New Console Exploits

Problem description:
I’ve recently seen from @Sky that there are new console DB exploits

Expected behavior:
The database is deleted after running the repl (same as I’d wish the REPL_IDENTITY would be)

Actual behavior:
You should be unable to access the db outside of the repl, it’s always been one of the major problems, but @Sky says there is more than one way

Steps to reproduce:
Just run a repl, and do (ctrl c, ctrl d and do from replit import db)

Also, not completely related but:

I’ve checked the code and I can delete the REPLIT_DB_URL and run the database/ which gets the db, and that will be a None db, but if I get the db from replit (from replit import db), it gives me a db, even though it just RAN THE SAME CODE

Bug appears at this link:


sorry for ping but @not-ethan I was told you know how this happens, and functionally won’t tell me their method… soooo I was wondering if you could :smiley:


yeah, the exploit I found allows you to access the db outside of the repl and change / add any value you want.

but… HOW. HOW DO YOU ACCESS IT could you kindly explain further?



Yeah but can’t you just print the DB url and do that? That’s been an issue for ages

yea you could I suppose

I tried this out, the db URLs are different so that means everything is safe. The actual db url vs. the one derived from running from replit import db in the spotlight page are different.

yeah doesn’t it just create a new DB?

we’re talking about a game where your stats are stored (and can be edited) by using the DB

Yeah but I can still access the local db


@IroncladDev ^^ I can still edit the db like this

Also, while you’re here, I’ll explain a bug with the DB or whatever it is, such as if you play a game that saves data via replit db. Your data is obviously saved, but only on that device; if you switch to another device, you’ll have to start over, even if you’re on the same account where the data was previously saved.

That’s because the DB is separate for each repl. When you play someone else’s repl (that’s not a webserver of some type) it makes sort of a proxy repl that is a copy, it’s not actually running the same repl, so the DB is different

sorry if I worded that terribly

So you’re saying that if I played a game like Hecker40’s Cookie Clicker in Python-Terminal and got, say, 1,000 cookies, it would be saved in the replit DB. But if I switch to a different device while still connected to the same account and game, will it reset my score and create a new DB?

I think it should be the same for accounts, but I don’t know

That is my problem; it forces me to reset all of my data even though I am still playing on the same account, which is kind of stupid (sorry if that is considered vulgar by @system).

The system does not detect if posts are vulgar or not. They are just the ones who send the messages when a user manually flags

Maybe it is by device then? I always use the same device so never noticed it

btw lol, NaN means not a number. :nerd_face: