Custom project page colors/styles in ordinary scratch (plus more things)

atomicbryght

-S0dium- wrote:
haandatel wrote:
RealApplePieStudios wrote:
haandatel wrote:
let us all agree to never speak of this again
Speak of what? The thing were supposed to speak of in this chat, which is css?
it literally just caused a scratchwide hacking inccedent
wait what

look at this for more information

MuricanStonkEmpire

I think they have patched this I got my account back after getting canvased

STebBerry

MuricanStonkEmpire wrote:
I think they have patched this I got my account back after getting canvased

they did not patch it, my chatroom still has a style

TimothyLawyer

STebBerry wrote:
they did not patch it, my chatroom still has a style

i think they are referring to this

STebBerry

TimothyLawyer wrote:
STebBerry wrote:
they did not patch it, my chatroom still has a style
i think they are referring to this

if they were referring to that why would thyey post it in a topic not about that exploit? this topic is about custom project styles so i assumed thats what he was talking about

Its_me_ryan368

atomicbryght wrote:
-S0dium- wrote:
haandatel wrote:
RealApplePieStudios wrote:
haandatel wrote:
let us all agree to never speak of this again
Speak of what? The thing were supposed to speak of in this chat, which is css?
it literally just caused a scratchwide hacking inccedent
wait what
look at this for more information

This is bad…

RealApplePieStudios

Its_me_ryan368 wrote:
atomicbryght wrote:
-S0dium- wrote:
haandatel wrote:
RealApplePieStudios wrote:
haandatel wrote:
let us all agree to never speak of this again
Speak of what? The thing were supposed to speak of in this chat, which is css?
it literally just caused a scratchwide hacking inccedent
wait what
look at this for more information
This is bad…

its really really bad, but they are already trying to contain and eliminate it, so avoid suspicious projects and you should be fine

Spooky_Lukey

STebBerry wrote:
TimothyLawyer wrote:
STebBerry wrote:
they did not patch it, my chatroom still has a style
i think they are referring to this
if they were referring to that why would thyey post it in a topic not about that exploit? this topic is about custom project styles so i assumed thats what he was talking about

the title says “plus more things”

Last edited by Spooky_Lukey (May 5, 2026 14:34:57)

nembence

Spooky_Lukey wrote:
STebBerry wrote:
TimothyLawyer wrote:
STebBerry wrote:
they did not patch it, my chatroom still has a style
i think they are referring to this
if they were referring to that why would thyey post it in a topic not about that exploit? this topic is about custom project styles so i assumed thats what he was talking about
the title says “plus more things”

I think that refers to the CSS scrolling

This CSS thing is different from what the virus is using, this works as soon as the project loads but can't inject JavaScript (because it works in sanitized costumes), while the virus uses JavaScript and works only if you go to the costume editor (because it works by exploiting some code in the costume editor to inject an unsanitized costume into the page)

Last edited by nembence (May 5, 2026 14:48:52)

CST1229

haandatel wrote:
(#397)
RealApplePieStudios wrote:
haandatel wrote:
let us all agree to never speak of this again
Speak of what? The thing were supposed to speak of in this chat, which is css?
it literally just caused a scratchwide hacking inccedent

its not, it affects an unrelated part of scratch

(the css exploit is in scratch-svg-renderer, the xss exploit is in paper.js (what the costume editor uses))

Last edited by CST1229 (May 5, 2026 15:15:27)

STebBerry

CST1229 wrote:
haandatel wrote:
(#397)
RealApplePieStudios wrote:
haandatel wrote:
let us all agree to never speak of this again
Speak of what? The thing were supposed to speak of in this chat, which is css?
it literally just caused a scratchwide hacking inccedent
its not, it affects an unrelated part of scratch

(the css exploit is in scratch-svg-renderer, the xss exploit is in paper.js (what the costume editor uses))

exactly. people are making it seem like this exploit is hacking people too

OrangeCat747

I'm bored of this “customization”,Custom project page colors/styles in ordinary scratch, etc… PEOPLE ARE MAKING VIRUSES!!… pls ban .svg files from scratch, images are .png or .jpg NO MORE!

OrangeCat747

OrangeCat747 wrote:
I'm bored of this “customization”,Custom project page colors/styles in ordinary scratch, etc… PEOPLE ARE MAKING VIRUSES!!… pls ban .svg files from scratch, images are .png or .jpg NO MORE!

https://scratch.mit.edu/projects/1316167087

cheese2_

Viruses oh no

STebBerry

OrangeCat747 wrote:
I'm bored of this “customization”,Custom project page colors/styles in ordinary scratch, etc… PEOPLE ARE MAKING VIRUSES!!… pls ban .svg files from scratch, images are .png or .jpg NO MORE!

okay, did you not know that svg's are the ONLY way you can use vector in scratch? and it's not a virus, it's an exploit, and if you're talking about the thing people are using to hack accounts, that's a different bug from this. what scratch SHOULD do is just fix the sanitization. svg's are completely fine, and without svg's vector wouldn't exist. stop overreacting.

cheese2_

So it's not a virus it's a hack

Digitat321

haandatel wrote:
RealApplePieStudios wrote:
haandatel wrote:
let us all agree to never speak of this again
Speak of what? The thing were supposed to speak of in this chat, which is css?
it literally just caused a scratchwide hacking inccedent

i am pretty sure it was initially discovered in 2024 but has resurfaced again

STebBerry

OrangeCat747 wrote:
I'm bored of this “customization”,Custom project page colors/styles in ordinary scratch, etc… PEOPLE ARE MAKING VIRUSES!!… pls ban .svg files from scratch, images are .png or .jpg NO MORE!

AGAIN: okay, did you not know that svg's are the ONLY way you can use vector in scratch? and it's not a virus, it's an exploit, and if you're talking about the thing people are using to hack accounts, that's a different bug from this. what scratch SHOULD do is just fix the sanitization. svg's are completely fine, and without svg's vector wouldn't exist. stop overreacting.
edit: sorry if i sound rude, i was in a bad mood when i posted that

Last edited by STebBerry (May 5, 2026 18:23:30)

nembence

STebBerry wrote:
OrangeCat747 wrote:
I'm bored of this “customization”,Custom project page colors/styles in ordinary scratch, etc… PEOPLE ARE MAKING VIRUSES!!… pls ban .svg files from scratch, images are .png or .jpg NO MORE!
AGAIN: okay, did you not know that svg's are the ONLY way you can use vector in scratch? and it's not a virus, it's an exploit, and if you're talking about the thing people are using to hack accounts, that's a different bug from this. what scratch SHOULD do is just fix the sanitization. svg's are completely fine, and without svg's vector wouldn't exist. stop overreacting.

I think they should make sure that the costume editor uses the same sanitizer as the project player

whitnlan000

OrangeCat747 wrote:
OrangeCat747 wrote:
I'm bored of this “customization”,Custom project page colors/styles in ordinary scratch, etc… PEOPLE ARE MAKING VIRUSES!!… pls ban .svg files from scratch, images are .png or .jpg NO MORE!
https://scratch.mit.edu/projects/1316167087

This virus isn't really the same SVG tech. We are changing the SVG to edit the css of the page. They are making an SVG with seemingly random text, that could be injected to run JS.

Discuss Scratch