Being careful when you run scripts in studio…

Recently, I discovered you can steal people’s IPs with scripts ran in Roblox Studio. This is a huge vulnerability to developers. Since the scripts are running on your device and not Roblox’s servers, it can connect to a ip getter using http and then it can return your ip, region, isp, and more, all from your device. It can then be sent to a Discord webhook.

Here’s how to prevent getting your ip taken:

  1. Don’t enable http service unless you have a specific and reasonable purpose for it.
  2. Use “Find/Replace” tab in Roblox Studio to search for all http instances in scripts. Exterminate scripts that you don’t know.
  3. Check free model scripts for http instances. Under no circumstance should a free model have http service included in it.
  4. Use a VPN. Probably one of the most useful tips for not getting your ip taken in general.
  5. Don’t run scripts from other developers without checking.

This is a short tutorial so lmk if you would like me to include anything else.

10 Likes

Who would this affect? Also how did you find out about this?

1 Like

hmm well if I were to keep it, I would check the URL endpoint but idk if that’s a good idea and all

Like @2222l1 said, how did you find this out? Did this happen to you or someone else? Or did you just think of it (I mean it makes sense)

1 Like

Plugins tend to use HttpService, for example Reclass to fetch the API dump.

For most people, exposing an IP isn’t much of an issue. If you happen to be among the few with risk on professionally targeted attacks (and not script kiddies) should use a VPN to cover up their breadcrumbs.

3 Likes

But aren’t they usually very broad?? I heard that they usually get the country and maybe city but not general area (is that right?)

1 Like

I’m sure a lot of coders know about this, but doesn’t HTTPs Service only work on the server, correct me if i’m wrong

1 Like

Just going to say this now: Any website you visit in your life, including the DevForum right now, has access to your IP. The only difference is those websites might have access to account details and credentials, where a little HTTP IP logger just has access to your public IP. As far as in live servers, that runs on Roblox’s servers, so it uses Roblox’s (again) public IP addresses.

Additionally, they can’t really do anything with your IP. Sure, this account’s IP address is X. But what are they going to do with your geolocation? Sell that on the black market? Most APIs use IP addresses for rate limiting, too.

6 Likes

In Roblox Studio, your machine acts as the server and makes the requests itself.

1 Like

@2222l1 @Doomcolp I didn’t find out about this, but one of my friends did. They said they found out how to grap IPs. Didn’t believe him until I saw my region.

@CommanderRanking @xChris_vC People having your IPs isn’t much of an issue unless the person who has your ip is a 12 year old and you are really popular and a target of many people.

Hope this info helps.

2 Likes

I’m sure not many 12 year olds know how to self-host an IP logging API that’s connected to a discord webhook… and using IP loggers without consent for malicious purposes like targeting people, big names or not, would be a cybercrime.

It is the literal definition of a botnet (which are HIGHLY illegal) if it is being used maliciously, and if it spreads, since you’re using “private computers without their knowledge to run malicious code to gather (personal identifiable) information in large quantities,” and really the only reason someone would target someone would be for a ransom. So uh yeah, any idiots thinking about doing this might want to think again.

1 Like

Run a black box on your network.

You will notice hundreds of unique IPs connecting to it, constantly probing for back doors.

Your little threat here in the DevForum does nothing to stop them.

1 Like

What do you mean?

goofy char limit

wait??? people actually still get scared if their ip is logged??

god is it like 2018 again?

i swear everyone knows by know if u reset ur router, ur ip is reset, and even then IT DOESNT MATTER, your ip if logged aint gonna reveal ur address or nothing.

An IP is something you shouldn’t generally share with people as people can possibly find vulnerabilities… and I posted this mainly because I found out about this IP grabbing method…

I know but with today, it isn’t really the end of the world.

Also you can just turn off your router, wait 15 minutes, turn it on then new ip.

3 Likes

I have been doing full stack web development for 4 years now, and I think I know what I’m talking about. Sure, explaining an internet crime isn’t necessarily going to stop anyone. Even though you get taught in school not to murder people, people still do. But I’m not explaining that to the people who are already doing it. I’m explaining it to the people who are thinking about doing this.

In real life, you’re going to face serious consequences, and although IP logging isn’t necessarily a crime in itself, using hundreds, if not thousands of remote computers who’s owners have no idea you’re accessing them to all run your “malicious information gathering software” is.

First of all, you down played the security risks of malicious scripts, saying there is a low chance of it happening.

Unfortunately, you are extremely wrong on that, there’s hundreds of toolbox items and even plugins that do this very thing.

Second of all, when I call you out, you go “I know what I’m talking about, I’ve been doing this for 4 years” without saying anything related to proof at all.

Third of all, you keep talking about laws, but in countries like Russia, you have no consequences.

Please quote where I said there is a low chance of it happening. Also, please link only one of the assets/plugins that do this, if it’s so “popular.”

And as far as countries like Russia who may not have as strict of laws when it comes to cybercrimes, many countries still have agreements in place that allow them to cooperate on cybercrime investigations and prosecutions outside of their borders, one example being the USA and Russia. So I don’t know where you were going with that…

Sorry, but the proof is on you. Rather than silence all debate by saying “I know better” and “give me proof”, you should be the one with the proof.

However, I’m going to give you some anyway.

It’s so common, there’s a recent post about this: Reverse-engineering malicious plugins #1

Don’t know how I’m silencing all debate when I’m literally debating with you, and I’m definitely not the one who needs to provide proof when you’re the one saying

Unfortunately, you are extremely wrong on that, there’s hundreds of toolbox items and even plugins that do this very thing.

And while I appreciate the “proof” you provided, if you actually read the code, it isn’t even connected to an API… it just sends your GameId to a Guilded webhook. :skull:

Anyway, I’ll be the bigger person and just end this, because it’s getting kind of boring repeating the same information over and over, just going in circles.