Refresh and see inside

By muffinink:

In 2026, it was discovered that through clever use of very long transitions and forcing the browser to restyle all elements, an attacker can apply arbitrary styles to the full Scratch page that last until refresh.

Most uses of this have been "fun" things, but here's a few ideas about more evil things you might be able to do:

- Hiding the report button.
- Making the like/favorite buttons cover the entire page, so that users are tricked into clicking them.
- Display text telling the user that they need to open a website in a new tab to "verify" their account (some phishing page). Users are likely to trust the instructions because the message is coming from the real scratch.mit.edu.

Example project (not mine): https://scratch.mit.edu/projects/1299571218/

Source:
By fortyonegames