Warning: This article is only intended to give examples and educate users about hacking. Please do not attempt anything in this article, as it could lead to alerts or a ban.
Hacking, in computer science terminology, is tampering with another individual's or company's (or one's own) software, computers, or databases. Scratch currently has no history of any hacking in this context.
However, its mainstream use on Scratch usually refers to a Scratcher's account information (i.e. their username and password) being obtained by a "hacker", who then gains unauthorised access to that account. This can become problematic, as the hacker can delete projects and engage in inappropriate behavior to get the account banned. Such instances are often easily prevented.
Note: The term hacking from here on will refer to the methods used to exploit account information.
- Main article: Phishing
Sometimes others trick users into giving their private information away (such as a password) — this is called phishing.
UserA is on Scratch and they made a project which links to a website which requests the visitor's Scratch password for followers. UserB is new and does not know much about hacking and gives away their Scratch password to UserA. UserA can use this information to gain unauthorized access to UserB's account.
Although hacking is used as a broad term, there are often cases of alleged hacking that aren't considered so:
- Main article: kaj
- See also: List of Misconceptions about Scratch#kaj
There have been rumors that kaj once hacked or stole another account, and kaj is sometimes used to symbolize hacking. People have also made fake accounts claiming to be kaj; such accounts get banned. However, kaj never hacked or stole accounts; he only claimed that he would destroy Scratch because he wanted more views.
- Main article: JSON Tutorial
Some users refer to modifying the JSON code of a project as "hacking"; however, it is not a method of exploiting personal information. It is editing a project without using the online or offline editors.
In this context, hacking refers to unauthorized modifications made to the Scratch project code: modifying the JSON in order to implement features that are not possible in the normal editor, such as placing variables inside of dropdowns.
The Scratch Team partially discourages doing so because it could confuse new users.
Leaving Accounts Logged In
A common mistake users make is to accidentally leave their Scratch account logged in on a public computer, such as a school or library computer. Other people will then find that an account is logged in and use it inappropriately, resulting in a ban. While this is often dubbed "hacking", such an instance is generally not considered so, since it is easily preventable by the user.
Stealing account information, by contrast, requires extracting passwords and other data from the website's encrypted database through an exploit. This would be considered hacking.
Note: Since the Scratch Website and all Scratch-related projects "sanitize database queries" (meaning that SQL commands entered into input fields are not run by the database), this should not work on any of them.
SQL injection is undoubtedly the most common method individuals use for hacking website databases. A database on a web server is an organized unit of storage, typically in table-based format. The database software is a separate program from the web server and from the server-side code interpreter (such as PHP or Python) that runs alongside it. SQL database programs use commands to manage the databases: reading from table cells, writing data to table cells, and so on.
All SQL database programs use similar syntax to one another. An example of a command in MySQL, a common database program, is as follows:
INSERT INTO table VALUES('GenericScratcher','password',0);
The above command inserts a new row into the table named "table" with the specified values. Since three values were specified, separated by commas, the table must have three columns. The first value goes into the leftmost column and the last value into the rightmost column. Such commands can be typed directly into the database's own command-line client, run from the operating system's terminal.
Often, however, the SQL command cannot be typed into the database directly, because it originates in a program that is not the SQL program. For instance, PHP, a server-side scripting language, cannot execute SQL commands itself, but it can pass the commands on to a SQL program to be executed. This is where the vulnerability comes into play.
When a server-side language sends a command to a SQL program, the command must be formatted as a string, that is, a sequence of characters. Very often, user input from a website will be placed inside such a SQL command. For instance, a website may have two input boxes for logging in, "username" and "password". An example of PHP code that builds a query from the username and password values, to be sent to the database, is as follows:
<?php
$username = $_REQUEST['username']; // stores the username input in a variable
$password = $_REQUEST['password']; // stores the password input in a variable
// command to be sent to the database; the table is assumed here to be named "users"
$query = "SELECT * FROM users WHERE username ='$username' and password ='$password';";
?>
Notice that single quotation marks surround both the username and password inputs of the end user. If the end user entered "test" for the username and "password" for the password, the query would appear as follows:
SELECT * FROM users WHERE username ='test' and password ='password';
When this command is sent to the database, it checks whether any row of the table has that username and password. If no rows match, more code can decide where to go from there. Now suppose an individual puts a single quote into the actual input. This closes the previous single quote, and the rest of the input becomes part of the command that is sent to the SQL server to be executed. For example, if the user types "test" as the username and "' or '1'='1;" as the password, the user will log on as that user without actually knowing the user's password. The query, in this case, would be:
SELECT * FROM users WHERE username ='test' and password ='' or '1'='1';
The password check passes because of the "or" logic, which could provide an end user with easy access to the user's settings and privileges. This only poses a risk when the command has to be transferred to the SQL program from another program as a string. Ordinary string concatenation is harmless when a string's delimiter character appears inside it, unless the resulting string is passed on to a SQL program, because the SQL program parses that string as a command again, so quotes inside the data are read as part of the command.
This vulnerability can be fixed in various ways. One option is to reject certain quote characters by checking user inputs for them, which could prevent injection. This may not be the best solution, because quotes are often used in normal sentences. Quotes can also be turned into HTML entities that are rendered as quotes even though the stored text is not a quote character itself. One can also use prepared statements in the server-side language, which send the SQL command and the user's values to the database separately, to prevent injection.
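The concatenated login query above and the prepared-statement fix, side by side, as an added example that is not code from the original page or from Scratch. It uses Python's sqlite3 module with an in-memory database instead of PHP and MySQL; the users table, its column names, and the sample rows are constructed assumptions. It also shows the INSERT row layout discussed earlier (one value per column, left to right) and why the "or" trick works: "and" binds more tightly than "or", so the injected condition is true for every row.

```python
import sqlite3

# Constructed sample data: a throwaway in-memory table named "users" (assumed name).
# Passwords are stored in plaintext only to mirror the page's example query; a real
# site stores password hashes, not passwords.
SAMPLE_USERS = [
    ("GenericScratcher", "password", 0),
    ("UserB", "correct horse", 0),
]


def make_db():
    """Create the in-memory database and fill it with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, flags INTEGER)")
    # Same shape as the INSERT on the page: one value per column, leftmost to rightmost.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by string concatenation, exactly like the PHP snippet above.
    The user's text becomes part of the SQL, so a quote in the input changes the
    meaning of the command. Returns the usernames the database considers logged in."""
    query = (
        "SELECT username FROM users WHERE username ='" + username
        + "' and password ='" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_prepared(conn, username, password):
    """Prepared statement: the SQL text is fixed and the inputs travel as separate
    values bound to the ? placeholders. A quote in the input is just a character
    inside a value and is never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? and password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run both login functions on a normal login and on the page's injected input."""
    conn = make_db()
    good = ("UserB", "correct horse")
    injected = ("test", "' or '1'='1")  # the password input discussed on the page
    return {
        # Correct credentials: both versions find exactly UserB.
        "vuln_good": login_vulnerable(conn, *good),
        # Injected: WHERE username='test' and password='' or '1'='1' matches every row.
        "vuln_injected": login_vulnerable(conn, *injected),
        "prep_good": login_prepared(conn, *good),
        # Injected: no user is literally named "test", so nothing matches.
        "prep_injected": login_prepared(conn, *injected),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable version returns every user for the injected input, which is the behaviour the page describes, while the prepared statement returns nothing because the whole string `' or '1'='1` is compared against the password column as plain data. Rejecting quote characters, the page's first suggestion, would also block this particular input, but the prepared statement works regardless of which characters the attacker chooses.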
What to do if an account is hacked
If an account is hacked, the Scratcher in question should use the Contact Us link in the footer of the website to get in touch with the Scratch Team and tell them what has happened; the Scratch Team will do their best to keep the hacked account safe. The message should include the following:
- The username of the hacked account
- The user who hacked the account (if known and fully certain)
- Ways the Scratch Team can contact the owner of the hacked account
- If the password has already been changed (if possible)
- Any other information the Scratch Team needs to know
If the user with the hacked account can still log in, it is advisable to change the password so the account is no longer accessible to the hacker.
In severe cases, notify the local law enforcement.
Account Security Tips
While some hacking cases are not preventable by the user themselves, there are several measures you can take to make sure accounts stay protected:
- Log out of an account after finishing using the website, especially if the device being used is a public or shared computer.
- Use a strong password, and do not share it with anyone else. For tips on how to create a strong password, see Password#Ways to Make a Strong Password. Make sure that the password is not too long, but not too short. Do not make passwords easy to guess, such as setting it to "password", the username, or a birthday. Change passwords every few months for maximum protection. Write down passwords and keep them in a safe place to avoid being locked out of the account.
- Be careful when entering sensitive information on the site. If something sounds too good to be true, it probably is. Scratch will never ask for your username or password, unless logging in or deleting a project.
- If a user trying to hack an account is found, report it to the Scratch Team immediately.
- Link a parent or guardian's email address to an account if it is being used by a user under 16. This makes recovering a hacked account easier, and if the password needs to be changed, it can be done through the linked email.