"Login with Facebook" is a security vulnerability

I’m aware that this has been posted before. That’s part of the problem. It’s completely unacceptable that a completely invisible and unrestricted way to get into a user’s account, no matter what, has been brought up and ignored.

There is no way to see Facebook accounts that are linked to your ROBLOX account.

“Login with Facebook” does not trigger 2FA.

There is no way to remove a Facebook account from your ROBLOX account.

If somebody ever breaches your account, you might as well just quit. If they attach a Facebook to your account, they can get back in whenever they want. Unquestioned. They don’t need to know your password. They don’t need to have access to your email to get the 2FA. They can just sit back and relax, wait for you to use up your one-time item restoration, and take all your stuff right back.

@MajorTom4321 - the CS team needs to be made aware of this as well. The one-time item restoration is completely nullified by this. My friend trick555 was keylogged in the past and they slapped a Facebook account onto his ROBLOX account. He didn’t know that. Because he couldn’t have known that. He got his items back from CS via one-time restoration. He lost them all again and had no idea how until I recalled the Facebook vulnerability. He’s lost all of his items, thousands of USD, because of something that was no longer his fault.

When CS is assisting with an account breach, they need to be able to see if there are any Facebook accounts linked to the ROBLOX account and they need to be able to sever that link. Otherwise, don’t waste your time with an item restoration.

The solutions to this are plentiful:

  • Get rid of the feature.
  • Make 2FA apply, at the very least, to logins via Facebook.
  • LET US SEE AND REMOVE FACEBOOK LINKS

Seriously. This is an exploit. It’s an account security vulnerability. And it’s been ignored. It’s cost my friend, and many more, thousands of dollars and several years’ worth of work, not to mention their accounts themselves.

Please, end this BS. And if you could, destroy the Facebook link with Trick555’s ROBLOX account and give him his stuff back. Totally not his fault the second time around, regardless of it being his fault the link is there in the first place. It’s ROBLOX’s responsibility to protect users from this exact thing, and instead he’s being told “oh yeah um don’t give out your password :-)”

/rant

36 Likes

This is terrifying

3 Likes

This is terrif-

dangit berezza

6 Likes

Yeah, why wouldn’t something like this be in account settings?

4 Likes

According to Becky it already happens:

2 Likes

That didn’t happen in his case, then. As far as Trick555 and I know, this is exactly what’s happening and now CS is ignoring him.

If they didn’t remove the link when he was first compromised, I think they owe him another item restoration.

3 Likes

Honestly, do we even need this feature anymore? It sounds like the risks of supporting this far outweigh any potential benefits from having it.

So if you manage to get into somebody’s account once, you can theoretically get in forever?

Yeah that’s not right. A simple unlink button should do the trick?

4 Likes

Nor should it count as a strike towards the “one-time restoration.”

4 Likes

In honesty, “Login with Facebook” is an outdated method of logging in. I’m sure if you took a poll of who actually uses this as a primary method of logging in, the majority wouldn’t.

If the feature isn’t being used, perhaps it needs to be removed completely.

Problem with that is completely shutting out users who do use it.
It would be ideal to just let us see these links and end them. And also force 2FA on them.

I’d say just show that there is a link, not which account, so that in case you get compromised they can’t trace it to your Facebook account.

Also, wouldn’t it be a problem for some (security-ignorant) people if you can end the Facebook link through the ROBLOX website? What if you are always logging in through that (bad idea, but they might be), and a hacker deletes the link?

1 Like

Apparently it was possible to disconnect it in the past, but that’s been removed for a long time now:


I was gonna say “it’s probably nice for getting new users signed up without a hassle” but then I realized they don’t even have the Facebook sign in button on the main page anymore, nor on the mobile app.

With such lack of support, it definitely seems like this shouldn’t even be a feature anymore. They should stop allowing new Facebook link-ups and eventually wean people off of using this login method altogether (and of course, there needs to be an on-site button to disconnect the Facebook account). I don’t know what the best way of doing that would be, but maintaining this feature doesn’t seem worthwhile for ROBLOX at all and just creates more security risks.

Which is worse: the ability to log in forever or the ability to lock you out of your account? Being able to log into your account forever, naturally. And locking you out of your account can already be done by resetting your password, so unlinking Facebook as an account thief wouldn’t be anything new.

As for privacy, it could show a partial name similar to what it does for email, and still give you the option to unlink.

1 Like

I am using the Facebook login, but that’s because I’m lazy xD
But I also have two-factor authentication installed on Facebook, so people can’t gain access to my account.

But a way to remove the Facebook link isn’t a good idea, unless you make it restricted to e-mail verification.
As my account was once compromised, back in 2011 I think.
I didn’t have my password, but I could get into my account using Facebook.
And that’s how I got my account back.

So having a second way to get into the account again is a good thing.

Yet I remember making a post about Facebook back in 2013, but people ignored it :confused:

I’m saying that it should just show that there is a link, so that you can contact customer support to get it deleted if you didn’t put it there. The ability to lock you out of your account seems worse because you can have a Facebook link without having an email address verified AFAIK. (Imagine if someone who only logs in via Facebook forgets their ROBLOX password without a verified email, and then deletes the Facebook link (or a hacker does this). Yes, you can say that sucks for them, they should have known better, but not everyone thinks these things through.)

That seems fine.

ROBLOX can start requiring a verified email to log in with FB.

Fair enough. I’d settle for being able to see if there is a link and if so to who or what and force 2FA.
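The policy the thread converges on (links visible to the owner with a masked name, unlink gated on an email challenge, social login still subject to 2FA, every link severed on a confirmed compromise), as an added Python model; this is not Roblox's code, and every class, field and function name here is assumed.

```python
# Added example (not Roblox's code): a minimal model of the account-linking
# policy the thread asks for; names, fields and the masking rule are assumed.
from dataclasses import dataclass, field

class LoginError(Exception):
    """Raised when a login or unlink attempt fails a policy check."""

@dataclass
class Account:
    username: str
    email_verified: bool
    two_factor_enabled: bool
    # provider name -> (external account id, display name shown to the owner)
    linked: dict = field(default_factory=dict)

def login_with_provider(acct, provider, external_id, second_factor_ok):
    """A linked social identity replaces only the password, never 2FA.
    The thread's weak behaviour: a Facebook link skipped 2FA entirely,
    so whoever attached it kept a permanent way back in."""
    link = acct.linked.get(provider)
    if link is None or link[0] != external_id:
        raise LoginError("identity not linked to this account")
    if not acct.email_verified:
        raise LoginError("a verified email is required before social login")
    if acct.two_factor_enabled and not second_factor_ok:
        raise LoginError("second factor required")
    return True

def list_links(acct):
    """Show the owner every link, masking the external name so that an
    intruder on the settings page cannot trace it to a real person."""
    return {p: name[0] + "*" * (len(name) - 1) for p, (_, name) in acct.linked.items()}

def unlink(acct, provider, email_challenge_ok):
    """Unlinking is gated on an email challenge so a session hijacker
    cannot lock a Facebook-only user out by removing their login method."""
    if provider not in acct.linked:
        raise LoginError("no such link")
    if not email_challenge_ok:
        raise LoginError("confirm via verified email first")
    del acct.linked[provider]

def recover_compromised(acct):
    """On a confirmed compromise, support severs every linked identity so a
    link the attacker attached cannot be reused after item restoration."""
    severed = sorted(acct.linked)
    acct.linked.clear()
    return severed
```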

I completely understand that you are concerned for and care about your friend. However, before ranting, it’s good to ask and understand all the information. I looked at your friend’s account and there’s no indication that an attached Facebook account was how your friend was most recently compromised again. As someone has already noted, it is already part of our protocol to look for a FB connection on a compromised account and remove it when the account is reported and confirmed as compromised.

Now, if this was something that CS had missed, and someone was compromised again because of that, CS would restore them again. However, this is not what happened here. Although I won’t go into all the details, your friend noted to us in his email that he has a likely idea of how his account was compromised and it was not initially through ROBLOX.

Separately, we’ll make sure engineering is aware of this concern with FB accounts being attached and ensure that it triggers 2SV or otherwise examine the feature to make sure it’s not a risk. But again, that is not what occurred in the case of your friend.

3 Likes

Thanks, I’ll make sure he knows that a Facebook link is not the cause and that he needs to assess his security again. I walked him through checking email sign-in sessions and there was nothing unusual there, so I’ll ask him more about the circumstances regarding his account being compromised. Thanks for the response :slight_smile: and sorry if I came off as hostile. My complaints about the feature itself still stand, though. Thanks for ensuring that engineering will be made aware, as well.