I've decided to report it as a bug to code.org since I realize the devastating potential of an exploit like this. For now, I shall wait until it is patched. Cry about it, but it's the responsible thing to do.

    2 months later

    Binary_Coder Nope, never happened, and yes it is less dangerous without public project publishing.

    Awards

    • Ⓒ 0.1 from Varrience
      Comment: Still can delete your account though lulz

    The main issue with the vulnerability is that it allows projects to run scripts that can literally delete or edit projects in your account. I could make a project that, when run, copies its source code to all of your projects and then auto-publishes them to the public gallery, propagating the worm across cdo, wiping millions of projects.


      a month later
      16 days later
      16 days later

      @[WUT] Adam lookie what I found.

      Awards

      • Ⓒ 0.1 from Varrience
        Comment: what matters more is if you can actually update those credentials to make additional requests of which permissions like that are probably behind admin privileges