BEDEV2 /user-profile-api/v1/user/profiles/get-profiles lacks a query limit

POST https://apis.roblox.com/user-profile-api/v1/user/profiles/get-profiles

{
    "userIds": [ 123456789 ], // big array (10K+)
    "fields": [
        "names.username",
        "names.displayName",
        "names.contactName",
        "names.platformName",
        "names.alias"
    ]
}

The new profile search endpoint used on the website lacks size limits and permits an arbitrary number of userIds to be queried at once (10K+).

Sufficiently large requests will fail with an HTTP 504 Gateway Timeout. Occasionally the request fails with an HTTP 400 Bad Request with an empty errors object.

{
    "errors": [
        {
            "message": "upstream request timeout",
            "code": 0
        }
    ]
}

Once a sufficient number of retries are made (and presumably the entire set of results is ready), the server responds with an HTTP 200 OK - this response can potentially be several MB of text data.

Each of these large requests consumes only 1 rate-limit attempt (of the 10000 pool limit); traditionally on other platforms, a query like this consumes 1 request per item to prevent abuse.

Expected behavior

Instead of an HTTP 504 Gateway Timeout, there should be an error documenting the query limit, or the pending status of the query.
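The two fixes the report asks for, a documented per-request cap and a rate-limit charge per queried item rather than per request, as an added server-side illustration that is not Roblox's code and is not from the original post. The cap of 200 is the value a later reply reports; field names match the request above; everything else (function names, error codes, the budget arithmetic) is assumed for the example.

```python
from typing import Any

MAX_USER_IDS = 200        # per-request cap; 200 is the value a later reply reports
RATE_LIMIT_POOL = 10000   # per-window request budget mentioned in the report
ALLOWED_FIELDS = {
    "names.username", "names.displayName", "names.contactName",
    "names.platformName", "names.alias",
}


class RateLimitExceeded(Exception):
    """Raised when a batch would overspend the caller's rate-limit budget."""


def _error(status: int, message: str, **extra: Any) -> tuple[int, dict]:
    # Every rejection carries a human-readable message, never an empty errors list
    return status, {"errors": [{"message": message, "code": 0, **extra}]}


def validate_get_profiles(req: Any) -> tuple[int, dict]:
    """Validate a parsed get-profiles body; return (http_status, json_body).

    Oversized batches are refused up front with an error that states the
    limit, instead of being forwarded and timing out upstream (504)."""
    if not isinstance(req, dict):
        return _error(400, "request body must be a JSON object")
    user_ids = req.get("userIds")
    fields = req.get("fields")
    if not isinstance(user_ids, list) or not all(isinstance(u, int) for u in user_ids):
        return _error(400, "userIds must be an array of integers")
    if not user_ids:
        return _error(400, "userIds must not be empty")
    if len(user_ids) > MAX_USER_IDS:
        return _error(400, f"userIds exceeds the maximum of {MAX_USER_IDS} per request",
                      limit=MAX_USER_IDS, received=len(user_ids))
    if not isinstance(fields, list) or not fields or not all(isinstance(f, str) for f in fields):
        return _error(400, "fields must be a non-empty array of strings")
    unknown = sorted(set(fields) - ALLOWED_FIELDS)
    if unknown:
        return _error(400, f"unknown fields: {', '.join(unknown)}")
    # Accepted: hand the de-duplicated batch to the profile store
    return 200, {"userIds": sorted(set(user_ids)), "fields": fields}


def charge_rate_limit(remaining: int, item_count: int) -> int:
    """Charge one unit per queried user rather than one per request, so a
    10K-item batch costs 10K units of the pool instead of a single attempt."""
    if item_count > remaining:
        raise RateLimitExceeded(f"batch of {item_count} exceeds remaining budget {remaining}")
    return remaining - item_count
```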

Wow, really interesting vulnerability here. Will be nice to use this to query heaps of user IDs whilst it lasts. :sweat_smile:

tbh this isn’t a bad thing even if it stays but maybe not at an extreme level like this. maybe the limit should be like 1000 bc this is genuinely sorta useful while it lasts

I believe this has been fixed, sadly :pensive:

Just tried to use this API in production today and it only accepts up to 200 user IDs now.

Thanks for flagging! This issue has been fixed now, closing the ticket.