Issue A: Any user entry method
Related: Bypass of Roblox privacy settings using "servers my friends are in" sort
Via a publicly available browser extension or by other means, it is possible to join any Roblox player in a public server irrespective of privacy settings through only their UserID or username and the game they’re in.
This bug has existed for a long time without resolution.
Repro:
Using the API https://www.roblox.com/games/getgameinstancesjson?placeId=${placeId}&startIndex=${startIndex}
find and join the user from their avatar headshot. This can be done via readily available Chrome extensions, exploitation software, or a self-made tool.
As a result of successful exploitation of this issue, players can directly harass other players, and it may result in unintentional disclosure of confidential information in relation to Roblox Confidential Information or non-Roblox company Confidential Information.
Original HackerOne Report
Hello Mini Modders, DevForum staff and Roblox engineers,
The following report, despite any language used, does not constitute an exploit report.
As part of responsible disclosure, this report was originally sent to HackerOne and was considered “that it doesn’t pose any security risk” according to that report. This report is pending disclosure. The report below is exact to that HackerOne report; as the original report included two issues, I’ve decided to split it into two reports. This report is Issue A - Any user entry method.
Summary
Via a publicly available browser extension or by other means, it is possible to join any Roblox player in a public server irrespective of privacy settings through only their UserID or username and the game they’re in.
Recommended Fixes
Remove the ability to view people’s avatars in the server list, just a list of servers with their capacity.
Requirements
The exploit can be done on one or two devices, and each setup has different requirements.
If you are using two devices:
- For the attacker:
- A PC on which Roblox is installed and supported (Windows, macOS)
- Chromium-based browser
- The Chrome extension
- A Roblox account that is not moderated for that specific game or the Roblox platform as a whole
- For the target:
- Any device on which a player can play Roblox
- A Roblox account that is not moderated for that specific game or the Roblox platform as a whole
If you are using one device:
- For the attacker:
- A PC on which Roblox is installed and supported (Windows, macOS)
- Chromium-based browser
- The Chrome extension
- A Roblox account that is not moderated for that specific game or the Roblox platform as a whole
- For the target:
- The Windows 10 UWP application from the Windows Store
- A Roblox account that is not moderated for that specific game or the Roblox platform as a whole
Reproduction Steps
(These steps are specifically designed for reproduction on one computer, although the same steps can be taken on two devices.)
- Steps for target
- Install Windows UWP application, log in; generally meet the requirements.
- Open up the Windows 10 UWP app and log into the target’s Roblox account as normal.
- Go to the settings and set the “Who can join me?” to “No one”. (Setting cog at the top right, settings, privacy) See: https://i.imgur.com/WhRymZs.png
- Join any Roblox game, games with a larger player base can help prove the point further. Be aware that you cannot stay AFK for more than 20 minutes.
- Steps for attacker
- Install a chromium browser, Roblox, log in, install the extension; generally meet the requirements.
- Go to your target’s user profile and validate that you cannot join them normally (there is no “Join Game” button, and the profile does not tell you what game they’re in). See: https://i.imgur.com/bfZ2qzN.png
- Through using Issue B (if this applies) or using any form of OSINT, find the game the player is in.
- Enter the target’s Username or UserID and press their respective button, the program will then run the exploit. If successful, you’ll see something like this https://i.imgur.com/pDD7BXt.png
- Press “Join”, you will then begin to join the target’s server as normal. Once done, you’ll be in the same server, see https://i.imgur.com/Ydcwin5.png
How the exploit works
Working from end result to the start, I shall attempt to explain how this vulnerability results in the outcome you see.
[Start of main vulnerability issue]
The exploit grabs the JSON file Roblox uses to show the server list; that URL is https://www.roblox.com/games/getgameinstancesjson?placeId=${placeId}&startIndex=${startIndex}
in which ${placeId} is an integer giving the target’s current game ID (games use the URL format https://www.roblox.com/games/GameID/GameName) and ${startIndex} is an integer giving which page of the server list to show (there is a limit to the number of servers Roblox shows).
This program then searches through the JSON file, starting with a startIndex of 1 and going up; it checks the avatar of each user (this uses the format https://tr.rbxcdn.com/Hash/48/48/AvatarHeadshot/Png) and checks whether it is the same URL as the target’s avatar. If the target is found, the program shows just that server (See: https://i.imgur.com/pDD7BXt.png); otherwise it will show an error (See: https://i.imgur.com/BASrVEM.png).
[End of main vulnerability issue]
In order to grab the target’s avatar, the attacker uses the target’s UserID. By using the URL https://www.roblox.com/headshot-thumbnail/image?userId=${userId}&width=48&height=48&format=png
in which ${userId} is the target’s UserID, the attacker obtains a PNG file of the same size as the one in the server list.
If the user did not provide the target’s UserID but rather their username, the program will visit https://www.roblox.com/users/profile?username=${name}
where ${name} is the target’s username; this will redirect to the user’s profile (the standard profile URL format is https://www.roblox.com/users/UserID/profile), from which their UserID can be collected. There are legitimate uses for this outside of this exploit.
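From the defender's side, the avatar-matching step above leaves a distinctive trace: one client walking startIndex upward through the getgameinstancesjson server list of a single placeId far faster than a person browsing pages would. The following Python is an added example (not part of this report or of any Roblox tooling) that flags that pattern in web access logs; the log format and every value in it are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (placeholder values, not real Roblox traffic):
# client_ip  unix_time  request_path
SAMPLE_LOG = """\
203.0.113.5 1700000000 /headshot-thumbnail/image?userId=123456&width=48&height=48&format=png
203.0.113.5 1700000001 /games/getgameinstancesjson?placeId=1818&startIndex=0
203.0.113.5 1700000001 /games/getgameinstancesjson?placeId=1818&startIndex=10
203.0.113.5 1700000002 /games/getgameinstancesjson?placeId=1818&startIndex=20
203.0.113.5 1700000002 /games/getgameinstancesjson?placeId=1818&startIndex=30
203.0.113.5 1700000003 /games/getgameinstancesjson?placeId=1818&startIndex=40
203.0.113.5 1700000003 /games/getgameinstancesjson?placeId=1818&startIndex=50
198.51.100.7 1700000004 /games/getgameinstancesjson?placeId=1818&startIndex=0
198.51.100.7 1700000050 /games/getgameinstancesjson?placeId=1818&startIndex=10
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+)$")
SERVER_LIST_RE = re.compile(r"^/games/getgameinstancesjson\?placeId=(\d+)&startIndex=(\d+)$")

def parse_log(text):
    """Yield (ip, ts, place_id, start_index) for server-list requests; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, path = m.group(1), int(m.group(2)), m.group(3)
        q = SERVER_LIST_RE.match(path)
        if q:
            yield ip, ts, int(q.group(1)), int(q.group(2))

def find_scrapers(text, window=30, min_pages=5):
    """Return {(ip, place_id): pages} for clients that fetched at least min_pages distinct
    server-list pages of one place within `window` seconds. A person browsing pages the
    list slowly; an avatar-matching tool walks startIndex upward as fast as the API answers."""
    by_client = defaultdict(list)
    for ip, ts, place, idx in parse_log(text):
        by_client[(ip, place)].append((ts, idx))
    flagged = {}
    for key, reqs in by_client.items():
        reqs.sort()
        lo = 0
        for hi in range(len(reqs)):
            while reqs[hi][0] - reqs[lo][0] > window:  # slide the window start forward
                lo += 1
            pages = {idx for _, idx in reqs[lo:hi + 1]}
            if len(pages) >= min_pages:
                flagged[key] = max(flagged.get(key, 0), len(pages))
    return flagged
```

Tune `window` and `min_pages` to the real page size and to how quickly the site's own server-list UI paginates, so ordinary browsing stays below the threshold.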
Impact
As a result of successful exploitation of this issue, players can directly harass other players, and it may result in unintentional disclosure of confidential information in relation to Roblox Confidential Information or non-Roblox company Confidential Information.