Better account security

As a Roblox developer, it is currently too hard to stay safe on Roblox’s website.

Roblox is a multi-million-dollar company that does not plan its security well enough.
Too many users get exploited, either in-game, where someone exploits the place; yes, Roblox has tried to address those issues by using FE (Filtering Enabled).

But website security has been the same ever since the website was made.
Roblox stores passwords encrypted in cookies, but the cookies OVERRIDE any extra layer of security you try to add.

Such as app authentication, e-mail authentication, the PIN you name it.

If you are unlucky and get hijacked, you are lost, until you figure out you lost EVERY limited and or R$.
Then, if you have already been restored once, you are no longer lucky enough to be restored, even though you have evidence of which users caused the issue.

Roblox keeps saying “this is a one-time thing”, and that they don’t have any restore tools.

The questions are

  1. How are R$ and other items restored if they don’t have a tool to restore them?
  2. Are they simply issuing new items and R$ to get them back?

Roblox should ensure that the passwords aren’t stored with a one-time cookie, where everyone can bypass ALL security options just by copying the cookie into another browser or computer.

I have suggested before that enabling the PIN on all sales and purchases helps somewhat.
But then again, some users will argue that it will be annoying to do mass trades and such.

The real question is, is security being taken seriously or is it just being kept as is, because users use the systems almost like a botnet and Roblox earns money?

If Roblox is able to address this issue, it would improve website security for users who might have had an issue, where they installed an extension by accident, and simply lost it all a second time.

37 Likes

There’s a misunderstanding of what a “security cookie” is. It’s not like an encrypted password, it’s just a token like are used in every other service. Discord has a token, Roblox has a token, and every other service you log into has a token.

For all of these services, if your token is yoinked, then your account is compromised. There is only so much Roblox can do before the burden falls on the user to be educated and not give out their token to phishing scams.

With that said, I agree on expanding the usage of pins.

11 Likes

If Roblox really wanted to secure the security cookie, they would need to tie it to a one-time cookie that tracks back to one IP only.
So if you go into a different machine, on a different network, it would get refused right away.

It might be hard to make, but it should not be impossible for such a big company.

4 Likes

If you compare the IP with home routers, they use IP lock, where if you change IP too fast, it locks you out for 10 minutes, unless you jump back to the same IP you logged in on.

If you then continue to try and push the security session cookie, it will force log you out, and make sure you type in the correct password, or you can use the forgotten password feature.
There are many things you can do to improve security on all devices.

1 Like

Roblox has expressed that the PIN is not intended to be a security feature and they are working on 2-factor authentication which expresses proper security. They have - and are working on - better account security right now. Refer to the High-Level Roadmap for details.

3 Likes

I know this, and it failed.
I have just experienced this, and Roblox’s recovery team says they only have a one-time restore, and they don’t have restore tools.

The two way authenticator is a flop.
It didn’t help at all.

1 Like

Do keep in mind that the keyword here is beta. 2FA is in a Closed Beta, not a full release. It is still lacking many of the end goal features that would make it worth facing a public rollout. That’s why the category and closed beta exist. If you’re in the closed beta, you can provide feedback regarding your experience using 2FA so far and make feature requests or reports.

I’m confident enough to say that the engineers working on 2FA are not support staff and have nothing to do with the recovery process of lost or stolen items on your account. That’s an entirely different matter which, if that’s the primary complaint of your feature request, should be the focus here. There’s a bit too much flavour text in the original thread to discern what exactly you want; it’s too broad.

2FA can’t fail if it has barely even started. I think you’re undermining engineering’s efforts to provide better account security a little too much here and getting their role confused with support’s role in inventory recovery. If you’re in the beta then you should know this if you’re keeping up with threads and the discussions they’re raising, including how they want to expand on account security and authentication in the future once they meet their current goals.

6 Likes

I’ve been in the beta for a long time.
I see no real feedback from staff.
All I see is the users discussing the information.

Yes it’s closed beta, and that’s where the 2FA concern may lay, but 2FA isn’t the only way to prevent access to accounts.

My OP has 3 cases.

  1. The recovery plan only allows for one recovery; why does it not let you recover stolen items as long as proof is sufficient?

  2. Why hasn’t Roblox made a recovery tool yet? Roblox has operated since 2005 (under its old name), officially 2006; there should be tools to ban the abuser and recover anything sold to that user, then manually recover the rest, or restore the user to the same day, which would restore the R$ spent by innocent users who purchased at the “low” cost the abusers put your items up for.

  3. Security of the account beyond 2FA, where it is currently only relying on a session cookie that can be stolen and re-used until the session is closed on Roblox’s side.
    If 2FA were working, it should have worked for me, but sadly, if it only covers the login page, it does not help at all.
    The login page can be covered by e-mail, an authentication app, Facebook login, etc.
    But the main problem is when the user is already logged in,
    where plugins have gained access to read the page in any way.

Yes, users can have issues when they install extensions in browsers, and it’s the website’s job to keep the users safe, even if they accidentally install an extension, which could hijack cookies.

1 Like

How will this account for the majority of the Roblox platform, which are mobile users? It’s not uncommon for mobile users to be switching between different WiFi and phone data, all with different IPs.

It would be tedious for users to continually log in, possibly dealing with typing a long password every time or doing a weird captcha. All of this for the minority of users that fall for a specific kind of phishing scam.

3 Likes

???

That’s not how cookies work.

For the rest of your issue, this will be solved when Roblox adds the new 2FA to more actions around the website. In an ideal world you cannot transfer huge Robux amounts, change account settings, or do other sensitive actions without sending a recent 2FA code to the relevant API endpoints.

I can appreciate it’s been a terrible experience for you, but I hope it has been an insightful lesson in practicing good security habits. e.g.:

  • Don’t reuse passwords
  • Rotate old passwords frequently enough
  • Add 2FA to accounts (e.g. your email) that would allow an attacker to compromise more accounts
  • Don’t use phone number for 2FA, it’s subject to SIM swapping
  • Don’t install software/extensions/etc willy-nilly, especially ones that are Roblox-related

5 Likes

Pins are not a security feature AFAIK.

I spoke with an engineer on this topic; it is meant solely as a parental control feature. The ultimate goal is that when 2FA is enabled, it replaces PINs entirely on any sensitive controls, i.e. group transfers, trades, group payouts, etc.

This is useless. A cookie is a session, it does not store your password, it stores session data. Each time you make a request to the web server which is most likely AWS, your cookie is sent to the server, and the server (usually) will send a/the cookie back.

This lets the server validate that you’re the person logged into the account that session is associated with on that browser. Cookies store minimal data too, usually just an account identifier which is unique (such as your user id.)

This can only compromise an account if you share your cookie. Every platform uses cookies for sessions, albeit some platforms use JWTs, but they have downsides.

1 Like
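The two points made in this thread, that the cookie is an opaque session id rather than a stored password, and that sensitive actions should require a recent 2FA code at the API, as an added Python example that is not Roblox's code; `SessionStore`, the action names and the time windows are assumptions:

```python
# Added example, not Roblox's code: a server-side session store where the
# cookie value is an opaque random id, plus a step-up rule that sensitive
# actions need a recent 2FA confirmation. All names/values are assumptions.
import secrets

SENSITIVE_ACTIONS = {"transfer_robux", "change_email", "change_password"}
MFA_MAX_AGE_SECONDS = 5 * 60               # assumed freshness window for 2FA
SESSION_MAX_AGE_SECONDS = 14 * 24 * 3600   # assumed absolute session lifetime

class SessionStore:
    def __init__(self):
        self._sessions = {}  # session_id -> {"user_id", "created_at", "mfa_at"}

    def login(self, user_id, now):
        # The cookie carries only this random id; it says nothing about the
        # password and means nothing outside this store.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id, "created_at": now, "mfa_at": None}
        return sid

    def confirm_mfa(self, sid, now):
        # Called once a 2FA code has been verified for this session.
        self._sessions[sid]["mfa_at"] = now

    def revoke(self, sid):
        # Server-side invalidation: a copied cookie stops working everywhere.
        self._sessions.pop(sid, None)

    def authorize(self, sid, action, now):
        """Return (allowed, reason) for an action requested with this cookie."""
        s = self._sessions.get(sid)
        if s is None:
            return False, "no such session"
        if now - s["created_at"] > SESSION_MAX_AGE_SECONDS:
            self.revoke(sid)
            return False, "session expired"
        if action in SENSITIVE_ACTIONS:
            if s["mfa_at"] is None or now - s["mfa_at"] > MFA_MAX_AGE_SECONDS:
                return False, "step-up required"
        return True, "ok"

def demo():
    store, t0 = SessionStore(), 1_700_000_000  # constructed timestamp
    cookie = store.login(user_id=12345, now=t0)
    r = {"view": store.authorize(cookie, "view_inventory", t0 + 10)[0],
         "transfer_no_mfa": store.authorize(cookie, "transfer_robux", t0 + 10)[1]}
    store.confirm_mfa(cookie, t0 + 20)
    r["transfer_fresh"] = store.authorize(cookie, "transfer_robux", t0 + 30)[0]
    r["transfer_stale"] = store.authorize(cookie, "transfer_robux", t0 + 400)[1]
    return r
```

A session id alone still reads the account, which is why `revoke` exists; the step-up window is what keeps a copied cookie from moving Robux or changing account settings on its own.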

The big issue is that extensions made by the same person on the Chrome store and the Firefox store can be completely different, I have learned…

And the fact that I hate how Firefox works…

Other than that, I always follow the steps of good usage of the internet and its password security protocols.
Sadly trusting the same extension on both stores was a mistake…

But the issue at the end is still that Roblox has no way of restoring after the one and only restore.
Yes, the bad person gets banned, but you don’t get anything back.
I feel ripped off.

3 Likes