Assetdelivery allowing the rbxm download of paid plugins

Currently the asset delivery API endpoints are allowed to download plugins; whether paid or unpaid, however this is specifically about after purchase. This is a hazard as it would be easy for people to re-distribute this off-platform (for a lower price or even for free) by simply purchasing a plugin and using the asset delivery api endpoint to download it in rbxm format.

I have no clue if this also applies to other assets but I’d have assume so.

Browser used: Firefox Developer Edition

Expected behavior

I expect the asset delivery API to not be able to download specifically paid assets through unfamiliar means. This being outside of studio’s environment or whichever environment is utilized for cloud assets such as plugins.

A private message is associated with this bug report

3 Likes

This has been known for a long time, first time someone has said something about it I believe.

2 Likes

Yeah, seems so which is slightly a bother as there are plenty tools out there. It really shoots down the safety of uploading paid plugins. Id rather not have them be redistributed as easily as it currently is. Especially considering we can’t upload our own EULA of sorts either.

1 Like

Are the plugin files stored in the game’s files? If so, then it’s possible to get them that way anyway.
Also, I wouldn’t want plugin files to be in the cloud as I like that roblox studio keeps working even when roblox is down or you lose internet (after you opened the place, with team create disabled)

1 Like

Hi there, thanks for reporting this - the asset delivery API is used for Studio delivery of plugins, it is gated on paying for the items if they are priced. We are conscious of the issues you described, and would love to hear any ideas and feedback on the topic.

1 Like

With the recent introduction of the new creator store there are seemingly a couple of safeguards in place that would at least provide security to the user’s endpoint. To list them from the post itself for anyone else reading:

  • Upload rate limits to help prevent spam and misuse
  • Automated detection of malicious code in Creator Store assets
  • Human evaluation of top and new assets covering over 50% of Creator Store insertions
  • Defaulting to show content from ID/phone-verified creators only
  • Bans of coding patterns /APIs primarily used for malicious behavior
  • Systematic moderation of malicious content and consequences for bad actors

with this in mind it’s safe to assume that increased protection around creators could be introduced as well. To name a couple that could be utilized here is:

  • Encryption of (paid) plugins.
    • alternatively allow developers to do this themselves to allow for more versatile results instead of a one solution fits all that allows people to crack 1 plugin and have the rest of them with said method as well.
  • Obfuscation of uploaded contents
    • prevents potential easy modification/readability of code
  • Marking the asset with a purchaser’s id of sorts to prevent spreading
    • Think of how activation codes work with software, primarily in the case of preventing re-distributing the encrypted files.
    • Implementing activation codes manually as a tool developer is useless if the source code can be ripped out anyway

On a more legal side of things, allow us to upload our own EULA of sorts. This way we can choose our own form of agreement or utilize roblox’. Unity is a great example that allows this as well.

afbeelding

afbeelding

Keep in mind these are all preventive ideas, stuff obviously can never be 100% water tight, but it can be made harder to crack in order to make it less worth it to actually do.

If anyone has any other potential ideas by all means list them, these are just a number of them that I’m currently able to provide.

4 Likes

I think some form of encryption or signing would be the best approach here, the issue I have is that people can just lift RBXMs from their studio install and share them.

The plugin developer should still get an unencrypted copy though in case they lose the source code and need to download it from Roblox again.

4 Likes

It would be nice if the plugin source code were compiled ahead of time so that all the end user receives is bytecode (just like how clients in-game never receive script source). Shipping plugins as bytecode makes it practically impossible for someone to re-publish it because you cannot upload an rbxm with unsigned bytecode.

2 Likes

I definitely agree with the bytecode take. I was thinking about ways to effectively prevent users from modifying/seeing the source code, and that was what I came up with a few months ago. The only concern I had with it is that although it does prevent redistribution through Roblox, it doesn’t stop an end-user from sharing it on a third-party platform. I’m sure there may be ways for Roblox to circumvent this though. I’ve thought of a few, but they sound resourcefully expensive, or just easy to get around.

Edit: Just thought about this a bit more. I’m sure the publishers of plugin’s could add a check to see if the running user owns the plugin. That would prevent easy distribution. You could reverse engineer the bytecode and remove the check, but at that point, you’re going to have people get around it regardless.

1 Like

I would initially agree with this if it wasn’t for the RCE that lurks within Luau bytecode, though as far as I’m aware, you cant get bad code from the compiler, it would require directly modifying it

This would require very careful implementation to make sure someone cant just publish malicious bytecode.

1 Like

Ideally, shouldn’t Roblox/Studio itself be the one handling that?

2 Likes

I definitely think so, yes. Roblox could pre-append a validation code snippet to the plugin before compiling the bytecode, that might work just as well! Just ideas.

I HIGHLY recommend people to just use version control software, like github as an example.

If we look at Unity’s game compiling, it’d be pretty much the same. Its compiled and available as an exe with dlls for content which is more of a hassle (still not difficult obviously) to reverse engineer without a form of encryption around it than to just open the project on your device or from a version control application.

Or just have a specific place with all your plugins you’ve made stored in ServerStorage/ServerScriptService, that one works too.

I feel like this should 100% be the bare minimum, though with a couple more checks on-top of it perhaps

I reckon it’d be best for Roblox to do the conversion when the plugin is updated/placed in store (i reckon alike to how places are handled) and put on sale by them after all the checking is done, they already have to do the checks to ensure no malicious content is uploaded to the marketplace.

Because every developer uses git and vscode, and doesn’t code plugins within Roblox Studio, or anything

2 Likes

This report is marked as ‘closed’, but I don’t think there’s is a solution to this yet?
Perhaps there is a new security feature I’m not aware of?

Plugins should be secured better. It’s scary how easily someone can rip the code and republish it instantly.