As a BloxCord user and an owner of a 500K+ member group, I’ve never run into issues with data being used improperly; all data provided is very helpful for keeping track of my game and it has never been used otherwise. Most of the data collected is for the developer’s eye so they can see how much time specific players are spending in game, who’s engaging, etc., and many other stats Roblox developer stats don’t currently provide. I honestly think you’re mistaken, as I’ve never had such issues using BloxCord. (I’ve been using BloxCord in my game since 10M visits, now at 25M, and it’s been an amazing tool.)
This was an issue 6 months ago; the majority of the staff were toxic and threatened to leak data from another individual user.
I would still have proof, but I don’t anymore as I didn’t take much note of it until I recently saw this post again.
The staff are unprofessional here, consistently arguing, and that’s before they wanted to leak the individual’s data among other staff members.
This bot is good if you’re not in their community server, but if you are in their server then this service isn’t for you.
I use a simple alternative service called rolink, which has only 1 support staff member (the developer), and he is friendly.
And it probably has the same or more features as this.
We are unaware of any toxic/rude staff. Getting moderated for breaking our community guidelines is not grounds for anyone hating you.
Further, no staff have access to any data on our customers.
Please do not make false accusations on our free community resource just because you fail to follow insanely simple and basic community rules.
On an ending note, the developer forum is not a place to argue; I suggest you move on and understand why pinging multiple support staff constantly when they don’t answer in a millisecond is excessive and against our spam guidelines.
Sorry bud, but you got the wrong guy. I never consistently pinged people for support.
It seems that the bot is down. To anyone reading this message and wishing to use the bot: unless someone replies otherwise, do not bother adding this bot.
I tried to add this to my server, but when I click the invite link, it says page cannot be reached. When I go to join the support server, it says the invite is invalid or has expired.
BloxCord was discontinued about three weeks ago. It’s operating privately for now while we create many more features. It will be open to the public in the future.
I am sure they would most likely request to use your data, and no personal data will be leaked. Other places might do this; however, I can assure you BloxCord is not one of those places.
Yet again, I highly suggest reading this message and the announcements in the BloxCord server before trying to verify.
We all hope BloxCord resumes, but until then you may not be able to verify.
I think BloxCord has been updated! Very cool. I am not sure if you know, but I was removed from the Discord server; I do not know why. However, the website will not take me to create my organization (it also wiped all data, which I understand). How can I create my organization? It won’t do anything at the moment!
The new BloxCord is completely different from this post. The new BloxCord is not released yet. As per our records and our mission to protect the data of children, you were correctly banned from all of our properties for being under the age of 13. Please do not ask to appeal until you turn 13. All of your BloxCord data was deleted as we are not permitted to process or access your information unless you are over the age of 13. Have a great day.
I do not understand…
You deleted all my BloxCord data because you think I am underage. What will I need to do to make you see the truth?
Just as a point of question, whilst I’m sure you are indeed encrypting data at rest using AES, your statement about keeping the database on the same host as the server might negate the impact of that encryption.
If your web server or bot is somehow compromised, then an attacker could use the same credentials that they’re using to log into the database and steal customer data. A better approach might be creating a separate, private API server which checks the database whilst still checking that the bot / frontend server are authorized to see that data.
In the 2020 version of BloxCord, even though everything was on one machine, encryption at-rest is still important. In case you misunderstood, the entire disk is what’s encrypted, not just the database contents. (This topic has info from Aug 2020 and we’re about to roll out a dashboard soon which has completely different infrastructure than the old bot project).
Secondly, while I understand where you are coming from, your idea about an API server on the host of the database instance is not ideal. Even though it could work for small applications with not a lot of traffic, it certainly won’t work when you are trying to get every drop of performance for the cost of running a production project. Here’s why:
- First of all, you can literally just put the database on a private network with a similar concept to a home network, example: db-host=10.1.1.7, frontend-api=10.1.1.2 → The public cannot access the database through normal authentication as it is only on a private network.
- The API can easily be overloaded because of large data transfer and kill your product’s efficiency.
- I’m sure there are many other reasons why that’s a bad idea or useless in general.
The best solution, which the coming-soon version of BloxCord employs, is that of using firewall(s) such that any connections with IP addresses that don’t belong to a BloxCord server are blocked. The database drive/database should remain encrypted at-rest regardless of if your network is sealed off and is just better security practice. Better safe than sorry.
I agree with default disk encryption as a security precaution against datacenter compromise - I just don’t think it should be a key selling point for the application’s security. My point is that the most likely avenue a threat actor would take isn’t against your physical disks, but instead against vulnerabilities in the server (insecure credentials, vulnerable software, etc.) which might allow them to gain persistence and elevated credentials on the box. In this situation, encryption or not, the data can be accessed.
Relevant xkcd
Regarding having a separate, private API which is exposed only to your frontend container and manages database requests, it’s a matter of engineering as to how reliable it is and if it meets the performance requirements of your system. I’ve engineered corporate database-backed applications before and I haven’t found issues with having an internal API experience exceptional load when the frontend has not also experienced the same issue.
Isolating your environment via containerization is absolutely a good way to go about this (I assume you’re using Docker here) and that’s exactly what I was getting at previously. This is different to hosting it on localhost, which implies the services share the same loopback interface.
This is what I’m assuming you’re talking about here:
Here, only the “public” docker network is exposed to the Internet, whilst the “private” docker network is linked to the “public” containers so they can access it, but nobody else can. This is the same as what you were getting at with a firewall.
This works well, however what happens if an attacker exploits some vulnerability in your web server engine (i.e. an express vulnerability, if you’re using Node.js) and gets access to your database from there? It’s exceptionally unlikely, but if your application becomes popular to the same degree as Bloxlink or RoVer then you will absolutely have motivated people trying to access or modify your secrets.
I think the ideal solution, depending on where you’re hosting, would be to adopt a cloud-native architecture which would solve most of these issues if you’re hoping to have a serious production application. Here’s an example diagram of what you could cook up in AWS:
As long as you are locking down the IAM permissions for the services, this almost entirely mitigates an attacker pivoting around your system to access sensitive details.
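As an added illustration (my own example, not BloxCord’s configuration) of the “public” / “private” Docker network split described in this post, combined with the separate private API server suggested earlier in the thread: it goes one step beyond the two-network picture by splitting the private side into an app network and a data network, so a compromised web container has no route to the database at all. Image names, service names, ports and the secret file path are all assumed.

```yaml
# Assumed docker-compose layout (example, not BloxCord's own config).
# "public" is the only network with a route to the Internet.
# "app" and "data" are marked internal: Docker gives them no external
# route and nothing on them can be published, which is the container
# equivalent of the private-subnet + firewall approach in the thread.
networks:
  public: {}
  app:
    internal: true
  data:
    internal: true

services:
  frontend:                      # web/bot tier: the only published port
    image: nginx:1.25            # assumed image
    ports:
      - "443:443"
    networks: [public, app]      # NOT on "data": cannot reach the DB
    depends_on: [api]

  api:                           # private API: sole client of the database
    image: example/ranking-api:latest   # placeholder image name
    networks: [app, data]        # reachable from frontend, never from outside
    environment:
      DB_HOST: db                # resolved on the "data" network only
      DB_USER: api_readwrite
      DB_PASSWORD_FILE: /run/secrets/db_password   # assumed app convention
    secrets: [db_password]

  db:
    image: postgres:16           # assumed database engine
    networks: [data]             # no ports: clause, so no host/Internet exposure
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    volumes:
      - dbdata:/var/lib/postgresql/data   # keep this volume on an encrypted disk

secrets:
  db_password:
    file: ./secrets/db_password.txt      # assumed path; kept out of image and repo

volumes:
  dbdata: {}
```

The DB credentials never enter the frontend container, so an exploit in the web tier yields at most the API’s own endpoints, which is where authorization checks for the bot/frontend belong.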
I just don’t think it should be a key selling point for the application’s security
In the 2020 version, this is one of the only things that could be said about security. Since it was only a Discord bot at that time, it was a precedent that you can’t just access someone else’s ranking through your server’s context. It was mentioned because a lot of our competitors at the time were being “cancelled” due to storing .ROBLOSECURITY cookies in .json or .txt formats like this: GUILDID=cookiehere;GUILDID=cookiehere. We didn’t want anyone thinking we store confidential information unencrypted in text files. Furthermore, competitor ranking services were claiming to encrypt .ROBLOSECURITY cookies in “SHA256” and if you know you know.
This works well, however what happens if an attacker exploits some vulnerability in your web server engine (i.e. an express vulnerability, if you’re using Node.js) and gets access to your database from there? It’s exceptionally unlikely, but if your application becomes popular to the same degree as Bloxlink or RoVer then you will absolutely have motivated people trying to access or modify your secrets.
This all just depends on how you’re coding it. What you said can be said about any other application, like your RoVer or Bloxlink example, it’s all about human error such that you leave a hole in your authentication flow. Trust us, we’ve got years of experience in WebServer security and can assure you that unauthorized access to data will not occur.
As long as you are locking down the IAM permissions for the services, this almost entirely mitigates an attacker pivoting around your system to access sensitive details.
Absolutely correct. We have offered bounties to some experienced web developers to try to penetrate our IAM flow in our current beta testing phase. Today marks the 5th day with no success.
Hello, Watercoolings.
My Roblox group (we are “Atlantic Airways”) was recently raided and had members’ ranks changed. Please can we confirm that all data from the old BloxCord has been deleted, as our ranking bot ranked a member; only I have access to the bot account, but BloxCord did have the token, so it could be possible someone accessed the data. If you know anyone known as “peyton”, they are the person responsible for the raid.
The Atlantic team just needs to confirm that you deleted all data properly, so that we can rule out that it was someone at BloxCord.
The public BloxCord version which you are referencing was discontinued months ago. The discontinuation resulted in all data being deleted, including all organizations and Roblox-Discord Verifications. Even if you claim the cookie was taken before the discontinuation, BloxCord does not allow members or administrators (including the organization owner) to view the on-file .ROBLOSECURITY cookie after they successfully login on the dashboard.
It is pretty much impossible for BloxCord to have caused the raid on your group. Was your account in good hands? Did you use a password that you use for a different account/site? Does someone in your leadership team have access to the cookie that you don’t know of? Could someone have ranked the attacker using the BloxCord dashboard when BloxCord was still up?
This seems more of an internal security issue than a BloxCord issue. Regardless, we appreciate you bringing this concern up directly.
Alright, thanks for the response. As far as I am aware none of my team had access to the account, but I will keep looking!
I think BloxCord is a very good service with perfect security threads. The BloxCord website has a cool design and everything functions for now in the Beta release.