Ban API: the potential issue of soft-locking yourself by not being able to unban yourself

Except the whole appeal of this new functionality is that it also bans suspected alts, which can (and depending how sensitive it is, probably will) pick up the alt, meaning it’s still locked out.

10 Likes

This is a major issue, in my opinion; a backdoor could theoretically irrevocably ban all the user/s (and their alt/s) of a given experience, including the Moderator/s & Administrator/s, and even the experience Creator.

For an inexperienced Dev (another appeal of this feature), they would likely not think to use the OpenCloud API to unban themselves (also, this would require them to have external VSCode knowledge).

7 Likes

Well, the alt account detection didn’t work when I tested it, so I’m not sure how sensitive it is. But like I mentioned they’re going to provide an interface on the creator hub anyway, so you can just easily unban yourself there.

4 Likes

They should add “Enable Ban API” toggle just like they have stuff for HTTP I guess.

Where disabling it also disables bans being applied and checked. :thinking: This is great, in case someone just wants to switch it off.

 

This sounds like a very cool solution, because indeed there are probably people that do not or never needed a Ban API. Regardless of whether they used Third-Party to ban.

But perhaps a Toggle in the Settings PROMOTES the Ban API way too much, and maybe Roblox doesn’t want to promote it.

 

I don’t know how Roblox handles Feedback nor if they have QA-like tests (not the Platform/OS based QA). They do listen to feedback, but I feel like there’s feedback that doesn’t land anywhere.

5 Likes

What is very interesting is that there is protection to ensure you don’t ban UserId 1 (the Roblox account), which is most likely never going to join your experience; yet you are still able to ban yourself…

6 Likes

erm… just publish a version of your game containing a script that unbans you??? Maybe I’m missing something.

2 Likes

A workaround to prevent soft-locking yourself in the first place: I suggest utilizing “whitelist” code, aka a dictionary or array of user IDs, then looping through it to verify whether your ID is on it before running the Ban API code.

This is more like a band-aid solution in the short term, but Roblox should implement some kind of actual protection for the game owner and a list of users who can edit the game. Maybe even create a dedicated whitelist on the website or in Studio of users who cannot be banned at all.

2 Likes

Simple fix to prevent this issue: when running BanAsync, throw an exception if the banned user ID is equal to the creator’s ID. I do feel like dealing with edge cases such as potentially banning yourself is something you should prepare for when utilizing the ban API.

1 Like
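As an added example (not code from this thread, and not Roblox’s own), here is one way to combine the two suggestions above in a server Script: a wrapper around Players:BanAsync that refuses to ban the creator or anyone on a staff allowlist, plus a server-start unban routine along the lines of the earlier “publish a version of your game containing a script that unbans you” idea. It assumes the documented BanConfigType fields (UserIds, ApplyToUniverse, Duration, DisplayReason, PrivateReason, ExcludeAltAccounts) and UnbanConfigType fields (UserIds, ApplyToUniverse); the staff user IDs are constructed placeholders; and, as the thread notes, both calls only work on a live server, not in Studio.

```lua
-- Added example, not from the thread or from Roblox: a guard around Players:BanAsync.
-- Assumes the documented BanConfigType fields (UserIds, ApplyToUniverse, Duration,
-- DisplayReason, PrivateReason, ExcludeAltAccounts) and UnbanConfigType fields
-- (UserIds, ApplyToUniverse). Must run in a server Script; both calls error in Studio.
local Players = game:GetService("Players")

-- Constructed placeholder IDs for staff who must never be banned.
local PROTECTED_USER_IDS: {[number]: boolean} = {
	[111111111] = true, -- placeholder: lead developer
	[222222222] = true, -- placeholder: moderator
}

-- For user-owned experiences CreatorId is the owner's UserId. For group-owned
-- experiences it is the group ID, so group owners must be listed above explicitly.
if game.CreatorType == Enum.CreatorType.User then
	PROTECTED_USER_IDS[game.CreatorId] = true
end

local function isProtected(userId: number): boolean
	return PROTECTED_USER_IDS[userId] == true
end

-- Splits a list of user IDs into bannable IDs and refused (protected) IDs.
local function partitionIds(userIds: {number}): ({number}, {number})
	local allowed, refused = {}, {}
	for _, id in ipairs(userIds) do
		if isProtected(id) then
			table.insert(refused, id)
		else
			table.insert(allowed, id)
		end
	end
	return allowed, refused
end

-- Bans every ID that is not protected. durationSeconds = -1 means permanent.
-- banAlts = true maps to ExcludeAltAccounts = false; alt detection then runs on
-- Roblox's side and can still reach a protected account through a shared alt,
-- which this wrapper cannot prevent (it only filters the IDs passed explicitly).
local function safeBan(userIds: {number}, durationSeconds: number, banAlts: boolean,
	displayReason: string, privateReason: string): (boolean, string)
	local toBan, refused = partitionIds(userIds)
	if #refused > 0 then
		warn("safeBan: refusing to ban protected user IDs " .. table.concat(refused, ", "))
	end
	if #toBan == 0 then
		return false, "nothing to ban"
	end
	local ok, err = pcall(Players.BanAsync, Players, {
		UserIds = toBan,
		ApplyToUniverse = true,
		Duration = durationSeconds,
		DisplayReason = displayReason,
		PrivateReason = privateReason,
		ExcludeAltAccounts = not banAlts,
	})
	if not ok then
		return false, tostring(err)
	end
	return true, "banned " .. #toBan .. " user(s)"
end

-- Recovery path: every time a server starts, lift any ban on the protected list.
-- A server only starts when some player joins, and the banned account itself
-- cannot join, so another player (or a non-banned alt) has to start a server
-- after this version is published for the unban to run.
local function unbanProtected(): (boolean, string)
	local ids = {}
	for id in pairs(PROTECTED_USER_IDS) do
		table.insert(ids, id)
	end
	if #ids == 0 then
		return false, "no protected IDs"
	end
	local ok, err = pcall(Players.UnbanAsync, Players, {
		UserIds = ids,
		ApplyToUniverse = true,
	})
	if not ok then
		return false, tostring(err)
	end
	return true, "unban requested for " .. #ids .. " user(s)"
end

-- Runs once per server start.
print(unbanProtected())

-- Example call from an admin command handler (constructed placeholder target ID):
-- print(safeBan({333333333}, 7 * 24 * 3600, true, "Exploiting", "Reported by staff"))
```

The allowlist lives in the same script as the ban call on purpose: a backdoor that calls Players:BanAsync directly bypasses it entirely, so the wrapper only protects against mistakes and against code that goes through it, while the unban routine is what actually recovers access afterwards.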

This doesn’t address the primary concern, which is malicious actors (i.e. backdoors) using BanAsync to ban the user/s (and their alt/s) from a given experience, including the Moderator/s & Administrator/s, and even the experience Creator.

Nothing can or will address this, until Roblox either whitelists the Creator or allows UnbanAsync to be run in Studio.

1 Like

I believe this has been sort of fixed. I went on my alt and attempted to ban myself; it returned the same error as if I tried to ban UserId 1. Place creators now seem to have a protection.

1 Like

I thought about it, but didn’t ever try it.

It would work if the Script gets executed by joining as the only person before or after the Ban API kicks you.

Someone told me and showed me that banning the Main works with alt detection.

It didn’t work for me, maaaybe it’s because of a different reason.

I was thinking of:

  • Maybe it depends what Region you’re in due to ToS or something?
  • Or something else that nobody should really worry about?

ExemptAltAccounts should be set to false

But I wonder about mixed bans.

Yeah, this was one of my concerns when I saw the news as well.

Could not reproduce this. It still banned me.

Really wish they would allow the API to work in studio. Before I had my discord bot, I would just run a DataStore async call to ban people in the command line.

Is it possible to 100% disable Ban API on my experience? To prevent the possibility of malicious users trying to ban everyone.

1 Like

This is just an acknowledgment announcement!

We’ve filed a ticket into our internal database for this issue, and will come back as soon as we have updates!

Thanks for flagging!

11 Likes

If you’re not using the ban api in any scripts, you’re fine.

The person you’re replying to specified backdoors, meaning you’d need to have used the API in your experience in some way for the backdoor to tie into the Ban API.

There’s a concept:

Roblox puts things on RobloxScriptSecurity, due to concerns, e.g. the ability to create QWidgets, because a Plugin Author could oversize the window or block the ability to close Studio, or with wrong use even crash Studio.

But this only happens if you install a Plugin and you can always uninstall it.

There’s no straightforward alternative provided to create those Widgets outside of RobloxScriptSecurity. That security level is a forced “baby-sitting”. (For a good reason)

But there’s no opt-out as well.

 

BanAsync came out. And I am surprised that this was simply just released. Marketplace ModuleScripts could be just as malicious as Plugins :thinking:

Pretty sure they had concerns, but maybe not studied that much.

But… idk

I don’t believe someone like Adonis Admin System or HD Admin, is going to do malicious things to their Modules. So, there shouldn’t be any issue when someone tried to consider it being one.

But using random Marketplace Scripts through InsertService, or without manually analyzing or extracting them out of the cloud and integrating them into the game, that could be bad.

 

Summarized, BanAsync doesn’t have much “baby-sitting” support, nor was it given a lot yet :person_shrugging:
Which is surprising compared to the other things that exist on Roblox that seem to have considered security.

I really don’t know why UserId 1 is magic here.

This could be a topic for how Roblox is for all ages vs. the innovation of them adding 17+ (to eventually be less restrictive or something, while still supporting the “all ages” thing).

Maybe one day they will allow more customization for a bunch of other technical stuff.

2 Likes

Thanks! Great to see you guys are listening to the feedback.

Something I noticed while testing is when I ban myself I could still test the game in Studio! My workaround is creating a script to unban yourself while in Studio and running it! If you still don’t understand: when I ban myself IN GAME it worked, but when I joined in Studio I could still test!