Discuss Scratch

Iamnotarobot124
Scratcher
100+ posts

Scratch API concerns

Scratch API concerns

Hello there, forumers. Some of you might be aware of a recent influx of hackers on cloud projects, notably ones shared by the popular Scratcher “griffpatch”. If you aren't, then here is a simplified explanation for you. People have been using Scratch's cloud API to change cloud data on popular projects and games. This allows them to change the position of their avatar, create bots, or even change their display names to racial slurs and swears. Some people have even speculated that Scratch Team shut down the cloud system last year due to this issue, and although it hasn't been proven, it remains likely. Since they turned back on the cloud a few months ago, these users have been seen in several projects trying to exploit this vulnerability in the Scratch API to cause harm. In case you think this is “not supported with evidence”, let me reinforce it with several screenshots I made. (exploiters' usernames are blurred, as to not cause any drama in the community) Image from cloud data logs. Image from actual game itself. Also, if you don't believe that, then Griffpatch himself had to put a statement in the update logs for one of his projects about the hackers.

How you can fix this:
The (probable) hackers seen in the cloud logs are banned accounts, and still are accessing the API. Even if they are not exploiting, they are still banned accounts nonetheless. The first thing you should do to fix this problem is to not let banned accounts use the API! You need to strengthen the security, and patch these vulnerabilities to stop this problem! You should also add more moderation around projects using the cloud feature, and maybe ban projects displaying usernames online. This way, people will not be able to see any potentially modified data, and potential swear words.

At the end of the day:
Fixing this issue is crucial. Stopping people from exploiting the API might not just save data from being exploited, but children from seeing harmful, and possibly 18+ content. This issue has been happening for years, and it needs to be addressed quickly. Thank you for listening, and sorry for being unprofessional. I am not a very good writer, and I just wanted to tell everybody about my concerns. Any comments and constructive criticism will be greatly appreciated.



Last edited by Iamnotarobot124 (July 30, 2025 20:53:17)

Litterbl0cks
Scratcher
100+ posts


Iamnotarobot124 wrote:

Scratch API concerns

Hello there, forumers. Some of you might be aware of a recent influx of hackers on cloud projects, notably ones shared by the popular Scratcher “griffpatch”. If you aren't, then here is a simplified explanation for you. People have been using Scratch's cloud API to change cloud data on popular projects and games. This allows them to change the position of their avatar, create bots, or even change their display names to racial slurs and swears. Some people have even speculated that Scratch Team shut down the cloud system last year due to this issue, and although it hasn't been proven, it remains likely. Since they turned back on the cloud a few months ago, these users have been seen in several projects trying to exploit this vulnerability in the Scratch API to cause harm. In case you think this is “not supported with evidence”, let me reinforce it with several screenshots I made. (exploiters' usernames are blurred, as to not cause any drama in the community) Image from cloud data logs. Image from actual game itself. Also, if you don't believe that, then Griffpatch himself had to put a statement in the update logs for one of his projects about the hackers.

How you can fix this:
The (probable) hackers seen in the cloud logs are banned accounts, and still are accessing the API. Even if they are not exploiting, they are still banned accounts nonetheless. The first thing you should do to fix this problem is to not let banned accounts use the API! You need to strengthen the security, and patch these vulnerabilities to stop this problem! You should also add more moderation around projects using the cloud feature, and maybe ban projects displaying usernames online. This way, people will not be able to see any potentially modified data, and potential swear words.

At the end of the day:
Fixing this issue is crucial. Stopping people from exploiting the API might not just save data from being exploited, but children from seeing harmful, and possibly 18+ content. This issue has been happening for years, and it needs to be addressed quickly. Thank you for listening, and sorry for being unprofessional. I am not a very good writer, and I just wanted to tell everybody about my concerns. Any comments and constructive criticism will be greatly appreciated.





you seem very professional. although perhaps add a profile link for griffpatch? (like make it clickable using the URL feature)

Last edited by Litterbl0cks (July 30, 2025 20:48:11)

Iamnotarobot124
Scratcher
100+ posts


Litterbl0cks wrote:

Iamnotarobot124 wrote:

Scratch API concerns

Hello there, forumers. Some of you might be aware of a recent influx of hackers on cloud projects, notably ones shared by the popular Scratcher “griffpatch”. If you aren't, then here is a simplified explanation for you. People have been using Scratch's cloud API to change cloud data on popular projects and games. This allows them to change the position of their avatar, create bots, or even change their display names to racial slurs and swears. Some people have even speculated that Scratch Team shut down the cloud system last year due to this issue, and although it hasn't been proven, it remains likely. Since they turned back on the cloud a few months ago, these users have been seen in several projects trying to exploit this vulnerability in the Scratch API to cause harm. In case you think this is “not supported with evidence”, let me reinforce it with several screenshots I made. (exploiters' usernames are blurred, as to not cause any drama in the community) Image from cloud data logs. Image from actual game itself. Also, if you don't believe that, then Griffpatch himself had to put a statement in the update logs for one of his projects about the hackers.

How you can fix this:
The (probable) hackers seen in the cloud logs are banned accounts, and still are accessing the API. Even if they are not exploiting, they are still banned accounts nonetheless. The first thing you should do to fix this problem is to not let banned accounts use the API! You need to strengthen the security, and patch these vulnerabilities to stop this problem! You should also add more moderation around projects using the cloud feature, and maybe ban projects displaying usernames online. This way, people will not be able to see any potentially modified data, and potential swear words.

At the end of the day:
Fixing this issue is crucial. Stopping people from exploiting the API might not just save data from being exploited, but children from seeing harmful, and possibly 18+ content. This issue has been happening for years, and it needs to be addressed quickly. Thank you for listening, and sorry for being unprofessional. I am not a very good writer, and I just wanted to tell everybody about my concerns. Any comments and constructive criticism will be greatly appreciated.





you seem very professional. although perhaps add a profile link for griffpatch? (like make it clickable using the URL feature)

done!

ispretty
Scratcher
500+ posts


A couple of thoughts:
1) Not allowing banned accounts to update cloud variables is, I agree, a good idea, but it wouldn’t fix the issue. People could just make a million new accounts with spoofed IP addresses, go on popular projects, and access the API with those. I'm not really sure what the fix for this could be, maybe a “cloud updater” block that tells you the person who updated the cloud variable could be a good idea.

2) The ST does not have the capacity to monitor cloud projects closely. I’m pretty sure they don’t even have 30 moderators and, between looking at the forums, studios, and projects, they simply don’t have the time to sift through cloud logs.
Iamnotarobot124
Scratcher
100+ posts


ispretty wrote:

A couple of thoughts:
1) Not allowing banned accounts to update cloud variables is, I agree, a good idea, but it wouldn’t fix the issue. People could just make a million new accounts with spoofed IP addresses, go on popular projects, and access the API with those. I'm not really sure what the fix for this could be, maybe a “cloud updater” block that tells you the person who updated the cloud variable could be a good idea.

2) The ST does not have the capacity to monitor cloud projects closely. I’m pretty sure they don’t even have 30 moderators and, between looking at the forums, studios, and projects, they simply don’t have the time to sift through cloud logs.

1) True, I thought of that. I included that because I wanted to clarify how messed up it was… also, creating new bot accounts is much more difficult than logging onto a pre-existing account.

2) I understand. What I meant with the whole username thing is to make it not allowed, just as free chat isn't allowed.

Last edited by Iamnotarobot124 (July 31, 2025 18:14:33)

unconstructable13
Scratcher
100+ posts


How about this: People will not be able to use the cloud API if the requests were not done through the Scratch website itself.
The API would have to look for some special key or parameter that only the Scratch website would be able to generate. Without that thingy the API would reject that request.
But then again some dumb hacker might find a way to make a cloud API request complete with that special key thing through other means.

-AnythingCode-
Scratcher
100+ posts


Iamnotarobot124 wrote:

Scratch API concerns

Hello there, forumers. Some of you might be aware of a recent influx of hackers on cloud projects, notably ones shared by the popular Scratcher “griffpatch”. If you aren't, then here is a simplified explanation for you. People have been using Scratch's cloud API to change cloud data on popular projects and games. This allows them to change the position of their avatar, create bots, or even change their display names to racial slurs and swears. Some people have even speculated that Scratch Team shut down the cloud system last year due to this issue, and although it hasn't been proven, it remains likely. Since they turned back on the cloud a few months ago, these users have been seen in several projects trying to exploit this vulnerability in the Scratch API to cause harm. In case you think this is “not supported with evidence”, let me reinforce it with several screenshots I made. (exploiters' usernames are blurred, as to not cause any drama in the community) Image from cloud data logs. Image from actual game itself. Also, if you don't believe that, then Griffpatch himself had to put a statement in the update logs for one of his projects about the hackers.

How you can fix this:
The (probable) hackers seen in the cloud logs are banned accounts, and still are accessing the API. Even if they are not exploiting, they are still banned accounts nonetheless. The first thing you should do to fix this problem is to not let banned accounts use the API! You need to strengthen the security, and patch these vulnerabilities to stop this problem! You should also add more moderation around projects using the cloud feature, and maybe ban projects displaying usernames online. This way, people will not be able to see any potentially modified data, and potential swear words.

At the end of the day:
Fixing this issue is crucial. Stopping people from exploiting the API might not just save data from being exploited, but children from seeing harmful, and possibly 18+ content. This issue has been happening for years, and it needs to be addressed quickly. Thank you for listening, and sorry for being unprofessional. I am not a very good writer, and I just wanted to tell everybody about my concerns. Any comments and constructive criticism will be greatly appreciated.




Literally every single griffpatch game right now that is multiplayer is completely hacked. I have heard of hackers in scratch games before but this is beyond anything I have seen at all. The game is unplayable.

I really hope the hackers stop soon
aaryaz_codecentral
Scratcher
66 posts


-AnythingCode- wrote:

Iamnotarobot124 wrote:

Scratch API concerns

Hello there, forumers. Some of you might be aware of a recent influx of hackers on cloud projects, notably ones shared by the popular Scratcher “griffpatch”. If you aren't, then here is a simplified explanation for you. People have been using Scratch's cloud API to change cloud data on popular projects and games. This allows them to change the position of their avatar, create bots, or even change their display names to racial slurs and swears. Some people have even speculated that Scratch Team shut down the cloud system last year due to this issue, and although it hasn't been proven, it remains likely. Since they turned back on the cloud a few months ago, these users have been seen in several projects trying to exploit this vulnerability in the Scratch API to cause harm. In case you think this is “not supported with evidence”, let me reinforce it with several screenshots I made. (exploiters' usernames are blurred, as to not cause any drama in the community) Image from cloud data logs. Image from actual game itself. Also, if you don't believe that, then Griffpatch himself had to put a statement in the update logs for one of his projects about the hackers.

How you can fix this:
The (probable) hackers seen in the cloud logs are banned accounts, and still are accessing the API. Even if they are not exploiting, they are still banned accounts nonetheless. The first thing you should do to fix this problem is to not let banned accounts use the API! You need to strengthen the security, and patch these vulnerabilities to stop this problem! You should also add more moderation around projects using the cloud feature, and maybe ban projects displaying usernames online. This way, people will not be able to see any potentially modified data, and potential swear words.

At the end of the day:
Fixing this issue is crucial. Stopping people from exploiting the API might not just save data from being exploited, but children from seeing harmful, and possibly 18+ content. This issue has been happening for years, and it needs to be addressed quickly. Thank you for listening, and sorry for being unprofessional. I am not a very good writer, and I just wanted to tell everybody about my concerns. Any comments and constructive criticism will be greatly appreciated.




Literally every single griffpatch game right now that is multiplayer is completely hacked. I have heard of hackers in scratch games before but this is beyond anything I have seen at all. The game is unplayable.

I really hope the hackers stop soon

Yeah, it's true... I just went on and there were 200 players

Iamnotarobot124
Scratcher
100+ posts



Due to this issue, Griffpatch's MMO platformer has been shut down. In griffpatch's own words:

Griffpatch (in the project description) wrote:

Sorry - a small number of very persistent coders have made it their intention to ruin our cloud game fun, so for the time being I have had to take this offline. I hope the Scratch Team will take notice and block cloud hacking by any account that is already banned or a new scratcher! This would help no end.
aaryaz_codecentral
Scratcher
66 posts


Iamnotarobot124 wrote:

Due to this issue, Griffpatch's MMO platformer has been shut down. In griffpatch's own words:

Griffpatch (in the project description) wrote:

Sorry - a small number of very persistent coders have made it their intention to ruin our cloud game fun, so for the time being I have had to take this offline. I hope the Scratch Team will take notice and block cloud hacking by any account that is already banned or a new scratcher! This would help no end.

I think it is back

24lov2
Scratcher
1 post


What about the games that require the API to work like Weather 2 that need it to run?
The_Floppy_Disc
Scratcher
100+ posts


I agree. This is a huge problem. Even if they are not writing inappropriate things, this still ruins the fun.
ispretty
Scratcher
500+ posts


24lov2 wrote:

What about the games that require the API to work like Weather 2 that need it to run?

They can make the API read-only for people who shouldn't have access
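
The restriction discussed in this thread (no cloud writes from banned or New Scratcher accounts, read-only access for them instead, and a record of who updated each variable), as an added example that is not Scratch's code and not written by any poster here. The account states, message fields and write budget are assumptions; the decision uses the server's own account state rather than a key sent by the client.

```python
from dataclasses import dataclass, field

# Account states are assumptions for this sketch; the thread names banned
# accounts and "New Scratcher" accounts as the ones to restrict.
BANNED, NEW_SCRATCHER, SCRATCHER = "banned", "new_scratcher", "scratcher"
WRITE_ALLOWED = {SCRATCHER}
MAX_WRITES, WINDOW_SECONDS = 3, 1.0   # assumed per-account write budget

@dataclass
class CloudGate:
    accounts: dict                                      # username -> state
    audit: list = field(default_factory=list)           # attributed write log
    recent_writes: dict = field(default_factory=dict)   # username -> timestamps

    def handle(self, session_user, msg, now):
        """session_user is the identity the server took from the login
        session, never a field the client put in the message."""
        state, method = self.accounts.get(session_user), msg.get("method")
        if state is None:
            decision = "deny:unknown_account"
        elif method == "get":
            decision = "allow"                  # restricted accounts stay read-only
        elif method != "set":
            decision = "deny:bad_method"
        elif state not in WRITE_ALLOWED:
            decision = "deny:read_only"
        else:
            recent = [t for t in self.recent_writes.get(session_user, [])
                      if now - t < WINDOW_SECONDS]
            decision = "allow" if len(recent) < MAX_WRITES else "deny:rate_limited"
            if decision == "allow":
                recent.append(now)
            self.recent_writes[session_user] = recent
        if method == "set":   # record who attempted each write, allowed or not
            self.audit.append((now, session_user, msg.get("name"), decision))
        return decision

def demo():
    # Constructed accounts and messages, not real Scratch traffic.
    gate = CloudGate({"alice": SCRATCHER, "mallory": BANNED, "newbie": NEW_SCRATCHER})
    write = {"method": "set", "name": "player_x", "value": "120"}
    steps = [("mallory", write, 0.0), ("mallory", {"method": "get"}, 0.0),
             ("newbie", write, 0.1), ("ghost", write, 0.1),
             ("alice", write, 0.2), ("alice", write, 0.3), ("alice", write, 0.4),
             ("alice", write, 0.5), ("alice", write, 1.6)]
    return [gate.handle(u, m, t) for u, m, t in steps], gate.audit

if __name__ == "__main__":
    for row in demo()[1]:
        print(row)
```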
