Hi. This is Vivien, formerly at b25bomber, and I've been hearing a lot of people asking about the hackers.

On DBD yesterday, a user started spamming the comments claiming to be 'exposing' DBD managers. Out of a mix of anger and curiosity, I clicked the link and followed the instructions to see inside the project. A black box appeared at the top of my screen saying that I had been hacked and that they had all my data. I totally freaked out, logged out of my account, and deleted the account. I did some research and decided it might have been a scare tactic and signed back in. But my profile bio/wiwo was altered, clearly showing that I had indeed been hacked and they had my password. So, once again, I FREAKED out and deleted it again.

After doing some actual research, this is what I was told:

If you open a project containing a malicious SVG and then open the costume editor, an attacker could potentially execute JavaScript code to take actions on your account, such as posting comments or deleting projects.

Arbitrary Code Execution (ACE): In the most severe cases, particularly with the Scratch Desktop app, it could theoretically allow someone to install malware or ransomware on your computer.

Your email: Your email is generally not "stolen" just by viewing a page. However, if the malicious code successfully executes, an attacker could potentially access sensitive account data or redirect you to a fake login (phishing) page designed to trick you into entering your credentials.

In DBD, in the desc, a manager had added this:

Scratch projects have a massive security issue. SVGs (the file type of Costumes / BackDrops) can be exploited for Arbitrary Code Execution, which can hack your account, download malware, collect your email, redirect you to unsafe offsites, and cause other issues. Scratchteam has not yet resolved this issue. In the meantime, do not click links provided on Scratch, offsite or not.
So, I would recommend NOT seeing inside ANY projects other than your own for the time being. This is a major security issue that will hopefully be resolved soon. Do not click any links off-site EVER, and exhibit extreme care with Scratch links. If you know that someone has been hacked, DO NOT, I repeat, DO NOT visit that person's profile or any projects shared by that profile. If that account has been hacked, in the most severe cases hackers can install the same coding into hacked projects to hack even more users. I'm not sharing this to scare anyone. Scratch is generally a safe website. But you need to exhibit caution. If someone starts spamming, don't click the link or visit the user's profile; just report and ignore. Stay safe out there, my friends.
This is VERY REAL. I'm not trying to traumatize anyone, but you NEED TO BE CAREFUL. These are made to scare people and steal their personal data including emails and any information entered in your profile or account settings.
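The explanation quoted in the post (a malicious SVG costume that runs JavaScript once the costume editor renders it) is exactly what a pre-check on a costume file would look for. What follows is an added example written for this page, not code from the post, from Scratch, or from the Scratch Team: a small Node.js scanner that flags the constructs inside an SVG that a browser or desktop app can execute or fetch (script elements, event-handler attributes, javascript: and remote URLs, foreignObject, DTD entities, animated hrefs), plus a best-effort stripper. The two sample costumes, the check names and the regexes are all assumptions of the example.

```javascript
// Added example (not from the original post, and not Scratch's own code):
// a heuristic scanner for the kinds of active content in an SVG costume file
// that a browser or Electron app could execute or fetch. The sample SVGs below
// are constructed for the demo; the regexes are a triage aid, not an XML parser.

const ACTIVE_CONTENT_CHECKS = [
  // <script> runs in the page context of whoever renders the SVG inline.
  { name: 'script element',                  re: /<\s*script\b/i },
  // onload=, onclick=, onmouseover=, ... fire without any <script> element.
  { name: 'event handler attribute',         re: /\son[a-z]+\s*=/i },
  // href / xlink:href / src pointing at a javascript: URL runs on activation.
  { name: 'javascript: URL',                 re: /(?:href|src)\s*=\s*["']?\s*javascript\s*:/i },
  // foreignObject embeds arbitrary HTML (iframes, forms) inside the image.
  { name: 'foreignObject (HTML inside SVG)', re: /<\s*foreignObject\b/i },
  // Remote references leak the viewer's IP/referrer and can pull in more content.
  { name: 'external URL reference',          re: /(?:href|src)\s*=\s*["']?\s*(?:https?:)?\/\//i },
  // Internal DTD entities are XML-parser attack surface unrelated to drawing.
  { name: 'DTD entity declaration',          re: /<!ENTITY\b/i },
  // <set>/<animate> can rewrite an href to a javascript: value after load.
  { name: 'animated href',                   re: /<\s*(?:set|animate)\b[^>]*attributeName\s*=\s*["']?(?:xlink:)?href\b/i },
];

// Returns the names of every check that matched, in the order listed above.
function scanSvg(svgText) {
  return ACTIVE_CONTENT_CHECKS.filter((c) => c.re.test(svgText)).map((c) => c.name);
}

// True when nothing in the file looks executable or network-reaching.
function isInertSvg(svgText) {
  return scanSvg(svgText).length === 0;
}

// Neutralises the constructs the scanner flags most often (script, foreignObject,
// event handlers, javascript:/remote URLs). Regex stripping is shown for
// illustration only; a production sanitiser should rebuild the document from an
// allowlist of elements and attributes with a real parser (as DOMPurify does).
// Always re-scan the result: constructs this function does not handle
// (ENTITY declarations, animated hrefs) will still be reported.
function stripActiveContent(svgText) {
  return svgText
    .replace(/<\s*script\b[\s\S]*?<\s*\/\s*script\s*>/gi, '')
    .replace(/<\s*foreignObject\b[\s\S]*?<\s*\/\s*foreignObject\s*>/gi, '')
    .replace(/\son[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/((?:xlink:)?href|src)\s*=\s*(["'])\s*(?:javascript\s*:|(?:https?:)?\/\/)[^"']*\2/gi, '$1="#"');
}

// Constructed sample: an ordinary costume with nothing active in it.
const BENIGN_COSTUME = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <defs><linearGradient id="g"><stop offset="0" stop-color="#f00"/></linearGradient></defs>
  <circle cx="50" cy="50" r="40" fill="url(#g)" stroke="#000" stroke-width="2"/>
</svg>`;

// Constructed sample carrying the shapes the post warns about; handler bodies
// are placeholder comments, the remote host is a reserved example name.
const SUSPECT_COSTUME = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* placeholder */">
  <script>/* placeholder: would run in the viewer's page context */</script>
  <a xlink:href="javascript:/* placeholder */"><text x="10" y="20">click</text></a>
  <image xlink:href="https://tracker.example/pixel.png" width="1" height="1"/>
</svg>`;

// Demo run: report what each sample contains, then confirm the stripped
// version of the suspect costume scans clean.
for (const [label, svg] of [['benign', BENIGN_COSTUME], ['suspect', SUSPECT_COSTUME]]) {
  const findings = scanSvg(svg);
  console.log(`${label}: ${findings.length ? findings.join(', ') : 'no active content found'}`);
}
console.log('suspect after strip:', scanSvg(stripActiveContent(SUSPECT_COSTUME)));
```

Run it with `node svg-scan.js`; to check a real costume, read the file into a string and pass it to `scanSvg`. Any non-empty result is reason not to open that costume in the editor. The scanner errs on the side of false positives (a harmless `onload` inside a comment is still reported), which is the right trade-off for a triage tool; the stripper exists only to show that the flagged constructs are attributes and elements a proper allowlisting sanitiser can drop, not something the viewer has to trust.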