So, I was able to run the Glitch console, but not on Glitch’s website. I basically just took code from https://glitch.com/edit/console.html?---project-name--- , then put it all in one
Code
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <title>Glitch Console</title>
    <style>
      body {
        margin: 0;
        font-size: 0;
      }
      * {
        box-sizing: border-box;
      }
      iframe {
        height: 100vh;
        width: 100%;
        border: none;
      }
    </style>
    <script>
      var params = new URLSearchParams(document.location.search.substring(1));
      window.addEventListener("load", (e) => {
        try {
          const token = "" // Get this by going to glitch.com, and run this in your console: JSON.parse(localStorage.cachedUser).persistentToken
          const project = "" // Name of your project (duh)
          const url = `https://api.glitch.com/${project}/console/${token}/`
          const iframe = document.createElement("iframe")
          iframe.src = url
          document.body.appendChild(iframe)
          iframe.contentWindow.focus();
        } catch (e) {
          const pre = document.createElement("pre")
          pre.innerText = "You are not authorized to access the Glitch Console."
          document.body.appendChild(pre)
        }
      })
    </script>
  </head>
  <body></body>
</html>
Example:
4 Likes
Just be really really careful about making this public on the internet because
When someone has access to your token, they can use the console to edit any of your projects, public or private
If someone gets SSH to your site, it's over.
6 Likes
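A pre-publish check for the risk raised in the post above, added here as an example and not part of the original thread: it scans page source for a literal token in the console URL shape from the first post, or in a `token` assignment. The sample pages and token value are constructed, and because the thread does not state the token format, any non-empty value is treated as a token.

```javascript
// Added example (not from the thread). Assumed URL shape, taken from the post:
//   https://api.glitch.com/<project>/console/<token>/
const CONSOLE_URL = /https:\/\/api\.glitch\.com\/([^\/\s"'`]+)\/console\/([^\/\s"'`]+)\/?/g;
// Matches: const|let|var token = "<value>" (the variable name used in the post).
const TOKEN_ASSIGN = /\b(?:const|let|var)\s+token\s*=\s*(["'`])([^"'`]*)\1/g;

// Never echo a full secret into scan output or CI logs.
function redact(value) {
  return value.length <= 4 ? "****" : value.slice(0, 4) + "...(redacted)";
}

function findEmbeddedTokens(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const m of text.matchAll(CONSOLE_URL)) {
      // A template placeholder such as ${token} is not a literal secret.
      if (m[2].startsWith("${")) continue;
      findings.push({ line: i + 1, kind: "console-url", project: m[1], token: redact(m[2]) });
    }
    for (const m of text.matchAll(TOKEN_ASSIGN)) {
      if (m[2] === "") continue; // empty placeholder, as in the posted page
      findings.push({ line: i + 1, kind: "token-assignment", token: redact(m[2]) });
    }
  });
  return findings;
}

// Constructed sample: the page as posted, with the placeholders left empty.
const SAFE_PAGE = [
  'const token = ""',
  'const project = ""',
  'const url = `https://api.glitch.com/${project}/console/${token}/`',
].join("\n");

// Constructed sample: the same page after someone filled in a (fake) token.
const LEAKY_PAGE = [
  'const token = "CONSTRUCTED-TOKEN-0000"',
  'const project = "my-demo-project"',
  '<iframe src="https://api.glitch.com/my-demo-project/console/CONSTRUCTED-TOKEN-0000/"></iframe>',
].join("\n");

console.log(findEmbeddedTokens(SAFE_PAGE));  // no findings
console.log(findEmbeddedTokens(LEAKY_PAGE)); // two findings, tokens redacted
```

Run it over the files you are about to publish; any finding means the token should be removed from the page and treated as exposed if the page was already public.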
This part is what’s really scary.
3 Likes
17lwinn
September 19, 2020, 5:16pm
4
This is alright… Totally not dangerous at all…
2 Likes
I was just looking at the API, and found it.
Imagine this scary idea: Someone gets access to loads of tokens, uses Puppeteer to go to the page, emulate keyboard events, and does scary evil stuff to tons of projects and possible data deleting, etc.
There’s another way to do this which I don’t talk about for security reasons
1 Like
Oof, all of this seems like a bad idea…
I’ll change this to a #feedback security issue.
(Thanks to @youngchief_btw, @17lwinn, @RiversideRocks and @khalby786)
3 Likes
I don’t really see why this is a security issue? Just don’t share this key. Simple as that.
2 Likes
Not the console part, the token part. On sites like Discord and Roblox, they print in the console not to paste anything there, or they could get access to their account.
So they could put in like “Hey, don’t put anything here!”
Ok, I see what you are saying. I just sort of assume most people know not to paste code in the console on Glitch as it's a site for devs.
Is this W3Schools editor?
Yes. I made it in Notepad, then showcased it in the editor for a side by side view.
2 Likes
Sounds like me lol, I always write my stuff in TextEdit and paste it into the Tryit Editor. Inline CSS and JS aren’t perfect, but they’re easy to move around.
2 Likes