pi (@pi) posted 9 months ago

the darflen logo in the style of other logos (youtube, tiktok, snapchat)

How did you get the @yo account on scratch?

– The Fish 245 (@UnderwaterFish) posted 8 months ago

since the exploit seems to be patched (as far as i know), i don't think there's any harm in explaining how i got the yo account.

simply, i used burpsuite to create a scratch account. when i got to the last step, the part where you enter your email, i intercepted the post request that sends the account data. i modified the username by adding "%0A" (which is the url encoded form of a newline character) to the end of it, then forwarded the request.

after that, the site got stuck loading forever, but when i went back to the scratch homepage, i was logged in. it seems scratch was very confused by me having a newline in my username, because the site kinda broke. my name didn't appear in the header, and i couldn't even view projects.

to comment on a project using that account, i had to do some weird workaround. i first logged into my main account and opened the project i wanted to comment on. then, in a separate tab, i logged out and logged back into the "yo" account. after that, i returned to the original tab, and commented through there.

eventually, scratch did try to fix it by removing the newline automatically. however, because of that, people could now register legitimate 2c usernames, and even usernames with inappropriate words. i managed to grab "pi" but they caught on and deleted it pretty quickly.

– pi (@pi) posted 8 months ago
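
An added example, not part of the posts above and not Scratch's code: a server-side username check showing how a trailing newline can pass validation, and why stripping it afterwards without re-checking lets a too-short name through. The 3 to 20 length limits, the allowed character set and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

MIN_LEN, MAX_LEN = 3, 20  # assumed policy, for illustration only


def weak_validate(form_value):
    """Assumed flawed check: in Python, `$` also matches just before a trailing newline."""
    name = unquote_plus(form_value)  # "yo%0A" decodes to "yo\n" (3 characters)
    return (MIN_LEN <= len(name) <= MAX_LEN
            and re.match(r"^[A-Za-z0-9_-]+$", name) is not None)


def weak_then_strip(form_value):
    """Flawed follow-up fix: strip the newline after validating, never re-check."""
    if not weak_validate(form_value):
        return None
    return unquote_plus(form_value).rstrip("\n")  # stored name may now be too short


def strict_validate(form_value):
    """Reject instead of repairing: the whole decoded value must match the policy."""
    name = unquote_plus(form_value)
    pattern = r"[A-Za-z0-9_-]{%d,%d}" % (MIN_LEN, MAX_LEN)
    if re.fullmatch(pattern, name) is None:  # fullmatch leaves no room for "\n"
        return None
    return name


if __name__ == "__main__":
    # Constructed sample inputs, as they would appear in a urlencoded form body.
    for value in ("fish_245", "yo", "yo%0A", "abc%0A"):
        print(repr(value), weak_validate(value),
              repr(weak_then_strip(value)), repr(strict_validate(value)))
```
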