Bypass of Roblox privacy settings using getgameinstancesjson API

This has been noted already as per an error I made, see this reply

3 Likes

Today I was stalked by multiple users throughout the day, as I was trying to server hop. When I rejoined a new server, they would follow me. Usually this isn’t a problem, as I can turn off my following and at the very worst, block them, but these users used rosearcher to completely bypass that and follow me into every server I went into. This was extremely annoying and really ruined my experience, as they would try and ruin my gameplay as much as they could.

11 Likes

As much as this would be useful for others, I feel like it would leave developers with a disadvantage. What if a user who is unable to update their privacy settings finds a major bug and you need to join them to further investigate?

My point is, while a feature like this is definitely helpful, in some situations it’ll make a developers life more difficult. Simple solution: give the developer the ability to search for players in their game while still respecting privacy settings for other users.

7 Likes

Is there still no update to the situation regarding this extension? This infringes upon the privacy settings of absolutely any user on the site, and while it may have some “innocent” uses, it has lead to consistent harassment to developers, youtubers and regular users alike, all of which are being targeted by other members of their respective communities for personal gain or otherwise.

It’d be one thing if it was an official feature (like suggested above) or at least respected privacy settings, but it can’t and won’t do that due to its methodology. If my privacy settings say that no one should be able to directly join me, that should hold true throughout the platform.

Please, PLEASE patch this extension. Once again, user privacy settings should be respected.

3 Likes

At this time, people who have lots of following should make use of alternative accounts, not play games on their main if they’re worried about a following base. Why?

If Roblox is to patch this feature, they’re going to break my only way of telling outside of roblox, that a player is in a game. If Roblox was to provide an http api where I can ask Roblox if a certain userid is playing gameid/jobid to respond with true or false, then I’ll be fine with this getting patched.

I need a way to tell if a player is playing the exact game/jobid to ensure that nobody can send malicious actions on a users account when they’re not even playing a game or consenting to said action.

Why? Say you have a program on your computer that has its own webhook features that are interfaced to a client portal. You want to have Roblox play around with said webhook so you ask players to link ‘webhook features’ to ‘roblox account’ and then allow any developer on Roblox to ask your service to fire this ‘webhook feature’.

How do you know if a player really requested this action? I would of checked from a roblox.com api if a playername is in said game, Roblox patched that. I would of checked from the list of thumbnail links and compare it to see if they match, that’s this ‘bypass’. There’s practically no other way of checking from a roblox.com api or some api token to see if a player is playing the exact game the request is coming from.

If Roblox was to patch this and not offer a way of letting legitimate use of trying to check if a player is in a game, I have no choice but to hault this project over fears that other malicious users/exploiters could send in fraudulent/malicious requests to my webserver that my webserver can’t even verify if its legitimate or not.

1 Like

Why does your use case trump people’s rights to not have their rights to privacy as per their settings exploited?


As expressed before

There is likely better ideas and would be better used.

Using an alt to stop users violating the Roblox Terms of Use (stalking/harassment is against the Community Rules) is not a solution to last forever, it does not solve anything except make it more annoying for the harrased user.

If I set my privacy settings in a way where I should not be trackable into a server, I expect that to be an option. See Bypass of Roblox privacy settings using "servers my friends are in" sort for the other way that this feature set is being abused.

You’ve been using a bug as a feature, you should be suggesting in #platform-feedback:website-features to get an official method rather than using an exploit to gain this info.

4 Likes

I have no options but to otherwise use a bug as a feature because that is the only way for me to know if a player is actually playing said gameid/jobid.

I already have low faith in asking for features since they’ve pulled Private Modules over a year ago now with no alternative.

For people dealing with confidential information, we need this issue to be fixed to seriously minimise the risk of unintentional disclosure. I’d consider the risk of not being sued more highly than your use of an exploit.

Unless you can provide a seriously good use case which trumps the rights of others, I consider your case an abnormal edge case and should result in an official feature request.
If you don’t believe in platform feedback, that’s your decision but I don’t believe that excuses this.

1 Like

I’m sure talking about confidential information inside a Roblox game sounds absurd.

I’m also sure people that do need to talk about confidential information in a Roblox game probably would make a group, invite the people that they want, make it a group game, restrict the game to group members only, and play that way instead?

What kind of confidential information while playing a Roblox game would be worthy that Roblox could potentially get ‘sued’ for?

You’re missing the point. This is not limited to the chat. This is for any content which is deemed confidential.

What about all the Roblox QA NDA testers who need to test Roblox events/Developer games before release?
Games developers testing their games before release? New updates? Trade secrets?


You seem to be playing the game of semantics, “Confidential Information” is an industry term.

2 Likes

Isn’t that already well hidden behind groups that are restricted behind group locked games with unnamed titles? If Roblox needed to test something, they probably already made a system in place which it seems group locked games are the way they do that QA NDA testing.

I’m fine with this ‘feature as a bug’ being patched AS LONG AS they release a feature to help me ensure a player is in a game. Be it an api token that a game developer could provide to me to be able to access the players list from Roblox or anything really.

2 Likes

Okay but using either Issue A (this one) or Issue B (linked earlier); you can find the game. It is simply one example of how a NDA can be on Roblox and how that can be confidential information.

Then make a feature request.


Please DM me further or come up with a use case that trumps the rights of others to privacy.

4 Likes

I’ll just end my response here by just saying that yes, you could find the game link, but you can’t play it because you’re not a member of the Roblox QA group… Group members only games exist?

2 Likes

Yeah, the RoSearcher allows you to search someone’s user id in a server list and then you can join em. I am not sure if it can track what game they are playing in which may be the hardest part. It is really annoying on occasions when people you unfriended continuously use the RoSearcher plugin so they can ask you “Please add me back”. This hadn’t happened to me yet. KonekoKitten posted on his twitter that a bunch of fans had followed him into arsenal using RoSearcher.

2 Likes

Based on feedback from a range of sources, please see the updated bug report. Simplified down and hopefully easier to read. The original report still be seen.

4 Likes

There is truly nothing Roblox can actually do about this issue, take for example the popular Roblox Google extension that allows you to find people in servers. It just searchs for the same username/avatar in the servers using a bot. It doesn’t actually open up your profile and allows you to join it.

td;lr : Roblox can’t do anything about it except remove the servers button on ROBLOX games

2 Likes

This is not true – you can’t see usernames and ids on server lists, only the user thumbnails. So they could hash up the thumbnail ID being returned so it’s not equal to your regular headshot thumbnail ID but still links to the same file, or they could make the icon anonymous if you choose to be via a new user setting. Roblox can totally make this more private.

6 Likes

True, they can add anonymous avatars in the privacy settings and whenever you change it, it just changes your avatar to a question mark.

A bypass would be letting bots join servers with anonymous avatars then scanning for your targetted player.

1 Like

Yes but this is way more compute-intensive than the current strategy they are using which just scans the public API. It’s all about making things harder so it is time or resource unfavorable to find what they’re looking for.

2 Likes

There actually is an API that allows you to see the user ids of every server open. I don’t think its officially documented, but you can see the id’s of every player, and a unique id for each server.

Because I’m cool, I won’t post the API link.

1 Like