[WUT] Adam Now, here is the problem, it gives you TOTAL access to all of the inspect console from within a gamelab project. You can execute scripts on the behalf of anyone running the project. I can create a project which when run will replace your projects with copies of that project and publish them. Do you understand the security issue this presents?

      A proper demonstration of it's power.

      EDIT: Removed video since it don't work

      Awards

      • â’¸ 1 from ackvonhuelio
        Comment: ☹
      • â’¸ 10 from MonsterYT_DaGamer
        Comment: The video doesn't work, but don't worry. Just give it to me and I'll help with dat B)

        I've decided to report it as a bug to code.org since I realize the devastating potential of an exploit like this. For now, I shall wait until it is patched. Cry about it, but it's the responsible thing to do.

          2 months later

          Binary_Coder Nope, never happened, and yes it is less dangerous without public project publishing.

          Awards

          • â’¸ 0.1 from Varrience
            Comment: Still can delete your account though lulz

            The main issue with the vulnerability is that it allows projects to run scripts that can literally delete or edit projects in your account. I could make a project, that, when run, copies it's source code to all of your projects and then auto publishes them to the public gallery, propagating the worm across cdo wiping millions of projects.

            Awards

              a month later

              Chat