Hello everyone! I am happy to announce my last creation on which I have been lately working on: Accounts manager. This extension allows you to keep multiple accounts connected at the same time on just one browser.

Before i continue:

BE AWARE OF SCAMS

As of January 9th 2023 Accounts manager is available on the Firefox’s add-ons store.

The only official extension made by me is the one linked below, I have not published this extension on any browser marketplace/store/add-ons store. Additionally this extension is not for sale, if anyone comes to you and says that he’s selling it please do not fall for it as I don’t ask for any payment, also if they tell you that they worked on it, that is highly fake as only I worked on this project.

About

This extension has been made because sometimes you may need to switch between accounts and logging-in and out can be pretty annoying. This extension is the solution to the problem.

Jump to showcase

How does this work?

This extension automatically detects login-ins and log-outs and when you log-in it will prompt you to choose to save the account you logged-in. If you click “OK” a copy of the .ROBLOSECURITY cookie will be made under the name of AM.ROBLOSECURITY.<UserId>. Now this actually does not represent a security risk and if it does that’s the same as the .ROBLOSECURITY cookie (will refer to it as RSC). The copy of the cookie will be flagged as httpOnly, this helps to lower the chances of a successfull XSS attack.

If you want to add another account open the extension panel (will refer to it as EP) and click the green button “Add account”. This will remove the current RSC without invalidating it so that you will be able to access the log-in page, once you are on the log-in page just normally log-in and the extension will prompt you to save your account, click “OK”. Now the process explained above will repeat. Once logged-in in at least two accounts open the EP and click the account you want to switch to. Once you do that, the current RSC will be replaced with the copy of the account you want to switch to so that you get access to that account.

NOTE: When changing account localStorage and sessionStorage data will be wiped and this will lead to some preferences being forgotten (example: cookies agreement). I am aware of this and i am working on a fix.

You may say: “If i change account a copy of the RSC is still available on the website and so someone with physical access to the device can get into my account”. I took this in consideration and it’s actually not a risk because this is just what would happen normally if you don’t log-out, basically the RSC is not invalidated and so you are not actually logged-out.

When you log-out of a saved account it will be removed from the list as it’s RSC is invalidated by Roblox.

To open the EP click on the extension in your browser.

Compatibility

This extension has been developed to work on Microsoft Edge and Google Chrome. Support for Firefox will come soon (Available as of July 1st 2022).

How to install (Edge and Chrome)

Go to the releases page and select the latest release for your browser, head to the assets area and download “Source code.zip”

img1598×596 36.4 KB

Unzip the folder then (on chrome) go to chrome://extensions, in the top right corner of the page enable developer mode

and click “Load unpacked extension”, open the unzipped folder, open the folder named “Accounts-manager-BETA-v.1.0” and select the folder named “source”, finally click “Select folder”.

If you are using Microsoft Edge the process is the same but instead of going to chrome://extensions go to edge://extensions.

Versions have been split: to access the code for Chromium based browsers on GitHub select the “Chromium-based-browsers” branch, to view FireFox code select the “FireFox” branch.

For a further explaination of how this extension works visit the GitHub repository.

I would really appreciate any feedback on this. If you are having issues then please create an issue on GitHub. If you need quick support the best way to get in contact is to join the support server.

Showcase

Rate this extension:

Do not republish! The only purpose of this being public is to show the code so that you can feel safe using it as it uses sensitive data. Redistribution is NOT allowed.

very unsafe. Never copy anything from the networks tab of your console, or form your cookies, especially something that has “Security” in it. It is not safe, and you are directly giving the malicious user your account.

This runs locally 100% as explained in the main post this is not copying any data else where if not on the roblox website, in the same place where the roblosecurity cookie is stored, with the same security flags, i strongly considered security while developing this. So this is basically just having a doubled roblosecurity cookie. anyways you can check the code yourself and decide if it’s safe to use

The code may not directly have anything malicious in it, It may just request to be granted access to cookies, indirectly leaving the door open for malicious activity.

I can’t see what is the part that makes you think that a bad actor could get access to the data exploiting it, this doesn’t listen to any request so unless someone gets access to your pc, edits the code, re-uploads it to chrome then i can’t see how this could happen, but i would be happy to understand your “problem”. I will reply tomorrow.

This might be useful if you have multiple alts you use daily. But as @TrulyChxse said, this is kind of unnecessarily unsafe, even though it’s all local. Would this be easily hackable? A better alternative is to keep your usernames and passwords stored in the default Google Chrome password manager. You can save multiple logins. You’ll need to sign out and log into a different account, but it’s probably better than using someone else’s plug-in. I’m not saying this is completely bad, but it should be used only by the creator and not used by the public.

I wouldn’t say so, i’ve read the code multiple times to make sure it was safe, as i said before this doesn’t listen to any request made by external services

The scope was to prevent clicking log-in/log-out

If you are talking about chrome’s function to have multiple profiles then not all browsers have this feature.

Well i am not forcing anyone to use it, if someone believes it’s useful then it’s there ready to be used.

This is exactly as safe as the regular .ROBLOSECURITY cookie, with the caveat that if someone gets access to your cookies, they have all of your accounts, not just the current one.
edit: I would like to clarify that this is more or less a safe design

I don’t like how the other .ROBLOSECURITY cookies are stored as cookies.
Cookies are always sent to the server when you make a request. As such, the Roblox servers see very clearly that you are using this extension and it also tacks on more data sent per request.

I would suggest storing the cookies in some other form of extension local storage. (No, nothing of the kind that can be accessed by content scripts)
It would be ideal as a Greasemonkey script because these are more universal, but I’m not sure if these can access HTTP-only cookies.

edit: If you have such a better storage method, then you also gain space to store all localstorage and sessionstorage in it.
Note that Greasemonkey has such storage. Inspect it to learn how to get storage.

final edit: Firefox has “containers” built-in (there used to be extensions to do that before then), which let you store and switch between sessions. However, I feel that it has severe UX issues, such as a depressing inability to operate on the list of containers, poor keyboard support and Internet Explorer syndrome (complete disregard of people who want to use multiple tabs).
I would not use this extension myself, but it should easily be better and smoother to use than Containers in Firefox when someone verifies that it works on it.
(Chrome and Firefox use the same extensions today fyi)

Kind of unclear what your specific issue here is. Is there a specific issue with the code you have? If so, please identify what that is so that OP can improve! If you’re just disagreeing fundamentally with OP - I mean If you don’t want to use it, no one is forcing you to, but there is always going to be the issue of balancing security with usability when attempting to non-natively streamline things, especially when combining authentication information. Doing it smartly mitigates that risks, so I don’t think it’s fair to just fundamentally critique what OP is doing and brand it as “unsafe”.

Kind of the same point I’m making above, but y’all can see the code. If there’s nothing you can point to that is specifically concerning, this really isn’t contributing anything to the thread and its essentially baseless alarmism. If there’s an issue, point that out certainly (as someone who doesn’t know js, I can’t speak to the safety and methods used so I can’t really comment on the specific safety at all), but if you can’t find anything of concern then you’re just spreading general worries that aren’t grounded in anything actually specific to OP’s creation, potentially pushing people away from something that would be quite helpful to them.

Edit: @Eestlane771 is doing a good job of what I’m saying by pointing out something specific that could be improved

Can you add a safari extension?

The reason why this extension deletes data in them is to avoid mixing of trackers of different accounts

I still can’t provide this for Firefox because this was developed with manifest v3 which is not supported by Firefox yet

I will see what I can do, I am going to be honest, I didn’t look at safari’s side but if that supports manifest v3 and the code used here then you can already use it, otherwise changes are needed. I will take a look at this tho

I agree with this, I couldn’t really understand where their issue is in the code.

How is this not safe, you run the code yourself, no 3rd party requests in the source, only way you could get compromised is if someone was using your PC, and in that case, they most like have your login anyways since it will most likely be stored to browser, all this does is skip the login process.

It’s unsafe if you open up your cookies and show somebody. Or, somebody manages to hack into this plugin, edit the source code, update it and have it upload your cookie information. The safety of this plugin is almost entirely up to the person using it.

Do you think this plugin would be edited to store cookies on some server for malicious use? I guess it’s possible, but for now it’s open source. You could just download it and never update it, so you know it won’t upload your data.

Unless someone manages to get access to edit the repository this can only happen locally and so it’s your responsibility

Neither thinked to that while developing it as I knew that as it is now it would’ve got criticized a lot even if it was safe

Isn’t there already one on the CWS?

Chromium makes it very easy to get access to the plugins files, and this probably includes data stored by the plugin. This is a legitimate concern if a virus was to get on your computer.

I’m sure there’s a different plugin that I’ve seen before, but jmkdev has made one before

Screenshot_2022-05-06-17-31-48-294_com.microsoft.emmx1080×2400 354 KB

Well the same risk applies to the .ROBLOSECURITY cookie then

Oh well i didn’t know about that