Bypass of Roblox privacy settings using getgameinstancesjson API

Issue A: Any user entry method

Related: Bypass of Roblox privacy settings using "servers my friends are in" sort


Via a publicly available browser extension or by other means, it is possible to join any Roblox player in a public server irrespective of privacy settings through only their UserID or username and the game they’re in.

This bug has existed for a long time without resolution.

Repro:

Using the API https://www.roblox.com/games/getgameinstancesjson?placeId=${placeId}&startIndex=${startIndex} find and join the user from their avatar headshot. This can be done via readily available Chrome extensions, exploitation software, or a self-made tool.

As a result of successful exploitation of this issue, players can directly harass other players and may result in unintentional disclosure of confidential information in relation to Roblox Confidential Information or non Roblox company Confidential Information.


Original HackerOne Report

Hello Mini Modders, DevForum staff and Roblox engineers,

The following report, despite any language used, does not constitute an exploit report.
As part of responsible disclosure, this report was originally sent to HackerOne and was considered “that it doesn’t pose any security risk” according to that report. This report is pending disclosure.

The report below is exact to that HackerOne report, as well as the original report including two issues, I’ve decided to split this report into two reports. This report is Issue A - Any user entry method.


Summary

Via a publicly available browser extension or by other means, it is possible to join any Roblox player in a public server irrespective of privacy settings through only their UserID or username and the game they’re in.

Recommended Fixes

Remove the ability to view people’s avatars in the server list, just a list of servers with their capacity.

Requirements

The exploit can be done on one or two devices and thus offer different requirements.

If you are using two devices:

  • For the attacker:
    • A PC that Roblox is installed and supported on. (Windows, MacOS)
    • Chromium based browser
    • The Chrome extension
    • A Roblox account that is not moderated for that specific game or the Roblox platform as a whole
  • For the target:
    • Any device which a player can play Roblox
    • A Roblox account that is not moderated for that specific game or the Roblox platform as a whole

If you are using one device:

  • For the attacker:
    • A PC that Roblox is installed and supported on. (Windows, MacOS)
    • Chromium based browser
    • The Chrome extension
    • A Roblox account that is not moderated for that specific game or the Roblox platform as a whole
  • For the target:
    • The Windows 10 UWP application from the Windows Store
    • A Roblox account that is not moderated for that specific game or the Roblox platform as a whole

Reproduction Steps

(These steps are specifically designed for one computer to reproduce, although the same steps can be taken on two devices.)

  • Steps for target
  1. Install Windows UWP application, log in; generally meet the requirements.
  2. Open up the Windows 10 UWP and log into the target’s Roblox account as normal.
  3. Go to the settings and set the “Who can join me?” to “No one”. (Setting cog at the top right, settings, privacy) See: https://i.imgur.com/WhRymZs.png
  4. Join any Roblox game, games with a larger player base can help prove the point further. Be aware that you cannot stay AFK for more than 20 minutes.
  • Steps for attacker
  1. Install a chromium browser, Roblox, log in, install the extension; generally meet the requirements.
  2. Go to your target’s user profile and validate that you cannot join them normally (There is no “Join Game” button or tells you what game they’re in) See: https://i.imgur.com/bfZ2qzN.png
  3. Through using Issue B (if this applies) or using any form of OSINT, find the game the player is in.
  4. Enter the target’s Username or UserID and press their respective button, the program will then run the exploit. If successful, you’ll see something like this https://i.imgur.com/pDD7BXt.png
  5. Press “Join”, you will then begin to join the target’s server as normal. Once done, you’ll be in the same server, see https://i.imgur.com/Ydcwin5.png

How the exploit works

Working from end result to the start, I shall attempt to explain how this vulnerability results in the outcome you see.

[Start of main vulnerability issue]
The exploit grabs the JSON file Roblox uses to show the server list, that URL is https://www.roblox.com/games/getgameinstancesjson?placeId=${placeId}&startIndex=${startIndex} in which ${placeId} is an integer which shows the target’s current game ID (Games use the following URL: https://www.roblox.com/games/GameID/GameName) and where ${startIndex} is an integer which shows which page in the server list to show (There is a limit to the number of servers Roblox shows to).

This program then searches through the JSON file, starting with startIndex of 1 and going up; it checks the avatar of each user (This uses the format https://tr.rbxcdn.com/Hash/48/48/AvatarHeadshot/Png) and checks if this is the same URL as the target’s avatar. If the target is found, the program shows just that server (See: https://i.imgur.com/pDD7BXt.png); otherwise it will show an error (See: https://i.imgur.com/BASrVEM.png).
[End of main vulnerability issue]

In order to grab the target’s avatar, the attacker uses the target’s UserID. By using the URL, https://www.roblox.com/headshot-thumbnail/image?userId=${userId}&width=48&height=48&format=png in which ${userId} is the target’s UserID, the size of the png file is the same size as in the server list.

If the user did not provide the target’s UserID but rather their username, the program will visit https://www.roblox.com/users/profile?username=${name} where ${name} is the target’s username, this will redirect them to the user’s profile (User’s profile standard format is https://www.roblox.com/users/UserID/profile) in which their UserID can be collected. There are legitimate uses for this outside of this exploit.

Impact

As a result of successful exploitation of this issue, players can directly harass other players and may result in unintentional disclosure of confidential information in relation to Roblox Confidential Information or non Roblox company Confidential Information.

82 Likes

This is dealt with by blocking the player who is harassing you; they can’t communicate with you that way.
However, this should be fixed. I would just say don’t let blocked users be in the same server, because searching users is still 100% better for moderation.

3 Likes

This issue bypasses blocking as well, and there is a limit of blocking 50 accounts. Not a fix.

21 Likes

Good to know. That makes the issue more severe then :confused:

6 Likes

With the Egg Hunt event earlier this year, it became quite annoying that players seemed to have the ability to track us through a browser extension despite having our privacy settings set to “No one” or “Friends”.

I would greatly appreciate this bypass being removed so that the privacy settings are respected.

19 Likes

I’ve been aware of the 50 blocked user limit for a long time now, but I never understood why. If a player wants to block more than that amount, why not allow them? Limiting it could be a safety issue for the user where allowing it seems to have little to no repercussions.

9 Likes

Discussion related to changing the number of blocked users should be directed to appropriate threads and not here. While an option does not represent a long term solution


I’ve also been advised that this exploit has existed in SynapseX for quite some time. Even if this Chrome extension used is fixed to allow Opt Out, it does not actually solve the issue at all given its use in Synapse or generally reuploaded.

6 Likes

Big issue - thanks for raising it. Blop could be implemented to hide info while still storing the image behind a “wall”.

1 Like

Basically all it does is look up avatars but people like Albert have very common avatars so it is not easy to track them and I personally do not think that it tracks the avatar headshot in the server but instead it looks up your profile.

I agree this is an issue on the platform, specifically to those with a relatively large following.

You suggest removing the avatars completely off the server list, but I don’t personally feel this is the best approach to this issue. Instead, you could remove the avatar image based on privacy settings - so if the follow settings are friends only, you only show the real avatar to friends of the user.

Otherwise, if they’re not friends, return a default or randomized avatar to replace their real avatar.

This would allow Roblox to keep the website feature and fix the issue you’re describing here.

8 Likes

This is not the case, even users of the exact same outfit will have a different image URL. Albert is still affected by this issue.

Take user A: robloxrules56784 - Roblox and User B: robloxman4570 - Roblox. Despite both users being exactly the same, User A has the profile URL of https://tr.rbxcdn.com/cda7a973dee38684d4f6f6aa017abc81/150/150/AvatarHeadshot/Png and User B has the profile URL of https://tr.rbxcdn.com/71aea8b373539bc4d45d70f1eb37395e/150/150/AvatarHeadshot/Png


Since the publication of this report publicly, people have suggested alternate methods; these are all fair options and should be evaluated. Such as if someone has the exact same avatar, they share the same avatar image URL or if their privacy settings were set to none that it is set to a generic avatar (which follows the same idea as before).

The idea I suggested I expect not to be the final solution, it was only a quick idea at the time of the original report and to ensure that the words used by Roblox and the HackerOne team could not be affected by any changes I made, the report is exact as the report with only it being split where there was a line break.

2 Likes

I looked at the extension, and it seems a player creeping around another player must also know which game said player is playing in.

If said player plays a completely different game after being creeped on for a bit, then this method is rendered mostly useless, ‘mostly’ as in the creep could still search through the server lists of each popular game one-by-one, but that is pretty tedious to do, and there’s a chance the player is not playing any of those games.

This is known from the report.

Only if the user did not broadcast their location via any medium and/or they are a friend of the victim. See Issue B: Bypass of Roblox privacy settings using "servers my friends are in" sort

This does not excuse the issue at hand, users should not be expected to simply hop games and even that does not actually fix the issue. One could theoretically search every server of every game using this exploit until that user is found; or as you could automatically search the top 100 games on Roblox and do it that way. In places like events, as @Wsly suggested before, it narrows the gap further.

This privacy setting should be respected, not require people to hop games because someone stalked them (a violation of the Community Rules).

4 Likes

Not quite, there seems to be a subtle mistake in your choice of example users. User B has a slightly darker grey skin, and a green torso.

A better example would be these two users here. Both of their AvatarHeadshots lead to this image here.
Example User A and Example User B.

Roblox’s avatar cache is shared between all users, and has been for years. That’s why if there’s a mistake in how one user generated their avatar, or they ended up wearing an item which eventually got updated, wearing the same outfit will give you the same on-site avatar image… As long as nobody is sly enough to repeat that avatar just to redraw and remove it.

So while it should be possible to do this with a generic avatar, you really need to make sure to dot the i’s and cross the t’s. I’d imagine Albert may have still been affected due to not going into Studio and copying the details which aren’t possible to notice from the avatar image, such as the fact that the two users I linked have legs which are the Medium blue BrickColor.

4 Likes
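Added example, not part of the thread and not Roblox's code: a server-side sketch of the mitigation proposed in the replies above, where a server-list entry carries a player's real headshot only for viewers allowed by that player's "Who can join me?" setting and one shared placeholder otherwise, plus a regression check that accounts for the shared avatar cache just described. The field names, setting values, sample URLs and placeholder URL are assumptions.

```python
from dataclasses import dataclass

# Constructed placeholder: one shared URL so hidden players are indistinguishable.
PLACEHOLDER = "https://thumbs.example.invalid/placeholder/48/48/AvatarHeadshot/Png"

@dataclass(frozen=True)
class Player:
    user_id: int
    headshot_url: str
    who_can_join: str = "everyone"   # assumed values: everyone | friends | no_one
    friends: frozenset = frozenset()

def may_see(viewer_id, player):
    """Fail closed: any unknown setting is treated like "no_one"."""
    if viewer_id == player.user_id or player.who_can_join == "everyone":
        return True
    return player.who_can_join == "friends" and viewer_id in player.friends

def render_server(viewer_id, server_id, capacity, players):
    """Build one server-list entry for a specific viewer."""
    shown = sorted(p.headshot_url for p in players if may_see(viewer_id, p))
    hidden = len(players) - len(shown)
    # Placeholders go last so slot order does not reveal who is hidden;
    # the player count stays accurate so capacity is still usable.
    return {"server_id": server_id, "capacity": capacity,
            "playing": len(players),
            "headshots": shown + [PLACEHOLDER] * hidden}

def leaked_headshots(viewer_id, entry, players):
    """Regression check: URLs of hidden players present in a response.
    A URL also used by a visible player (same outfit, shared cache) is not a leak."""
    visible = {p.headshot_url for p in players if may_see(viewer_id, p)}
    hidden = {p.headshot_url for p in players if not may_see(viewer_id, p)}
    return sorted((hidden - visible) & set(entry["headshots"]))

# Constructed sample data.
SAMPLE = [
    Player(1, "https://thumbs.example.invalid/aaa/48/48/AvatarHeadshot/Png"),
    Player(2, "https://thumbs.example.invalid/bbb/48/48/AvatarHeadshot/Png", "no_one"),
    Player(3, "https://thumbs.example.invalid/ccc/48/48/AvatarHeadshot/Png",
           "friends", frozenset({10})),
]

if __name__ == "__main__":
    for viewer in (10, 99, 2):
        print(viewer, render_server(viewer, "srv-1", 12, SAMPLE)["headshots"])
```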

Alright, thanks for the clarification on that. Apologies for that error, makes sense.

6 Likes

I believe I know why people keep using this in present day, and the extension hasn’t been removed.

Seen in KonekoKitten’s video, the extension was talked about with its original creator. The creator stated that it wasn’t originally made for how people are using it today (malicious or harmful).

In this case I do not believe that Roblox has a fighting chance in taking the extension itself down. The only case it has is the plugin is being used for malicious intent. But if the creator of the plugin hasn’t created it originally for malicious intent, then that case is more or less lost.

It doesn’t matter if they take the extension down or not, that doesn’t solve the problem it just cuts down on how many people are abusing this privacy issue.

See previous reply and this reply

1 Like

Hi, I found a way around this issue by dressing up as a “bacon hair” as Roblox caches images and this ends up rendering this “exploit” useless. I’d still love to dress normal, though.

This has been noted already as per an error I made, see this reply

3 Likes