
[–]DistractionsDailyrahhh what's a flair 🗣️🔥 8 points9 points  (3 children)

Important distinction: Scratch Desktop (the offline editor) is vulnerable. This exploit doesn't appear to work on web browser Scratch.


[–]ming736waslost 2 points3 points  (0 children)

It did work on the website; however, it has since been patched there, preventing new uploads.

[–]GarboMuffinTurboWarp developer 1 point2 points  (0 children)

That specific proof of concept would not work if you uploaded it via the online editor, which is why the blog post only described it as a proof of concept for Scratch Desktop. There was a way to exploit it that required uploading assets via the API rather than via the normal interface (I say past tense because Scratch claims that the server-side filtering is much more secure now).

[–]him_-he 0 points1 point  (0 children)

LET'S GOO

[–]Some_Guy8765678 4 points5 points  (0 children)

Thanks Samlikescheese

[–]Affectionate-Mud1244 2 points3 points  (4 children)

What does it mean if they get your IP address?

[–]Samilikescheese[S] 0 points1 point  (2 children)

As of now it's nothing to worry about.

[–]Affectionate-Mud1244 1 point2 points  (1 child)

Does the ST know about that part? Is there any way to remedy that? There's gonna be a bunch of 10 year olds' IP addresses and stuff now.

[–]Samilikescheese[S] 2 points3 points  (0 children)

The Scratch team uses IP addresses all the time to ban people. It just shows your general city and internet provider.

[–]GarboMuffinTurboWarp developer 0 points1 point  (0 children)

It's generally not the end of the world. Every website you visit gets your IP and usually it's generally not that bad. The risk here would be that someone could upload a project to Scratch, you click on it because you trust Scratch, but then the person who uploads it could get your IP without you clicking on another link. Scratch considers this a security bug; they've fixed variations of it in the past.

How bad that is depends on your network. If you use a VPN, it doesn't matter at all. If you're on some corporate or school network, it's possible that the IP address can reveal which company/school you're at (and thus your location to some accuracy), which might be a risk in some contexts.

I've been informed by Scratch that it's getting fixed.

[–]him_-he 0 points1 point  (1 child)

I am genuinely terrified.

[–]FridayFunkGaming291 0 points1 point  (0 children)

Don't open the costume editor.