Xbox Gamepass Exploit

Nikilis · June 28, 2016, 4:59pm

Solved by jmargh, thank you.

Velibor · June 28, 2016, 5:13pm

So instead of being linked to your account they are linked to your Xbox Gamertag ?

berezaa · June 28, 2016, 5:18pm

If you linked your Xbox account to your ROBLOX one, wouldn’t they have the same userId?

Velibor · June 28, 2016, 5:22pm

I would assume so, but that seems to be the case in this report… I would also assume that they are linked to the ROBLOX account and not the Xbox one.

berezaa · June 28, 2016, 5:24pm

Oh I think he means buy a gamepass, link it to an Xbox account, then unlink and create a new ROBLOX account with Xbox? If it works, that’s a pretty big issue

jmargh · June 28, 2016, 5:40pm

I was unable to repro this, are there any additional details you can give?

Here were my steps…

Join a place with a game pass with gamertag linked to roblox account 1
Buy the gamepass
Leave the game
Go to the settings screen
Select the account option
Unlink roblox account 1 from the gametag
Get past engagement screen
Select the option to Sign Up Using gamertag (this creates a new roblox account)
Create a new roblox account (upon creation it is linked)
Play the same game from step 1
PlayerOwnsAsset returns false

This was done in a test place I made.

To answer the questions about linking…the userId will be the userId of whatever Roblox account is currently linked. The only thing that changes is the Player.Name property. We have to identify the user by their gamertag. So if a users gamertag is called MyGamerTag, their name in-game will always be MyGamerTag no matter what Roblox account they are linked to.

Nikilis · June 28, 2016, 6:02pm

Here is a report I received:

And I also got a Twitter DM about it where he said he could keep making new accounts to do it.

Also I understand how the userId linking works but PlayerOwnsAsset used their Player model, not ID

jmargh · June 28, 2016, 9:02pm

OK, so I was able to repro it your game, but still couldn’t repro it in the place I made. However, the repro has a catch.

So I noticed that the 2nd Roblox account (who did not buy the elite game pass) sometimes got elite status and sometimes didn’t. So what I did was document what servers the account with the gamepass connected to. Then on the 2nd account did the same. Servers in which account 1 connected to, account 2 to got the elite status in the players list. Servers account 1 did not connect to, account 2 did not get the elite status.

So this seems like a caching issue. Are you doing any caching on the server and if so, do you store these by the users name? If the script is using the player.Name this will cause a problem since the player.Name will be their Xbox gamertag, not their Roblox account name.

mothmage · June 28, 2019, 9:06pm

system · October 25, 2022, 8:28pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.