Attention group owners: Critical group security flaw with ranking users

There is currently a major security flaw within roblox groups. I cannot disclose it due to risk of bad actors using it, however reproduction steps have been sent to @Exploit_Reports. I will keep this post updated with details as they come. You can prevent this exploit in the mean time by removing all permissions from all ranks within your group. (I advise this highly).

Original Report:
This critical roblox security flaw allows you to take ownership of ANY group in which you have the “Manage lower-ranked member ranks” permission via the roblox groups API.

Once the API request is sent to rank another account to owner, the group will have two owners. You can then use the API to transfer the group ownership and the group is taken from the owner.

REPRODUCTION STEPS:

  1. Acquire the “Manage lower-ranked member ranks” in the Roblox Group you desire to perform this glitch on.
  2. Get a simple HTTP request engine (Postman or something of the like).
  3. Make a PATCH request to https://groups.roblox.com/v1/groups/{groupId]/users/{userId} with the appropriate parameters.
  4. Attach the {Roblox.Groups.Api.UpdateUserRoleRequest} body to the PATCH request.
  5. Send the PATCH request and look at the Roblox Group effected.

Note: You cannot promote yourself to owner but you can promote any other user in the group to owner. (Ex. a user with ranking perms can promote their alternate account to owner but not themself.)

Once promoted to owner you have all permissions that an owner would (except you are unable to transfer the group’s ownership via the website, however you can on the API.)

Special thanks to @CartarFerrero for the repro

179 Likes

Thanks for the heads-up, we are investigating.

53 Likes

Thank you for the detailed report in private, we were able to reproduce an issue and are working on a priority fix.

The offending endpoint has been disabled entirely while we are working on a fix. This means this vulnerability can currently not be abused. (please let us know if you see otherwise, in private)

We will update you once the issue has been resolved. In the mean-time, please expect issues when trying to change user roles in groups (this is part of the endpoint that was disabled).

143 Likes

Are you able to private message me a repo of this flaw? There was an announcement on the clanny discord server about this

UPDATE (for clanny users)
image

13 Likes

Wow, that’s just sad, I wonder how long this bug was a thing before it was discovered, and even then, it took two days for a report to be made and for staff to realize

I hope no one’s group got affected by this, though I do hope that this is a wake up call for Roblox to improve website security

Though thanks for reporting this issue

21 Likes

Why are these flaws just being discovered? This raises huge security concerns for groups – and potentially incomes for many developers. Is ROBLOX actively searching for bugs to issues or will they only be patched after a user has reported abuse on the platform?

13 Likes

I’m getting “API disabled in RCC Channel” error, does it have anything to do with this?

2 Likes

I feel like it’s the second way that you described, so if this post was never made, I feel like this bug would still be attacking groups

2 Likes

Hi! I understand your frustration towards the Roblox Staff Team but it’s not their fault. Roblox Simply has procedures that need to be followed which include terminating an account that was associated with putting in a disgusting model that may or may not be Not Safe for Work. I completely under your anger at the Roblox Staff Team but they’ve been hired to do certain things, so do not be complaining.

6 Likes

I think we have every right to be at least concerned as this brings up the question: “What other security flaws are under the rug in the service?”

15 Likes

The topic was moved to a category you don’t have permissions for. No need to be so dramatic.

I do agree however that this is embarrassing, but it is par for the course. Roblox is enormous and I’m sure there are more than a few oversights. What should happen as a result of this is an audit for the same mistake here on all other major endpoints.

21 Likes

Historically many issues like these need to be leaked to the public before Roblox makes it a priority to fix them. In 2013 I reported a similar exploit that pertained to Personal Build Servers and it persisted for years until they decided to remove the PBS feature entirely - this is granted that I never shared or leaked what I did. I’m sure there are more/better examples but I suspect that with the introduction of the hackerone bounty program, Roblox themselves are less actively looking for these kinds of issues themselves - which would only make sense

7 Likes

Because Roblox is an enormous platform, with hundreds of endpoints. Nobody here knows how long the vulnerability was present, nor how many people were affected by it. The important thing, however, is that Roblox had a very rapid response to the report and immediately took action to temporarily prevent the usage of the endpoint so that the vulnerability cannot be abused any further.

All large-scale software will have vulnerabilities, big or small, and that is just a fact of the internet. Yes, it is a shame the issue wasn’t spotted in QA or code review, but the scale of damage doesn’t seem huge and the response was as good as it could have been.

41 Likes

Vmena, god bless you for reporting this. We need more good people like you in the world. Glad that developers with integrity exist within our community. Who knows how much damage this would have caused within the Roblox community. :heart:

Exactly. What matters is they took swift action and disabled the ability to reproduce the vulnerability until they can find a solution. I’m surprised they did it at such unprecedented pace too.

15 Likes

Is this confirmed to be fixed yet? I’ve had reports that ranking in groups works again, but I don’t want to turn permissions back on until I’ve heard confirmation that this security flaw is patched.

18 Likes

Thank you for letting us know about this issue. It has since been fixed and private messages have been sent to group owners who may have been affected. Thanks for your patience!

29 Likes

Anyone else getting 503 errors now?

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.