With the Egg Hunt event earlier this year, it became quite annoying that players seemed to have the ability to track us through a browser extension despite having our privacy settings set to “No one” or “Friends”.
I would greatly appreciate this bypass being removed so that the privacy settings are respected.
I’ve been aware of the 50 blocked user limit for a long time now, but I never understood why. If a player wants to block more than that amount, why not allow them? Limiting it could be a safety issue for the user, whereas allowing it seems to have little to no repercussions.
Discussion related to changing the number of blocked users should be directed to the appropriate threads and not here. While an option does not represent a long-term solution
I’ve also been advised that this exploit has existed in SynapseX for quite some time. Even if the Chrome extension used is fixed to allow opting out, it does not actually solve the issue at all, given its use in Synapse or in reuploads generally.
Basically, all it does is look up avatars, but people like Albert have very common avatars, so it is not easy to track them. I personally do not think it tracks the avatar headshot in the server; instead, it looks up your profile.
I agree this is an issue on the platform, specifically to those with a relatively large following.
You suggest removing the avatars completely off the server list, but I don’t personally feel this is the best approach to this issue. Instead, you could remove the avatar image based on privacy settings - so if the follow settings are friends only, you only show the real avatar to friends of the user.
Otherwise, if they’re not friends, return a default or randomized avatar to replace their real avatar.
This would allow Roblox to keep the website feature and fix the issue you’re describing here.
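A sketch of the privacy-aware filtering proposed in the reply above, as an added example that is not code from this thread or from Roblox. The `JoinPrivacy` values, the player and server records, and the `example.invalid` thumbnail URLs are all constructed here; the real site's settings and endpoints are assumed to be analogous.

```python
# Added illustration (not Roblox's code): apply the "who can join me" privacy
# setting before a server-list response includes a player's avatar thumbnail.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class JoinPrivacy(Enum):
    """Constructed stand-in for the on-site 'who can join me' setting."""
    EVERYONE = "everyone"
    FRIENDS = "friends"
    NO_ONE = "no_one"


# Placeholder URL (constructed). One shared generic image is used for every
# hidden player, so hidden players in a list are indistinguishable from each other.
GENERIC_AVATAR_URL = "https://thumbnails.example.invalid/generic.png"


@dataclass(frozen=True)
class Player:
    user_id: int
    join_privacy: JoinPrivacy
    avatar_url: str                        # real headshot from the shared avatar cache
    friends: frozenset = field(default_factory=frozenset)


def thumbnail_for(viewer_id: int, player: Player) -> str:
    """Return the thumbnail URL the viewer is allowed to see for this player."""
    if viewer_id == player.user_id or player.join_privacy is JoinPrivacy.EVERYONE:
        return player.avatar_url
    if player.join_privacy is JoinPrivacy.FRIENDS and viewer_id in player.friends:
        return player.avatar_url
    return GENERIC_AVATAR_URL              # FRIENDS with a non-friend viewer, or NO_ONE


def server_list_view(viewer_id: int, servers: Dict[str, List[int]],
                     players: Dict[int, Player]) -> Dict[str, List[str]]:
    """Build the server list as this viewer would receive it: job id -> thumbnail URLs."""
    return {job_id: [thumbnail_for(viewer_id, players[uid]) for uid in member_ids]
            for job_id, member_ids in servers.items()}


def leaks_presence(viewer_id: int, target: Player,
                   servers: Dict[str, List[int]], players: Dict[int, Player]) -> bool:
    """Defender's check: does the viewer's filtered server list still contain the
    target's real avatar URL, i.e. could a thumbnail-matching lookup locate them?"""
    view = server_list_view(viewer_id, servers, players)
    return any(target.avatar_url in urls for urls in view.values())


# Constructed sample data: three players across two servers.
PLAYERS = {
    1: Player(1, JoinPrivacy.NO_ONE, "https://thumbnails.example.invalid/u1.png"),
    2: Player(2, JoinPrivacy.FRIENDS, "https://thumbnails.example.invalid/u2.png",
              frozenset({3})),
    3: Player(3, JoinPrivacy.EVERYONE, "https://thumbnails.example.invalid/u3.png"),
}
SERVERS = {"job-a": [1, 3], "job-b": [2]}

if __name__ == "__main__":
    for viewer in (3, 4):                  # 3 is a friend of 2; 4 is a stranger
        print(viewer, server_list_view(viewer, SERVERS, PLAYERS))
```

Two details matter for this to hold up: every hidden player must map to the very same generic URL (a per-user re-render would give each hidden player a unique image and reintroduce the leak), and the check has to be made per viewer at response time, since friendship is what decides whether the real thumbnail may be shown.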
Since the publication of this report publicly, people have suggested alternate methods; these are all fair options and should be evaluated, such as: if someone has the exact same avatar, they share the same avatar image URL, or if their privacy settings were set to none, a generic avatar is used (which follows the same idea as before).
The idea I suggested I do not expect to be the final solution; it was only a quick idea at the time of the original report. To ensure that the words used by Roblox and the HackerOne team could not be affected by any changes I made, the report is exactly as the original, only split where there was a line break.
I looked at the extension, and it seems a player creeping around another player must also know which game said player is playing in.
If said player plays a completely different game after being creeped on for a bit, then this method is rendered mostly useless, ‘mostly’ as in the creep could still search through the server lists of each popular game one-by-one, but that is pretty tedious to do, and there’s a chance the player is not playing any of those games.
This does not excuse the issue at hand; users should not be expected to simply hop games, and even that does not actually fix the issue. One could theoretically search every server of every game using this exploit until that user is found, or you could automatically search the top 100 games on Roblox and do it that way. In places like events, as @Wsly suggested before, it narrows the gap further.
This privacy setting should be respected, not require people to hop games because someone stalked them (a violation of the Community Rules).
Roblox’s avatar cache is shared between all users, and has been for years. That’s why if there’s a mistake in how one user generated their avatar, or they ended up wearing an item which eventually got updated, wearing the same outfit will give you the same on-site avatar image… As long as nobody is sly enough to repeat that avatar just to redraw and remove it.
So while it should be possible to do this with a generic avatar, you really need to make sure to dot the i’s and cross the t’s. I’d imagine Albert may have still been affected due to not going into Studio and copying the details which aren’t possible to notice from the avatar image, such as the fact that the two users I linked have legs which are the Medium blue BrickColor.
I believe I know why people keep using this in present day, and the extension hasn’t been removed.
As seen in KonekoKitten’s video, the extension was talked about with its original creator. The creator stated that it wasn’t originally made for how people are using it today (malicious or harmful).
In this case I do not believe that Roblox has a fighting chance in taking the extension itself down. The only case it has is the plugin is being used for malicious intent. But if the creator of the plugin hasn’t created it originally for malicious intent, then that case is more or less lost.
It doesn’t matter if they take the extension down or not; that doesn’t solve the problem, it just cuts down on how many people are abusing this privacy issue.
Hi, I found a way around this issue by dressing up as a “bacon hair” as Roblox caches images and this ends up rendering this “exploit” useless. I’d still love to dress normal, though.
Today I was stalked by multiple users throughout the day, as I was trying to server hop. When I rejoined a new server, they would follow me. Usually this isn’t a problem, as I can turn off my following and at the very worst, block them, but these users used rosearcher to completely bypass that and follow me into every server I went into. This was extremely annoying and really ruined my experience, as they would try and ruin my gameplay as much as they could.
As much as this would be useful for others, I feel like it would leave developers with a disadvantage. What if a user who is unable to update their privacy settings finds a major bug and you need to join them to further investigate?
My point is, while a feature like this is definitely helpful, in some situations it’ll make a developer’s life more difficult. Simple solution: give the developer the ability to search for players in their game while still respecting privacy settings for other users.
Is there still no update to the situation regarding this extension? This infringes upon the privacy settings of absolutely any user on the site, and while it may have some “innocent” uses, it has led to consistent harassment of developers, YouTubers and regular users alike, all of whom are being targeted by other members of their respective communities for personal gain or otherwise.
It’d be one thing if it was an official feature (like suggested above) or at least respected privacy settings, but it can’t and won’t do that due to its methodology. If my privacy settings say that no one should be able to directly join me, that should hold true throughout the platform.
Please, PLEASE patch this extension. Once again, user privacy settings should be respected.
At this time, people who have lots of following should make use of alternative accounts, not play games on their main if they’re worried about a following base. Why?
If Roblox is to patch this feature, they’re going to break my only way of telling, outside of Roblox, that a player is in a game. If Roblox were to provide an HTTP API where I can ask Roblox whether a certain userId is playing a gameId/jobId and get true or false back, then I’ll be fine with this getting patched.
I need a way to tell if a player is playing the exact game/jobid to ensure that nobody can send malicious actions on a users account when they’re not even playing a game or consenting to said action.
Why? Say you have a program on your computer that has its own webhook features that are interfaced to a client portal. You want to have Roblox play around with said webhook so you ask players to link ‘webhook features’ to ‘roblox account’ and then allow any developer on Roblox to ask your service to fire this ‘webhook feature’.
How do you know if a player really requested this action? I would have checked from a roblox.com API if a player name is in said game; Roblox patched that. I would have checked from the list of thumbnail links and compared it to see if they match; that’s this ‘bypass’. There’s practically no other way of checking from a roblox.com API or some API token to see if a player is playing the exact game the request is coming from.
If Roblox were to patch this and not offer a way of allowing legitimate checks of whether a player is in a game, I have no choice but to halt this project over fears that other malicious users/exploiters could send fraudulent/malicious requests to my webserver that my webserver can’t even verify as legitimate or not.