Note Warning: This article is only intended to give examples, and educate users about hacking. Please do not attempt anything in this article, as it could lead to alerts or a ban.

Hacking in computer science terminology is tampering of another individual or company's (or one's own) software, computers, or databases. However, on Internet terminology is when a user finds out one's password in any manner and uses it to get onto their account. Typically, when they are on the account they cause problems; such as deleting projects and doing inappropriate behavior in order to get the account banned. There are many types of hacking that range from trying random combinations of characters to tricking a user into telling their password.


Main article: Phishing

Sometimes users trick other users into giving their private information away (such as a password) — this is called phishing.[1]


UserA is on Scratch and they made a project which links to a website which requests the visitor's Scratch password for followers. UserB is new and does not know much about hacking and gives away their Scratch password to UserA.



Main article: kaj
See also: List of Misconceptions about Scratch#kaj

There have been rumors that kaj once hacked or stole another account. kaj is sometimes used to symbolize hacking. People have also made fake accounts claiming to be kaj; such accounts get banned.[citation needed] However, kaj never hacked or stole accounts; he only claimed to destroy Scratch due to wanting more views.

"Hacking" Projects

Main article: JSON Tutorial

Some users refer to modifying the JSON code of a project as "hacking", however, it is not hacking as discussed in this article. This is simply editing a project without using the online or offline editors.

The term is more correct when modifying the JSON in order to implement features never possible in the normal editor, such as placing variables inside of dropdowns.

The Scratch Team partially discourages doing so because it could confuse new users.[2]

SQL Injection

Note Note: Since the Scratch Website and all Scratch-related projects "sanitizes database queries" (meaning that SQL commands are not run when entered into the database), this should not work on any of them.

SQL injection is undoubtedly the most common method individuals use for hacking website databases. A database on a web server is an organized unit of storage, typically in table-based format. The database software that a web server runs is entirely separate from the software the server and server-side code interpretation run on (such as PHP or Python). SQL database programs use codes to manage the databases, meaning reading from table cells, writing data to table cells, etc.

All SQL programs use similar syntax to one another. An example of a command from MySQL, a common database software, is as follows:

INSERT INTO table VALUES('GenericScratcher','password',0);

The above code is a command that would insert a new column into the table by the name "table" with the specified values. Since three values were specified and separated by commas, this means the table has three columns to it. The first value goes into the leftmost column, and the right goes into the rightmost column. These commands can be executed within the terminal or command line interface of an operating system.

There come many times when the SQL command cannot be directly executed because the command is not being interpreted by the SQL program. For instance, PHP, a server-side scripting language, cannot execute SQL commands because it is not programmed to do so, but it can transfer over the commands to a SQL program to be executed by it. This is where the vulnerability comes into action.

When a server-side language sends a command to a SQL program, the command must be formatted as a string or sequence of computer characters. Very often, user entries on websites will be placed within a SQL command. For instance, a website may have two input boxes for logging in, "username" and "password". An example of PHP code that would pass on the username and password values to a database to be analyzed would be as follows:

    $username = $_REQUEST['username']; //stores username input into a variable
    $password = $_REQUEST['password'];
    $query = "SELECT * WHERE username ='$username' and password ='$password';"; //command to be sent to database

Notice that single quotation marks surround both the username and password inputs of the end user. If the end user entered "test" for the username and "password" for the password, the query would appear as follows:

SELECT * WHERE username ='test' and password ='password';

When this command is sent to the database, it can analyze if there are any columns of its table with that username and password match. If there are not any rows, more code can be used to decide where to go from there. Anyways, suppose an individual puts single quotes into the actual input. This would cancel out the previous single quote, and the user can enter any malicious command that will be sent to the SQL server to be executed. For example, if the user types "test" as the username and "' or '1'='1;" as the password, the user will automatically log on as that user without actually knowing the user's password. The query, in this case, would be:

SELECT * WHERE username ='test' and password ='' or '1'='1';

The password will pass because of the "or" logic, and could provide an end user with easy access to the user's settings and privileges. This only poses a risk when the command has to be transferred to the SQL program from another program in string format. Concatenation of strings works perfectly when placing the string's outer character into the inside unless the outputted string will be passed to a SQL program because strings within have to be sent in their assignment format/state to the SQL program.

This vulnerability can be fixed in various ways. For one thing, preventing the usage of certain quotes by checking user inputs for them could prevent injection. This may not be the best because quotes are often used in normal sentences and such. Quotes can be turned into HTML entities that will be rendered as quotes even though the true HTML text is not a quote itself. One can also make use of prepared statements in a server-side language to prevent injection.

What to Do if One is Hacked

If in the rare[citation needed] case that an account is hacked, the Scratcher in question should use the Contact Us link in the footer of the website. They then should get in contact with the Scratch Team and tell them what had happened, and the Scratch Team will do their best to keep the hacked account safe. When sending a message, the following should be included:

  • The username of the hacked account
  • The user who hacked the account (if known and fully certain)
  • Ways the Scratch Team can contact the owner of the hacked account
  • If the password has already been changed (if possible)
  • Any other information the Scratch Team needs to know

If the user with the hacked account can still log in, it is advisable to change the password so the account is no longer accessible to the hacker.

In severe cases, notify the local law enforcement.

See Also


  1. Lightnin. (13/9/2012). "Some people create websites / software just to steal passwords - this is called “Phishing”."
  2. Lightnin. (4/2/2013). "[When anyone who doesn't know what you've done (or how you've done it) tries to view your project, they won't be able to understand your scripts" post:10418