Bypass of Roblox privacy settings using getgameinstancesjson API

Issue A: Any user entry method

Related: Bypass of Roblox privacy settings using "servers my friends are in" sort

Via a publicly available browser extension or by other means, it is possible to join any Roblox player in a public server irrespective of privacy settings through only their UserID or username and the game they’re in.

This bug has existed for a long time without resolution.

Repro:

Using the API https://www.roblox.com/games/getgameinstancesjson?placeId=${placeId}&startIndex=${startIndex} find and join the user from their avatar headshot. This can be done either via readily available Chrome extensions, exploitation software or can be done with a self made tool.

As a result of successful exploitation of this issue, players can directly harass other players and may result in unintentional disclosure of confidential information in relation to Roblox Confidential Information or non Roblox company Confidential Information.

This is dealt with by blocking the player who is harassing you; they can’t communicate with you that way.
However, this should be fixed. I would just say don’t let blocked users be in the same server, because searching users is still 100% better for moderation.

This issue bypasses blocking as well there is a limit of blocking 50 account. Not a fix.

Good to know. That makes the issue more severe then

With the Egg Hunt event earlier this year, it became quite annoying that players seemed to have the ability to track us through a browser extension despite having our privacy settings set to “No one” or “Friends”.

I would greatly appreciate this bypass being removed so that the privacy settings are respected.

I’ve been aware of the 50 blocked user limit for a long time now, but I never understood why. If a player wants to block more than that amount, why not allow them? Limiting it could be a safety issue for there user where allowing it seems to have little to no repercussions.

Discussion related to changing the number of blocked users should be directly to appropriate threads and not here. While an option does not represent a long term solution

I’ve also been advised that this exploit has existed in SynapseX for quite some time. Even if this Chrome extension used is fixed to allow Opt Out, it does not actually solve the issue at all given it’s use in Synapse or generally reuploaded.

Big issue - thanks for raising it. Blop could be implemented to hide info while still storing the image behind a “wall”.

Basically all it does is look up avatars but people like Albert have very common avatars so it is not easy to track them and I personally do not think that it tracks the avatar headshot in the server but instead it looks up your profile.

I agree this is an issue on the platform, specifically to those with a relatively large following.

You suggest removing the avatars completely off the server list, but I don’t personally feel this is the best approach to this issue. Instead, you could remove the avatar image based on privacy settings - so if the follow settings are friends only, you only show the real avatar to friends of the user.

Otherwise, if they’re not friends, return a default or randomized avatar to replace their real avatar.

This would allow Roblox to keep the website feature and fix the issue you’re describing here.

This is not the case, even users of the exact same outfit will have a different image URL. Albert is still affected by this issue.

Take user A: robloxrules56784 - Roblox and User B: robloxman4570 - Roblox. Despite both users being the exactly the same, User A has the profile URL of https://tr.rbxcdn.com/cda7a973dee38684d4f6f6aa017abc81/150/150/AvatarHeadshot/Png and User B has the profile URL of https://tr.rbxcdn.com/71aea8b373539bc4d45d70f1eb37395e/150/150/AvatarHeadshot/Png

Since the publication of this report publicly, people have suggested alternate methods; these are all fair options and should be evaluated. Such as if someone has the exact same avatar, they share the same avatar image URL or if their privacy settings was set to none that it is set to a generic avatar (which follow the same idea as before).

The idea I suggested I expect not to be the final solution, it was only a quick idea at the time of the original report and to ensure that the words used by Roblox and the HackerOne team could not be affected by any changes I made, the report is exact as the report with only it being split where there was a line break.

I looked at the extension, and it seems a player creeping around another player must also know which game said player is playing in.

If said player plays a completely different game after being creeped on for a bit, then this method is rendered mostly useless, ‘mostly’ as in the creep could still search through the server lists of each popular game one-by-one, but that is pretty tedious to do, and there’s a chance the player is not playing any of those games.

This is known from the report.

Only if the user did not broadcast their location via any medium and/or they are a friend of the victim. See Issue B: Bypass of Roblox privacy settings using "servers my friends are in" sort

This does not excuse the issue at hand, users should not be expected to simply hop games and even that does not actually fix the issue. One could theoretically search every server of every game using this exploit until that user is found; or as you could automatically search the top 100 games on Roblox and do it that way. In places like, events as @Wsly suggested before it narrows the gap further.

This privacy setting should be respected, not require people to hop games because someone stalked them (a violation of the Community Rules).

Not quite, there seems to be a subtle mistake in your choice of example users. User B has a slightly darker grey skin, and a green torso.

A better example would be these two users here. Both of their AvatarHeadshots lead to this image here.
Example User A and Example User B.

Roblox’s avatar cache is shared between all users, and has been for years. That’s why if there’s a mistake in how one user generated their avatar, or they ended up wearing an item which eventually got updated, wearing the same outfit will give you the same on-site avatar image… As long as nobody is sly enough to repeat that avatar just to redraw and remove it.

So while it should be possible to do this with a generic avatar, you really need to make sure to dot the i’s and cross the t’s. I’d imagine Albert may have still been affected due to not going into Studio and copying the details which aren’t possible to notice from the avatar image, such as the fact that the two users I linked have legs which are the Medium blue BrickColor.

Alright, thanks for the clarification on that. Apolgies for that error, makes sense.

I believe I know why people keep using this in present day, and the extension hasn’t been removed.

Seen in KonekoKitten’s video, the extension was talked about with its original creator. The creator stated that it wasn’t originally made for how people are using it today (malicious or harmful).

In this case I do not believe that Roblox has a fighting chance in taking the extension itself down. The only case it has is the plugin is being used for malicious intent. But if the creator of the plugin hasn’t created it originally for malicious intent, then that case is more or less lost.

It doesn’t matter if they take the extension down or not, that doesn’t solve the problem it just cuts down on how many people are abusing this privacy issue.

See previous reply and this reply

Hi, I found a way around this issue by dressing up as a “bacon hair” as Roblox caches images and this ends up rendering this “exploit” useless. I’d still love to dress normal, though.

This has been noted already as per an error I made, see this reply