There is currently a major security flaw within Roblox groups. I cannot disclose it due to risk of bad actors using it, however reproduction steps have been sent to @Exploit_Reports. I will keep this post updated with details as they come. You can prevent this exploit in the meantime by removing all permissions from all ranks within your group. (I advise this highly).
Original Report: This critical Roblox security flaw allows you to take ownership of ANY group in which you have the “Manage lower-ranked member ranks” permission via the Roblox groups API.
Once the API request is sent to rank another account to owner, the group will have two owners. You can then use the API to transfer the group ownership and the group is taken from the owner.
Acquire the “Manage lower-ranked member ranks” permission in the Roblox Group you desire to perform this glitch on.
Get a simple HTTP request engine (Postman or something of the like).
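An added illustrative model (written for this thread, not Roblox's code) of the bug class the report describes: a rank-change check that verifies the actor outranks the target's current rank but never bounds the new rank being assigned, so a second owner can be created. The permission name, rank numbers and user ids are constructed assumptions; the hardened variant shows the check a defender would want.

```python
# Illustrative model only; the permission name, rank numbers and users are constructed.
from dataclasses import dataclass

OWNER_RANK = 255  # highest rank; exactly one member should ever hold it
MANAGE_LOWER = "manage_lower_ranked_member_ranks"  # assumed permission name


@dataclass
class Group:
    ranks: dict    # rank number -> set of permission names granted to that rank
    members: dict  # user id -> rank number

    def owners(self):
        return sorted(u for u, r in self.members.items() if r == OWNER_RANK)


def set_rank_vulnerable(group, actor, target, new_rank):
    """Flawed check: confirms the actor holds the permission and currently
    outranks the target, but never bounds new_rank, so an actor with only
    the 'manage lower ranks' permission can promote the target to owner."""
    actor_rank = group.members[actor]
    if MANAGE_LOWER not in group.ranks.get(actor_rank, set()):
        raise PermissionError("missing permission")
    if group.members[target] >= actor_rank:
        raise PermissionError("target is not lower-ranked")
    group.members[target] = new_rank


def set_rank_hardened(group, actor, target, new_rank):
    """Hardened check: the target's current rank AND the new rank must both be
    strictly below the actor's rank, the new rank must exist, and the owner
    rank is never assignable through this path (ownership has its own flow),
    which keeps the single-owner invariant intact."""
    actor_rank = group.members[actor]
    if MANAGE_LOWER not in group.ranks.get(actor_rank, set()):
        raise PermissionError("missing permission")
    if group.members[target] >= actor_rank or new_rank >= actor_rank:
        raise PermissionError("rank outside the actor's authority")
    if new_rank == OWNER_RANK or new_rank not in group.ranks:
        raise PermissionError("rank not assignable via this endpoint")
    group.members[target] = new_rank


def make_group():
    # Constructed sample: owner (255), moderator (100) holding the permission,
    # an intermediate rank (50) and a plain member (1).
    ranks = {OWNER_RANK: {MANAGE_LOWER}, 100: {MANAGE_LOWER}, 50: set(), 1: set()}
    return Group(ranks=ranks, members={"owner": OWNER_RANK, "mod": 100, "alt": 1})
```

Running both variants against the same constructed group shows the flawed check leaving two owners while the hardened check rejects the request and still permits a legitimate promotion within the actor's authority.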
Why are these flaws just being discovered? This raises huge security concerns for groups – and potentially incomes for many developers. Is ROBLOX actively searching for bugs or issues, or will they only be patched after a user has reported abuse on the platform?
Hi! I understand your frustration towards the Roblox Staff Team but it’s not their fault. Roblox simply has procedures that need to be followed which include terminating an account that was associated with putting in a disgusting model that may or may not be Not Safe for Work. I completely understand your anger at the Roblox Staff Team but they’ve been hired to do certain things, so do not be complaining.
The topic was moved to a category you don’t have permissions for. No need to be so dramatic.
I do agree however that this is embarrassing, but it is par for the course. Roblox is enormous and I’m sure there are more than a few oversights. What should happen as a result of this is an audit for the same mistake here on all other major endpoints.
Historically many issues like these need to be leaked to the public before Roblox makes it a priority to fix them. In 2013 I reported a similar exploit that pertained to Personal Build Servers and it persisted for years until they decided to remove the PBS feature entirely - this is granted that I never shared or leaked what I did. I’m sure there are more/better examples but I suspect that with the introduction of the HackerOne bounty program, Roblox themselves are less actively looking for these kinds of issues - which would only make sense.
Because Roblox is an enormous platform, with hundreds of endpoints. Nobody here knows how long the vulnerability was present, nor how many people were affected by it. The important thing, however, is that Roblox had a very rapid response to the report and immediately took action to temporarily prevent the usage of the endpoint so that the vulnerability cannot be abused any further.
All large-scale software will have vulnerabilities, big or small, and that is just a fact of the internet. Yes, it is a shame the issue wasn’t spotted in QA or code review, but the scale of damage doesn’t seem huge and the response was as good as it could have been.
Vmena, god bless you for reporting this. We need more good people like you in the world. Glad that developers with integrity exist within our community. Who knows how much damage this would have caused within the Roblox community.
Exactly. What matters is they took swift action and disabled the ability to reproduce the vulnerability until they can find a solution. I’m surprised they did it at such an unprecedented pace too.