
Ask_Pinkamena
Scratcher
51 posts

Cloud Variable "Hack" Glitch

I recently found out how to modify another user's cloud variable projects. Others would call it hacking; it's technically a glitch with the loading.
This glitch was performed (I think) by a user named coinman. For all we know, he/she did this. The glitch's steps will NOT be mentioned,
as this can be used for a bad cause. But I successfully completed my quest figuring it out:

I also managed to reset the variable with the same method. Soon the Scratch Team will be receiving the message I sent them. If you have another method you have found to work, please mention below and contact the Scratch Team.
Hopefully they get to this exploit soon. Or I will try to find a way to prevent multiple voting.

Last edited by Ask_Pinkamena (May 24, 2013 01:45:17)



Magnie
Scratcher
100+ posts


It is kind of well known that Cloud Variables are insecure. And if you think about it from a design and programmer standpoint, there are few ways in which you can fix it. There are actually tools out there designed for modifying cloud variables from outside of Scratch (who has them will not be mentioned here either, I'll just say I don't have a variant). It's all under the “honor” code and trust. However, if you have a problem, you can go back to Scratch 1.4 and create your own “cloud” server for “truer” security (like what I kind of am doing) with the Remote Sensor Connections.

MathWizz
Scratcher
100+ posts


It is impossible to make cloud variables secure without actually running the Scratch project on the server, something the ST cannot afford to do.

Ask_Pinkamena
Scratcher
51 posts


MathWizz wrote:

It is impossible to make cloud variables secure without actually running the Scratch project on the server, something the ST cannot afford to do.
Well, I upheld what I said I would do, a spam detector. It does slow down the rate of spamming, pretty good actually. But I'm working on a kink where it deletes my list. Probably a script flaw. But I can't be sure. If you wish to help, click the link in my signature.


bharvey
Scratcher
1000+ posts


MathWizz wrote:

It is impossible to make cloud variables secure without actually running the Scratch project on the server
I don't believe this. Modern digital cryptography can solve these problems. You digitally sign the project that uses the variable with your password (all on your own computer), the Scratch server records the signature, etc. (I'm not an expert so I have no idea how it works in detail. But it's doable.)

EDIT: Whether this is worthwhile is a different question. There's a lot to be said for deliberate insecurity as a community-building mechanism, sort of like schools with honor codes and no faculty proctoring of exams.

Last edited by bharvey (May 25, 2013 03:54:33)


nXIII
Scratcher
1000+ posts


bharvey wrote:

MathWizz wrote:

It is impossible to make cloud variables secure without actually running the Scratch project on the server
I don't believe this. Modern digital cryptography can solve these problems. You digitally sign the project that uses the variable with your password (all on your own computer), the Scratch server records the signature, etc. (I'm not an expert so I have no idea how it works in detail. But it's doable.)
But how do you distinguish between signed requests from people using the actual project and signed requests from people using the project but sending different update packets?

Hardmath123
Scratcher
1000+ posts


Well, you could have a passcode in the compiled project editor which is not visible to anyone. When you open-source the editor, you replace the password with a comment explaining the situation.
bobbybee
Scratcher
1000+ posts


Hardmath123 wrote:

Well, you could have a passcode in the compiled project editor which is not visible to anyone. When you open-source the editor, you replace the password with a comment explaining the situation.

Decompilers, much?

nXIII
Scratcher
1000+ posts


bobbybee wrote:

Hardmath123 wrote:

Well, you could have a passcode in the compiled project editor which is not visible to anyone. When you open-source the editor, you replace the password with a comment explaining the situation.

Decompilers, much?
Yeah, that (a passcode, not a decompiler) wouldn't help.

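The exchange above between bharvey, nXIII, Hardmath123 and bobbybee comes down to one point that is easier to see in code. What follows is an added example, not anything from Scratch or from the posters: a toy cloud-variable server (the `CloudServer` class, the project id 1234 and the variable name `votes` are all made up for the illustration) that demands an HMAC over every update, using a secret that ships inside the player, as Hardmath123's passcode would. Someone without the secret cannot tamper with an update, but a modified player holding the extracted secret signs any value it likes, so the only check the server can trust is an invariant on the variable itself, and a scripted client that respects the invariant still gets through.

```python
"""Why signing cloud-variable updates does not stop a modified client.

Added example, not Scratch code. The server verifies an HMAC over each
update (bharvey's "sign it" idea) and optionally enforces an invariant on
the variable (a vote counter may only grow by one per update).
"""
import hashlib
import hmac
import json

# Constructed shared secret: stands in for a passcode baked into the
# distributed player. Anyone with the player file can extract it.
CLIENT_SECRET = b"embedded-in-the-player"


def sign(secret, project_id, var, value):
    """HMAC-SHA256 over a canonical encoding of the update."""
    msg = json.dumps(
        {"project": project_id, "var": var, "value": value}, sort_keys=True
    ).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_update(secret, project_id, var, value):
    """What the player (real or modified) sends to the cloud server."""
    return {
        "project": project_id,
        "var": var,
        "value": value,
        "sig": sign(secret, project_id, var, value),
    }


class CloudServer:
    def __init__(self, secret, enforce_invariant=True, max_step=1):
        self.secret = secret
        self.enforce_invariant = enforce_invariant
        self.max_step = max_step
        self.vars = {}  # (project_id, var) -> current value

    def apply(self, update):
        expected = sign(self.secret, update["project"], update["var"], update["value"])
        # compare_digest avoids a timing side channel on the signature check
        if not hmac.compare_digest(expected, update["sig"]):
            return "rejected: bad signature"
        key = (update["project"], update["var"])
        old = self.vars.get(key, 0)
        new = update["value"]
        # The signature only proves the sender holds the client secret. The
        # invariant is the only statement about the *value* the server can make.
        if self.enforce_invariant and not (
            isinstance(new, int) and old < new <= old + self.max_step
        ):
            return "rejected: invariant"
        self.vars[key] = new
        return "accepted"


def demo(project_id=1234, var="votes"):
    """Run the four cases from the thread and return the server's verdicts."""
    results = {}
    server = CloudServer(CLIENT_SECRET)

    # 1. Unmodified player casts one vote: signature and invariant both pass.
    results["legit"] = server.apply(make_update(CLIENT_SECRET, project_id, var, 1))

    # 2. Outsider without the secret edits the value after it was signed.
    tampered = make_update(CLIENT_SECRET, project_id, var, 2)
    tampered["value"] = 9999
    results["tampered"] = server.apply(tampered)

    # 3. Modified player with the extracted secret signs an arbitrary value.
    #    A signature-only server (bharvey's scheme alone) accepts it ...
    sig_only = CloudServer(CLIENT_SECRET, enforce_invariant=False)
    results["sig_only_forge"] = sig_only.apply(
        make_update(CLIENT_SECRET, project_id, var, 9999)
    )
    #    ... while the invariant-checking server rejects it.
    results["modified_client"] = server.apply(
        make_update(CLIENT_SECRET, project_id, var, 9999)
    )

    # 4. Modified player that steps by one each time: indistinguishable from
    #    real votes, which is MathWizz's point about needing the server to
    #    run the project itself.
    results["scripted"] = [
        server.apply(make_update(CLIENT_SECRET, project_id, var, v)) for v in (2, 3, 4)
    ]
    results["final"] = server.vars[(project_id, var)]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} {verdict}")
```

The invariant in `apply` is the server-side analogue of the spam detector Ask_Pinkamena describes: it bounds the damage of each update but cannot tell a human vote from a scripted one, because both arrive with a valid signature from the same secret.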
TRocket
Scratcher
100+ posts


We've known about this in AT for a little while now… The same thing happened during the alpha with cloud lists. Luckily, at that point there were only about 300-400 active users.
As MathWizz said, it's impossible to do this unless it is run on the server. They could certainly make it harder for non-programmers to be able to do this, but in the end it will always be possible to send your own data (as I proved with mymaths, an online homework service used in the UK). If Scratch wasn't programmed in Flash (easily decompilable) it could be made a lot harder to change cloud variables outside of Scratch.

mrsrec
Scratcher
500+ posts


Encrypt It Like An Unshared Project
16LiuJ
Scratcher
1 post


Wow… This is dangerous. If anyone finds out and abuses it, people may find their cloud variables being messed up by that one person. I hope nobody finds out about this. (I don't know how to do it, just saying)
Paddle2See
Scratch Team
1000+ posts


This topic is really old - please check the date of the last post before adding a new post. You may be “necroposting” - bringing a topic back to life that is no longer relevant




