, but it seems that it is not.
As per 3.5 of the Terms of Use;

Terms of Use wrote:

3.5 You agree not to use Scratch in any way intended to disrupt the service, gain unauthorized access to the service, or interfere with any other user's ability to use the service.
The admin tools still don't work though, so it might be allowed, all you can do is click through menus.

Last edited by A-MARIO-PLAYER (Sept. 10, 2024 18:18:01)

GlitchedThrough
New Scratcher
1000+ posts

A-MARIO-PLAYER wrote:

Maximouse wrote:

I think it's fine because it isn't possible to actually use any of the admin tools.
People might find ways to make the admin tools work though, so I believe this is in a (probably legal) grey area.
I mean, you can hack with just a laptop, so shall we ban laptop users?
A-MARIO-PLAYER
Scratcher
1000+ posts

GlitchedThrough wrote:

I mean, you can hack with just a laptop, so shall we ban laptop users?
You can hack with really any computer that has access to the internet, even a smart fridge, so we should ban Scratch completely!!
TheAutocorrectingCat
Scratcher
1000+ posts

A-MARIO-PLAYER wrote:

GlitchedThrough wrote:

I mean, you can hack with just a laptop, so shall we ban laptop users?
You can hack with really any computer that has access to the internet, even a smart fridge, so we should ban Scratch completely!!
This is a joke post, and not really helping (sorry no disrespect)
To answer the question, trying anything to purposefully mess with the Scratch system is not allowed.
i_eat_coffee
Scratcher
1000+ posts

TheAutocorrectingCat wrote:

A-MARIO-PLAYER wrote:

GlitchedThrough wrote:

I mean, you can hack with just a laptop, so shall we ban laptop users?
You can hack with really any computer that has access to the internet, even a smart fridge, so we should ban Scratch completely!!
This is a joke post, and not really helping (sorry no disrespect)
To answer the question, trying anything to purposefully mess with the Scratch system is not allowed.
the post is just adding to the other post, forming the point

anyway
i believe the tutorial basically said that you would use an api mocking tool to make it so that the page /session says you are admin
to be clear: this just shows the admin panel but it literally cannot load any private admin info that real admins can see or give you access to tools such as updating projects, etc.
you're basically just showing the admin panel on your end, but practically this does nothing for the actual scratch servers
the code of the admin panel is on the github repository, so you can also just copy paste the html + css + js from it to your page using inspect element, and you're achieving the same result

why wouldn't this be allowed?
sure, if you do find a way to *gain unauthorized access to the service*, meaning actually getting access to admin tools such as modifying projects, then you are required to notify the Scratch Team. otherwise, you're breaking the terms of use
blubby4
Scratcher
100+ posts

As someone who did this (and that you may be talking about), I want to reiterate that you CANNOT access sensitive information with this. To actually view the report queue and such, you need to be connected to the VPN (a private VPN hosted by the ST). Using browser dev tools is not hacking.

Edit: If I did find a vulnerability, the first and only thing I would do would be notifying them privately.

Last edited by blubby4 (Sept. 10, 2024 21:36:06)

i_eat_coffee
Scratcher
1000+ posts

blubby4 wrote:

As someone who did this (and that you may be talking about), I want to reiterate that you CANNOT access sensitive information with this. To actually view the report queue and such, you need to be connected to the VPN (a private VPN hosted by the ST). Using browser dev tools is not hacking.
not only be connected to the vpn, but I'm pretty sure you also need the auth token of a scratch account with the admin flag set to true (meaning you have an asterisk to your username)
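
Added example, not part of any post in this thread and not Scratch's code: a small in-process model of the point made in the posts above, that a session response edited in the browser changes what the client draws while the server still decides from its own account record and network check. All function names, field names, tokens and data are assumptions constructed for illustration.

```javascript
// Added illustration. Every name below is hypothetical and the data is
// constructed; none of it is Scratch's real code or API.

// Server-side account records, keyed by auth token.
const ACCOUNTS = new Map([
  ['token-user', { username: 'regular_user', admin: false }],
  ['token-staff', { username: 'staff_member', admin: true }],
]);

// Server: session endpoint. The client only uses this to decide what to draw.
function getSession(token) {
  const account = ACCOUNTS.get(token);
  return account
    ? { username: account.username, role: account.admin ? 'admin' : 'user' }
    : {};
}

// Server: admin endpoint. The decision uses the server's own record and the
// network the request arrived from; the role the client claims is never read.
function getReportQueue(request) {
  const account = ACCOUNTS.get(request.token);
  if (!account) return { status: 401 };
  if (!request.fromStaffNetwork || !account.admin) return { status: 403 };
  return { status: 200, body: ['constructed report entry'] };
}

// Client: picks menu entries from whatever session object it was handed.
function renderMenu(session) {
  return session.role === 'admin' ? ['Home', 'Admin panel'] : ['Home'];
}

// A locally rewritten session object changes the menu, not the server's answer.
function locallyEditedSession(token) {
  const edited = { ...getSession(token), role: 'admin' };
  const response = getReportQueue({
    token,
    fromStaffNetwork: false,
    claimedRole: edited.role, // sent along, ignored by the server
  });
  return { menu: renderMenu(edited), status: response.status };
}

console.log(locallyEditedSession('token-user'));
```
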
han614698
Scratcher
1000+ posts

Let's put it this way - the ST doesn't publicly say it's okay, but there's nothing stopping you and no one will ever know. There's no harm you can cause, so I don't see why you can't.
blubby4
Scratcher
100+ posts

Where did you find the tutorial?
BigNate469
Scratcher
1000+ posts

skibidislicers_ wrote:

I don't think that tutorial will work anyway, it might be a scam.
Having tested it in the past (it was a while ago, don't ask how I did it specifically- I don't remember- but what others have said above sounds right), I can confirm that this works.

skibidislicers_ wrote:

And, in general, hacking is not allowed at all on the site.
It's not hacking if it's not hacking. This is done by essentially tricking the servers at first, but you have to disable some verification stuff on the client side (your browser, running Scratch), to make it last more than a fraction of a second. It's not hacking if it's just messing around with a sandboxed (any change you make does not affect the original- like what happens when you click “see inside” on someone else's Scratch project) environment.

If you were to truly gain admin access without actually being an admin, the best thing you can do is to contact the ST via Contact Us and tell them exactly how you got in. That way, they can hopefully fix it. If you don't do this, you would be breaking the Terms of Use and could (and probably would) get permanently IP banned.
blubby4
Scratcher
100+ posts

skibidislicers_ wrote:

Someone just broke the page with unsupported characters -_-
And it's fixed now. I think I figured out who it was though lol
breakfast_for_dinner
Scratcher
1000+ posts

skibidislicers_ wrote:

(#19)
They would definitely take legal action
why would they do that
BigNate469
Scratcher
1000+ posts

skibidislicers_ wrote:

BigNate469 wrote:

If you were to truly gain admin access without actually being an admin, the best thing you can do is to contact the ST via Contact Us and tell them exactly how you got in. That way, they can hopefully fix it. If you don't do this, you would be breaking the Terms of Use and could (and probably would) get permanently IP banned.
They would definitely take legal action, but let's not get off-topic.
If you told them how you did it (and didn't do any damage), and privately told them about it, then why would they take legal action? You let them know about a major security vulnerability in a way that lets no one else exploit it. If anything they would be thanking you.

If you didn't tell them about it and used it to your own gain, then they could sue you.
han614698
Scratcher
1000+ posts

skibidislicers_ wrote:

(#22)

breakfast_for_dinner wrote:

why would they do that
Because hacking is illegal, if you don't report it to the ST. If someone were to do that, it would most likely be costly, and if they won the case (which they would), they would get compensation for it.
but this isn't hacking??? and hacking isn't necessarily illegal, it's what you do after hacking
BigNate469
Scratcher
1000+ posts

han614698 wrote:

skibidislicers_ wrote:

(#22)

breakfast_for_dinner wrote:

why would they do that
Because hacking is illegal, if you don't report it to the ST. If someone were to do that, it would most likely be costly, and if they won the case (which they would), they would get compensation for it.
but this isn't hacking??? and hacking isn't necessarily illegal, it's what you do after hacking
True.

There is something called “white-hat hacking”, where someone hacks into something intentionally and then tells the creator how they got in. It's actually a very effective method of finding security vulnerabilities, to the point where Google has an entire team (the Google Red Team) dedicated to hacking Google products.
