Recently, I discovered you can steal people’s IPs with scripts run in Roblox Studio. This is a huge vulnerability to developers. Since the scripts are running on your device and not Roblox’s servers, they can connect to an IP getter using HTTP and then it can return your IP, region, ISP, and more, all from your device. It can then be sent to a Discord webhook.
Here’s how to prevent getting your IP taken:
Don’t enable HTTP service unless you have a specific and reasonable purpose for it.
Use the “Find/Replace” tab in Roblox Studio to search for all HTTP instances in scripts. Exterminate scripts that you don’t know.
Check free model scripts for HTTP instances. Under no circumstance should a free model have HTTP service included in it.
Use a VPN. Probably one of the most useful tips for not getting your IP taken in general.
Don’t run scripts from other developers without checking.
This is a short tutorial so lmk if you would like me to include anything else.
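The Find/Replace check described in the post above can be automated from the Studio command bar. The following Luau snippet is an added example, not code from any poster in this thread; the marker list and the `findMarkers` helper are assumptions made for illustration.

```lua
-- Added example: paste into the Roblox Studio command bar with the place open.
-- Lists every script whose source mentions HttpService or its request methods.
local HttpService = game:GetService("HttpService")

-- Plain-text markers (assumed list). GetAsync also matches DataStore calls,
-- so every hit still needs to be read by a person.
local MARKERS = { "HttpService", "RequestAsync", "PostAsync", "GetAsync" }

-- Returns one "line N: marker" entry for each marker found in the source.
local function findMarkers(source)
	local hits = {}
	local lineNo = 0
	for line in (source .. "\n"):gmatch("(.-)\r?\n") do
		lineNo = lineNo + 1
		for _, marker in ipairs(MARKERS) do
			if string.find(line, marker, 1, true) then -- plain find, no patterns
				table.insert(hits, string.format("  line %d: %s", lineNo, marker))
			end
		end
	end
	return hits
end

local flagged = 0
for _, inst in ipairs(game:GetDescendants()) do
	-- Property access can fail on protected instances, so guard it with pcall.
	local ok, source = pcall(function()
		return inst:IsA("LuaSourceContainer") and inst.Source or nil
	end)
	if ok and source then
		local hits = findMarkers(source)
		if #hits > 0 then
			flagged = flagged + 1
			warn(inst:GetFullName())
			print(table.concat(hits, "\n"))
		end
	end
end

-- Report the place-level switch as well: with HttpEnabled off, HTTP requests fail.
local okFlag, enabled = pcall(function()
	return HttpService.HttpEnabled
end)
print(string.format("HttpEnabled = %s, scripts flagged = %d",
	okFlag and tostring(enabled) or "unreadable", flagged))
```

A hit is a prompt for manual review, not proof of abuse. The match is plain text, so it misses names that a script assembles at run time.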
Plugins tend to use HttpService, for example Reclass to fetch the API dump.
For most people, exposing an IP isn’t much of an issue. If you happen to be among the few at risk of professionally targeted attacks (and not script kiddies), you should use a VPN to cover up your breadcrumbs.
Just going to say this now: Any website you visit in your life, including the DevForum right now, has access to your IP. The only difference is those websites might have access to account details and credentials, where a little HTTP IP logger just has access to your public IP. As far as in live servers, that runs on Roblox’s servers, so it uses Roblox’s (again) public IP addresses.
Additionally, they can’t really do anything with your IP. Sure, this account’s IP address is X. But what are they going to do with your geolocation? Sell that on the black market? Most APIs use IP addresses for rate limiting, too.
@2222l1 @Doomcolp I didn’t find out about this, but one of my friends did. They said they found out how to grab IPs. Didn’t believe him until I saw my region.
@CommanderRanking @xChris_vC People having your IPs isn’t much of an issue unless the person who has your IP is a 12-year-old and you are really popular and a target of many people.
I’m sure not many 12-year-olds know how to self-host an IP logging API that’s connected to a Discord webhook… and using IP loggers without consent for malicious purposes like targeting people, big names or not, would be a cybercrime.
It is the literal definition of a botnet (which are HIGHLY illegal) if it is being used maliciously, and if it spreads, since you’re using “private computers without their knowledge to run malicious code to gather (personal identifiable) information in large quantities,” and really the only reason someone would target someone would be for a ransom. So uh yeah, any idiots thinking about doing this might want to think again.
wait??? people actually still get scared if their ip is logged??
god is it like 2018 again?
i swear everyone knows by now if u reset ur router, ur ip is reset, and even then IT DOESNT MATTER, your ip if logged aint gonna reveal ur address or nothing.
An IP is something you shouldn’t generally share with people as people can possibly find vulnerabilities… and I posted this mainly because I found out about this IP grabbing method…
I have been doing full stack web development for 4 years now, and I think I know what I’m talking about. Sure, explaining an internet crime isn’t necessarily going to stop anyone. Even though you get taught in school not to murder people, people still do. But I’m not explaining that to the people who are already doing it. I’m explaining it to the people who are thinking about doing this.
In real life, you’re going to face serious consequences, and although IP logging isn’t necessarily a crime in itself, using hundreds, if not thousands of remote computers whose owners have no idea you’re accessing them to all run your “malicious information gathering software” is.
First of all, you downplayed the security risks of malicious scripts, saying there is a low chance of it happening.
Unfortunately, you are extremely wrong on that, there’s hundreds of toolbox items and even plugins that do this very thing.
Second of all, when I call you out, you go “I know what I’m talking about, I’ve been doing this for 4 years” without saying anything related to proof at all.
Third of all, you keep talking about laws, but in countries like Russia, you have no consequences.
Please quote where I said there is a low chance of it happening. Also, please link only one of the assets/plugins that do this, if it’s so “popular.”
And as far as countries like Russia who may not have as strict of laws when it comes to cybercrimes, many countries still have agreements in place that allow them to cooperate on cybercrime investigations and prosecutions outside of their borders, one example being the USA and Russia. So I don’t know where you were going with that…
Don’t know how I’m silencing all debate when I’m literally debating with you, and I’m definitely not the one who needs to provide proof when you’re the one saying “Unfortunately, you are extremely wrong on that, there’s hundreds of toolbox items and even plugins that do this very thing.”
And while I appreciate the “proof” you provided, if you actually read the code, it isn’t even connected to an API… it just sends your GameId to a Guilded webhook.
Anyway, I’ll be the bigger person and just end this, because it’s getting kind of boring repeating the same information over and over, just going in circles.