Add captchas to game joins

As a developer, there is no easy way to fully counteract the recent surge in game bots. Right now as it stands, botters can easily swap out roblox cookies and make accounts join games with no resistance whatsoever, as there is no captcha if you are already “logged in” via having bots burn through a list of cookies and once they are past the log-in stage they have free reign on joining games, using chat, living likes/dislikes if they are verified, etc.

Roblox needs to step up and add captchas to features of the sites which have received heavy abuse by bots lately, having 1 captcha on a log-in simply isn’t enough when attackers have hundreds of thousands of already logged in cookies to burn through.

I feel that it’s also worth mentioning that even with in-game captchas, the botting is ruining developer stats.

32 Likes

I agree that the issue has to be solved but I do NOT agree with your solution, if you have experienced the captcha system that Roblox has implemented you wouldn’t suggest this.

I understand that bots are an issue but it’s simply a terrible idea to add an extra step for players to play your game which might also frustrate them because of the stupid captcha system being trash… and driving them away from your game

If Roblox ever implements this please for the love of Builderman make it an option!


You can also use this in game, CaptchaTheFlag - Protect your game from bots, for now

46 Likes

It’s possible to make a custom Captcha to detect bots in your projects. It doesn’t have to be anything fancy.

I personally don’t want more steps to join games. Roblox is so great because you can play anything quickly. Captchas add like 30 seconds and are extremely annoying

11 Likes

Agree. I’d also like for this to be paired with forcing players to stay within a game for a set duration of time before allowing them to leave a like or dislike on it; let’s say fifteen to thirty minutes. This would also filter out bad actors who are manually disliking another game, or manually liking their own game–unless they’re super dedicated to doing what they do.

2 Likes

I absolutely hate captchas. I live in an area where I literally get infinite captchas.

The best way to combat bots are the following:

  • Force verification on signup. Make it so that one account can belong to one email.
  • Rate limit the action that allows you to join a game.
  • Block known VPN hosting providers.
  • Watch for traffic spikes via IP. If a collection of IPs in relative space are joining games or pinging requests in insane numbers, it’s usually an indication of mass botting.
  • Watch for failed login attempts.
  • If you find a bot or a few bots that are joining your game, you can actually pinpoint and block the IP that they’re coming from. It will block a bunch of novice-level “hackerbois”. Roblox can see every action and every IP you join/make. They have the capability. Most sites with engineering power do.
  • Block known captcha solving services.

Most bots out there use libraries that do not abide by rate limits. So, they can literally, spam join your game with a bunch of cookies with zero issues and is the reason as to why this is happening. 95% of the APIs that Roblox has are not rate limited or the rate limit is set so high that it’s physically impossible to trigger. I’ve been testing it slowly with every API and I’ve only encountered a few (almost always POST-based endpoints) that have very poor rate limits and most of the time, the actual span of which you’re rate-limited isn’t actually unified across the APIs (this could’ve changed).

I strongly believe that no matter what, captcha will always be horrible UX and is essentially a bandaide fix to something more serious. By introducing a third-party, you now have an avenue that can be exploited to circumvent.

I have written and maintain a library that allows people to bot and I have witnessed so many attempts at creating ways to circumvent the captcha. Third-party solvers, etc. Captchas do not solve this issue. Limiting account ages does not work. Even if you limit the amount of accounts playing by IP, you could use a VPN and circumvent.

My theory is that most bots used to join games aren’t verified. They’re probably logging in once, grabbing the auth cookie via incognito, creating a bunch of processes and joining your game. Since cookies last a while (given that they don’t or aren’t logged out), it can be used over and over.

I’m not saying that forcing verification would fix this but, limiting verification to one email per account without having multiple accounts on the same email would probably fix a large chunk of this given that people are naturally lazy.

Another option since we’re on the topic of bots would be to support bots via an application-based bot user that can be restricted on certain domains. It would properly allow for automation of groups, etc and it wouldn’t make users find hacky solutions to come up with ways to circumvent. A lot of people out there find group bot management code open-source and tailor that code to do malicious things. If they were given a solution like something Discord provides with strict API limits and a toleration policy that’s actually enforced, it would make life a lot easier. This is far fetched though.

6 Likes

I’m wondering why you’d want this. VPNs aren’t solely used by people who use them to misbehave on the internet, especially not paid VPNs (the people who use a VPN to circumvent things probably use free ones).

By far the largest part of people use a VPN for good reasons, like:

  • Bypassing censorship
  • Avoiding throttling
  • Bypassing network blacklists
  • Secure connection (on public networks for example)
  • Privacy (paid VPNs have a no-logs policy)
    … and so on

It would be awful if so many people have to pay the bills for the rotten apples. Talking about myself, I am a 24/7 VPN user because of various reasons. If Roblox would block VPNs on their platform, it would mean the end of my adventure on Roblox for me.

This would be terrible for parents who have kids <13 years old. Kids on that age should use their parents e-mail address for one of these 2 reasons:

  • They legally aren’t allowed to have their own e-mail address
  • Parental control
1 Like

VPNs can/will almost change your IP and your location. If you were to create a bunch of bots to spam or otherwise annoy someone, you can circumvent via a VPN and have all of your instances on different VPN locations. Not only will this look like normal requests but, it’ll allow attackers multiple avenues to beat basic security. This is part of the reason why Discord can’t truly permanently ban someone and how you can circumvent discord bans by changing your IP via a VPN. This is more on the actual application side of things than the site. If the user is using a VPN, the application itself could prevent a proper launch which would prevent a client or bot in this case from joining servers.

It wouldn’t actually change for parents who have kids. You can have kids share an account until they get their own email or you could just have a parent email that has access to two child instances (accounts) under strict parental control. The point is that creating an infinite number of accounts without verification and being able to join a game is a severe security risk. By doing so, you allow creation of unverified accounts for users that are too young to understand what security truly means, they complain that their account got stolen, Roblox support can’t verify that they own the account and next thing you know, they’re on twitter or elsewhere claiming that Roblox sucks and they want all their stuff back.

1 Like

They do change your IP and location. It’s technically impossible to use a VPN without having your IP changed, since you’ll have to connect to a VPN server.

In your response to my concern about legit users who don’t use VPNs to do bad things it seems like you don’t mind about them. I think that it’s very important to keep them in mind.

Using VPNs for botting seems like a violation of lots of VPN providers Terms of Service, but there is no way for the VPN provider to confirm this as they are likely to have a no-logs policy.
VPNs are a tricky thing, but please keep in mind that they are used for good things for the biggest part.

Roblox it a platform for all ages, including kids. I heavily disagree with your statement. Children sharing an account may cause into quarrels, as we (developers) don’t have our games optimalized for account shared with others. The most of the games only have one save slot per game. Brothers or sisters who share their account and both like a game but want to do something else in it (for example, brother wants a blue house in MeepCity and sister wants a pink one), there might be a quarrel about that. A limit on accounts per e-mail address would be more realistic for this.

1 Like

Game join captcha is simply not a good idea, It will only cause problems and annoyed players. The current captcha system is already quite painful to complete at times.

But considering this would actually get implemented I’d say dont make people do a captcha every time they join a game, Instead have them do a game join captcha once a month, since this is atleast more reasonable and user friendly and at the same time will fix the bot issues

Ever heard of Captcha solving services? In this case, they’ll only have to pay for 1 solved captcha per month per bot account. This will only make players annoyed. Bots don’t care.

3 Likes

If thats the case then why have captchas in the first place. Arent they supposed to stop bots? If bots dont care and can get trough them that easily then make better captchas.

1 Like

Bots can’t go though Captchas, but humans can. That’s why there are entire companies which offer Captcha solving services to people who bot stuff.

When a company like that gets a customer who wants Captchas solved, they’ll forward all Captchas the bot encounters to one of the companies employees (which are people from low-wage countries) to solve the Captcha.

Back to your question, I think there are Captchas to beat the hobby botters who do it from their bedroom, as they are likely to not want to pay for Captcha solving services.

1 Like

Oh yea i get it now. I thought you meant Bots as in an ai trying to solve the captcha. If its people solving it then there isnt realy anything that can stop them.

1 Like

There are way to bypass the Captcha. And there are ways to solve this “robotically”. Both require a-lot of experience and is something that I’ve been able to do. However, I do work in the infosec field of things so, a common person/user or whatever wouldn’t know how to do it. All it really takes is someone experienced to publish complex code that can bypass this and a lot of users will be able to bypass it. Naturally, most people who download code from github, etc have no idea as to what they’re downloading. The only thing they see is that “it can get me from A to B”, “it’s cool” and “omg, it’s free”.

Roblox implemented this because their own account system doesn’t have a distinction between a bot and a normal user. They do not have actual bot (application) support and those that appreciate automation move through repo after repo finding a bot that is easy to use. From there, they place their account cookie that allows the bot to act like a normal user. Even after all that, it’s actually incredibly easy to divert a captcha to a solving service or to a visual interface. Both of which, have been done before.

What Roblox really lacks is a way for users to automate repetitive actions. A way for users to create application-based bot accounts, get assigned a client token, and limit bot actions based on the API used. It would make life a lot easier and the libraries that are used to bot (mine being one of them) would have an easier time directing the flow of not using an account cookie. Using account cookies and having them shared via code or related will always be a complete and total risk. If there was a better interface, ethical botting would be much more manageable.

There will always be those people who bot maliciously but, you can tell/block them if you take notice to how often they’re being rate-limited at any given timeframe. Typically, that’s something I would definitely take into account when trying to find ways to distinguish a user from a bot. There are certain actions taken at speeds that aren’t humanely possible and I think Roblox should capitalize on that instead of placing captchas everywhere and thus, ruining the user’s experience.

4 years 7 months.


This now exists in the form of the Open Cloud APIS.

1 Like