Bypass of Roblox privacy settings using getgameinstancesjson API

Big issue - thanks for raising it. Blop could be implemented to hide info while still storing the image behind a “wall”.

1 Like

Basically all it does is look up avatars, but people like Albert have very common avatars so it is not easy to track them, and I personally do not think that it tracks the avatar headshot in the server but instead it looks up your profile.

I agree this is an issue on the platform, specifically to those with a relatively large following.

You suggest removing the avatars completely off the server list, but I don’t personally feel this is the best approach to this issue. Instead, you could remove the avatar image based on privacy settings - so if the follow settings are friends only, you only show the real avatar to friends of the user.

Otherwise, if they’re not friends, return a default or randomized avatar to replace their real avatar.

This would allow Roblox to keep the website feature and fix the issue you’re describing here.

8 Likes
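The mitigation proposed in the reply above, sketched as an added example (not part of the thread and not Roblox's code): the server list is built per viewer, and any player whose privacy setting does not admit that viewer gets one constant generic headshot. The setting names, the placeholder URL and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical placeholder URL (constructed; not a real Roblox asset).
GENERIC_HEADSHOT = "https://cdn.example.invalid/headshot/generic.png"

@dataclass(frozen=True)
class Player:
    user_id: int
    headshot_url: str   # the real, per-avatar thumbnail URL
    join_privacy: str   # assumed values: "everyone", "friends", "no_one"

def may_see_headshot(viewer_id, player, friendships):
    """Decide whether this viewer may see the player's real headshot."""
    if player.join_privacy == "everyone":
        return True
    if viewer_id is None:                 # anonymous request
        return False
    if viewer_id == player.user_id:       # users always see themselves
        return True
    if player.join_privacy == "friends":
        return frozenset((viewer_id, player.user_id)) in friendships
    return False                          # "no_one" or unknown value: fail closed

def server_list_entry(viewer_id, players, friendships):
    """Return the headshot URLs one viewer receives for one server."""
    return [
        p.headshot_url if may_see_headshot(viewer_id, p, friendships)
        else GENERIC_HEADSHOT             # one constant image, never per-user
        for p in players
    ]

# Constructed sample data for illustration.
PLAYERS = [
    Player(1, "https://cdn.example.invalid/headshot/aaa.png", "everyone"),
    Player(2, "https://cdn.example.invalid/headshot/bbb.png", "friends"),
    Player(3, "https://cdn.example.invalid/headshot/ccc.png", "no_one"),
]
FRIENDSHIPS = {frozenset((2, 10))}        # user 10 is friends with user 2

if __name__ == "__main__":
    for viewer in (None, 10, 99, 3):
        print(viewer, server_list_entry(viewer, PLAYERS, FRIENDSHIPS))
```

The placeholder has to be the same image for every hidden player; a substitute that is stable per user would be just as matchable as the real headshot.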

This is not the case, even users of the exact same outfit will have a different image URL. Albert is still affected by this issue.

Take User A: robloxrules56784 - Roblox and User B: robloxman4570 - Roblox. Despite both users being exactly the same, User A has the profile URL of https://tr.rbxcdn.com/cda7a973dee38684d4f6f6aa017abc81/150/150/AvatarHeadshot/Png and User B has the profile URL of https://tr.rbxcdn.com/71aea8b373539bc4d45d70f1eb37395e/150/150/AvatarHeadshot/Png


Since the publication of this report publicly, people have suggested alternate methods; these are all fair options and should be evaluated. Such as if someone has the exact same avatar, they share the same avatar image URL, or if their privacy settings were set to none, that it is set to a generic avatar (which follows the same idea as before).

The idea I suggested I expect not to be the final solution, it was only a quick idea at the time of the original report and to ensure that the words used by Roblox and the HackerOne team could not be affected by any changes I made, the report is exact as the report with only it being split where there was a line break.

2 Likes

I looked at the extension, and it seems a player creeping around another player must also know which game said player is playing in.

If said player plays a completely different game after being creeped on for a bit, then this method is rendered mostly useless, ‘mostly’ as in the creep could still search through the server lists of each popular game one-by-one, but that is pretty tedious to do, and there’s a chance the player is not playing any of those games.

This is known from the report.

Only if the user did not broadcast their location via any medium and/or they are a friend of the victim. See Issue B: Bypass of Roblox privacy settings using "servers my friends are in" sort

This does not excuse the issue at hand; users should not be expected to simply hop games, and even that does not actually fix the issue. One could theoretically search every server of every game using this exploit until that user is found; or you could automatically search the top 100 games on Roblox and do it that way. In places like events, as @Wsly suggested before, it narrows the gap further.

This privacy setting should be respected, not require people to hop games because someone stalked them (a violation of the Community Rules).

4 Likes

Not quite, there seems to be a subtle mistake in your choice of example users. User B has a slightly darker grey skin, and a green torso.

A better example would be these two users here. Both of their AvatarHeadshots lead to this image here.
Example User A and Example User B.

Roblox’s avatar cache is shared between all users, and has been for years. That’s why if there’s a mistake in how one user generated their avatar, or they ended up wearing an item which eventually got updated, wearing the same outfit will give you the same on-site avatar image… As long as nobody is sly enough to repeat that avatar just to redraw and remove it.

So while it should be possible to do this with a generic avatar, you really need to make sure to dot the i’s and cross the t’s. I’d imagine Albert may have still been affected due to not going into Studio and copying the details which aren’t possible to notice from the avatar image, such as the fact that the two users I linked have legs which are the Medium blue BrickColor.

4 Likes

Alright, thanks for the clarification on that. Apologies for that error, makes sense.

6 Likes

I believe I know why people keep using this in present day, and the extension hasn’t been removed.

Seen in KonekoKitten’s video, the extension was talked about with its original creator. The creator stated that it wasn’t originally made for how people are using it today (malicious or harmful).

In this case I do not believe that Roblox has a fighting chance in taking the extension itself down. The only case it has is the plugin is being used for malicious intent. But if the creator of the plugin hasn’t created it originally for malicious intent, then that case is more or less lost.

It doesn’t matter if they take the extension down or not, that doesn’t solve the problem it just cuts down on how many people are abusing this privacy issue.

See previous reply and this reply

1 Like

Hi, I found a way around this issue by dressing up as a “bacon hair” as Roblox caches images and this ends up rendering this “exploit” useless. I’d still love to dress normal, though.

This has been noted already as per an error I made, see this reply

3 Likes

Today I was stalked by multiple users throughout the day, as I was trying to server hop. When I rejoined a new server, they would follow me. Usually this isn’t a problem, as I can turn off my following and at the very worst, block them, but these users used rosearcher to completely bypass that and follow me into every server I went into. This was extremely annoying and really ruined my experience, as they would try and ruin my gameplay as much as they could.

11 Likes

As much as this would be useful for others, I feel like it would leave developers with a disadvantage. What if a user who is unable to update their privacy settings finds a major bug and you need to join them to further investigate?

My point is, while a feature like this is definitely helpful, in some situations it’ll make a developer’s life more difficult. Simple solution: give the developer the ability to search for players in their game while still respecting privacy settings for other users.

7 Likes

Is there still no update to the situation regarding this extension? This infringes upon the privacy settings of absolutely any user on the site, and while it may have some “innocent” uses, it has led to consistent harassment of developers, YouTubers and regular users alike, all of whom are being targeted by other members of their respective communities for personal gain or otherwise.

It’d be one thing if it was an official feature (like suggested above) or at least respected privacy settings, but it can’t and won’t do that due to its methodology. If my privacy settings say that no one should be able to directly join me, that should hold true throughout the platform.

Please, PLEASE patch this extension. Once again, user privacy settings should be respected.

3 Likes

At this time, people who have lots of following should make use of alternative accounts, not play games on their main if they’re worried about a following base. Why?

If Roblox is to patch this feature, they’re going to break my only way of telling outside of roblox, that a player is in a game. If Roblox was to provide an http api where I can ask Roblox if a certain userid is playing gameid/jobid to respond with true or false, then I’ll be fine with this getting patched.

I need a way to tell if a player is playing the exact game/jobid to ensure that nobody can send malicious actions on a user’s account when they’re not even playing a game or consenting to said action.

Why? Say you have a program on your computer that has its own webhook features that are interfaced to a client portal. You want to have Roblox play around with said webhook so you ask players to link ‘webhook features’ to ‘roblox account’ and then allow any developer on Roblox to ask your service to fire this ‘webhook feature’.

How do you know if a player really requested this action? I would have checked from a roblox.com api if a playername is in said game, Roblox patched that. I would have checked from the list of thumbnail links and compared it to see if they match, that’s this ‘bypass’. There’s practically no other way of checking from a roblox.com api or some api token to see if a player is playing the exact game the request is coming from.

If Roblox was to patch this and not offer a way of letting legitimate use of trying to check if a player is in a game, I have no choice but to halt this project over fears that other malicious users/exploiters could send in fraudulent/malicious requests to my webserver that my webserver can’t even verify if it’s legitimate or not.

1 Like

Why does your use case trump people’s rights to not have their rights to privacy as per their settings exploited?


As expressed before

There are likely better ideas and would be better used.

Using an alt to stop users violating the Roblox Terms of Use (stalking/harassment is against the Community Rules) is not a solution to last forever, it does not solve anything except make it more annoying for the harassed user.

If I set my privacy settings in a way where I should not be trackable into a server, I expect that to be an option. See Bypass of Roblox privacy settings using "servers my friends are in" sort for the other way that this feature set is being abused.

You’ve been using a bug as a feature, you should be suggesting in #platform-feedback:website-features to get an official method rather than using an exploit to gain this info.

4 Likes

I have no options but to otherwise use a bug as a feature because that is the only way for me to know if a player is actually playing said gameid/jobid.

I already have low faith in asking for features since they’ve pulled Private Modules over a year ago now with no alternative.

For people dealing with confidential information, we need this issue to be fixed to seriously minimise the risk of unintentional disclosure. I’d consider the risk of not being sued more highly than your use of an exploit.

Unless you can provide a seriously good use case which trumps the rights of others, I consider your case an abnormal edge case and should result in an official feature request.
If you don’t believe in platform feedback, that’s your decision but I don’t believe that excuses this.

1 Like