Account Security Issue

Alright, with the recent string of account thefts, I decided I should post an issue I’ve been aware of for a few years now.

If someone gets into your account, one of the first things they do is change the email address.

So ROBLOX then sends the old email a “Did you do this email”. They also send the new email a verification email.

Now how often do you check your email? Are you feeling lucky? Because at that point you have to beat the attacker to ROBLOX’s “Did you do this”, before they get to the verification email.

Because once they verify, that “Did you do this” email link no longer works.

I think the rest is self explanatory, but in case it’s not:

What the hell ROBLOX?

Edit: Please move to exploits and bug reports

4 Likes

Oh, so that’s what causes it to be invalidated. I thought it was they changed it to another email after they changed it the first time and used the email reset on the first email they changed it to, invalidating all revertemail emails.

Yeah, neither of those should happen. Those email links should always work for 24-72 hours no matter what they change your email to. I also recommend people connect their account to their primary email (or at least one that they check regularly) so that important emails don’t go unnoticed on some random email. An email notifier also works really well if you don’t like / have trouble remembering to check it manually.

1 Like

I just verified this since I did have to update my email address. So I know this is still an issue. Also, can I flag for this post to be moved?

Best thing to do is probably flag the OP as “something else” and asked for it to be moved

I’ve moved the thread, if you want it to be moved next time just put it in the header?

1 Like

Maybe, after changing the email, have a period of 24h before the email change actually gets… activated?
(Can’t think of the right word)

If you think of the normal user case, not the hacked account case, shouldn’t the user be able to verify their new email address right away? The majority of email changes are legit. We don’t want to add friction to a user doing normal account activities.

2 Step Verification is a better answer.

2 Step is fine and verifications happening immediately is fine, but emailrevert emails shouldn’t be invalidated just because another email is verified. And regarding normal users, you have to keep in mind that not everyone is going to want to use 2 step because it’s kind of annoying to have to prove you’re you, and they still need to be able to get their account back if someone gets into it. Being able to revert the email even if a new one was verified accomplishes that.

1 Like

No. There should never be more than one link out there that can revert the account. Think about the sequence in your scenario. What if the hacker changes the email twice and verifies both times? Now they have a valid revert link and the owner will also have a still active revert link. Who wins? When do the links get deactivated?

1 Like

They should expire after a certain amount of time (like the password reset links do) – 24-72 hours sounds good. The reset link for the original email should take precedence over all other emails – when someone tries to take over an account, the original owner’s email is always the first one, so this works. If the infiltrator skips across 10 emails, using the original email’s email reset link should invalidate all of the links for the other 9 past emails. If the person who took the account for whatever reasons uses the email reset on #5, the reset emails for #6 onward are invalidated while the reset emails for #4 and earlier still work.I’m not sure how this would work from a technical point of view, but that’s the most beneficial behavior for us.

What you should be doing is keeping track of the emails that are used on the account. The longer the email has existed with the account the higher priority it should get. In other words, if multiple emails have these links, when one is clicked all links for newer accounts become inactive. This means that even if a hacker were to do this, my email would still be older so I have control.

I believe the revert emails are always supposed to work, never time out, but otherwise they are supposed to work as Echo described.

I don’t mean to necrobump, but I just tested this process again, and it is now working how it should. Revert email will still work after an attacker has confirmed the email change.

Thanks ROBLOX. :thumbsup:

4 Likes

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.