It looks like the RoSearcher extension was taken down, but can this bug/API still be abused?
I think the best way to fix this is to hide the presence of a user if they can't be followed, maybe return a default avatar for the image?
Yes. Incredibly annoying, confusing and frustrating when I want to relax gaming after developing a highly anticipated game with my joins clearly set to No One.
I would say that yes, that would be the best option in my opinion. It’s just down to the Roblox engineers to make a decision.
Is this issue going to be solved any time soon?
I am one of the few unfortunate users who are followed by Roblox on Twitter, and this has been a huge issue for me as people think that I am an employee at Roblox and can retrieve their accounts or am able to give them Robux, etc. My join games setting is set to “Friends”, and people have been abusing that endpoint and stalking me into games to beg. This has gotten to the point where I need to play games or test anything I work on in VIP servers to have some sort of peace.
No one should be forced into spending money for some unwinding, lose out on exposure from Roblox’s social media accounts or make entirely new accounts unrelated to your main account to avoid people disrespecting you when you’re trying to explain to them that you’re just a regular person just like they are. I really hope that this will be resolved soon.
@NeloBlivion looking up RoSearcher gets you the GitHub page of the creator and people are using the publicly available programming to reupload it as their own plugins.
This issue has not yet been resolved. The damage is much more intense now.
Since the publication of this report, some of the largest content creators in the world are on Roblox playing experiences, including live. These large content creators are livestreaming their time to a massive audience but it’s being cut early due to this bug report. There are users using this bug to find users in experience and then exploit the experience itself.
It doesn’t help when large content creators like KreekCraft are calling on Roblox to resolve this. There is intense focus on this problem, which personally has been delayed for far too long.
Issue still not resolved despite many complaints on HackerOne and direct complaints to Roblox. In retrospect this shouldn’t have prolonged more than a few months, but it’s somehow gone on for two years at this rate. Harassment is off the charts with this privacy breach on our experience’s community and other communities; it’s impossible for some of us to play most games publicly without going onto a VIP server, as some harassers are scanning front-page games just to locate and target us. And yes, some are using literal exploits to even lag/crash our in-game servers or other attack vectors.
It’s relatively a simple fix and we’re still stuck here, it really shows the current state of things.
To hop back in for this issue that still exists to this day: instead of removing the list of avatars, could it instead be an option in the user’s profile settings, ‘mask my avatar in server lists’, to simply return a random Roblox head-bust image? This would probably break this issue outright and still keep the natural look of Roblox’s server list, while popular users/creators can mask themselves from being followed, so that the only way to join their game is to keep clicking ‘Play’ and hope you’ll end up on the same server.
This would probably explain how every game I went to during the 2020 Egg Hunt instantly got over 300 players…
That was very very annoying… surprised that this issue is still present seeing how long the post has been up.
Sorry for the bump, but I just wanted to say that SearchBlox has now been banned and removed from the Chrome Web Store.
Although this still isn’t patched, it’s still good to see that both of the most popular extensions used to bypass the privacy settings are gone.
Never mind. Turns out the creator of SearchBlox appealed to Google and now SearchBlox is back on the Chrome Web Store AND it’s open source now ._.
It’s worth saying that even if all these extensions are removed from the planet, it doesn’t help that some of the largest exploitation software packages have features that have abused this bug for years.
It’s absolute insanity to me that this hasn’t been resolved or had any further communication. When even the largest content creators on the platform complain about this single bug, Roblox has refused to fix this.
Roblox has lost potential influencers, lost growth, lost money, and allowed serial harassment because they ignored this bug. What more will it take before someone at Roblox just takes action?
Adding on top of that, the main source code has and still is open sourced and anyone can grab it and make their own plugin. The issue will still remain at large unless Roblox addresses it.
Also, I just wanna point out that there is even a website someone made to bypass the Roblox privacy settings, so if you think about it, everyone could easily bypass the Roblox privacy settings.
In a recent announcement, the API this bug relies on has been formally deprecated. While this feature remains in production now, it’s healthy to see this problem finally being resolved.
The replacement for this API no longer uses avatar URLs in their request.
Replacement API
Depending on what your permissions are to the players, you get either

{
    "previousPageCursor": null,
    "nextPageCursor": null,
    "data": [
        {
            "id": "670ab1ab-c36f-42f3-a5c6-e5ecfa7e63cc",
            "maxPlayers": 50,
            "playing": 1,
            "playerTokens": [ "E5799AE12661A06754B9A597D9B491D0" ],
            "players": [],
            "fps": 59.992252,
            "ping": 16
        }
    ]
}

or

{
    "previousPageCursor": null,
    "nextPageCursor": null,
    "data": [
        {
            "id": "670ab1ab-c36f-42f3-a5c6-e5ecfa7e63cc",
            "maxPlayers": 50,
            "playing": 1,
            "playerTokens": [ "E5799AE12661A06754B9A597D9B491D0" ],
            "players": [
                {
                    "playerToken": "E5799AE12661A06754B9A597D9B491D0",
                    "id": 8403307,
                    "name": "railworks2",
                    "displayName": "railworks2"
                }
            ],
            "fps": 59.99297,
            "ping": 9
        }
    ]
}
That suggests that this problem looks to be resolved soon. Although, maybe due to the freshness of this change, it remains possible to do this attack on a loaded page with JS running (or the current vector), as the actual image URLs haven’t changed.
We’ll see how further developments go and what “playerToken” means for this attack vector.
You can still use the Thumbnails API to redeem these player tokens into thumbnails, which the website needs to do.
Well yes. The thumbnail API is an interesting point with how it deals with those playerTokens. It’s why my reply is not marked as a solution yet.
I’m aware of internal effort being done to improve this problem but this is just the first step it seems.
You cannot redeem PlayerTokens into Thumbnails. If this were the case, plugins like RoPro or BTR Roblox would still have their server finders available, which they currently do not.
I say this because it has completely broken my plugin, which was used to find servers of a certain size, not snipe players who don’t want people to join them. Of course, the other API method would theoretically work, but it’s way too slow on big servers as it requires a linear search.
Well, you can. Using the Thumbnails API and the following data:

[
    {
        "requestId": "undefined:undefined:AvatarHeadshot:48x48:null:regular",
        "type": "AvatarHeadShot",
        "token": "E5799AE12661A06754B9A597D9B491D0",
        "format": null,
        "size": "48x48"
    }
]
you get this data:
{
    "data": [
        {
            "requestId": "undefined:undefined:AvatarHeadshot:48x48:null:regular",
            "errorCode": 0,
            "errorMessage": "",
            "targetId": 0,
            "state": "Completed",
            "imageUrl": "https://tr.rbxcdn.com/60593b07772526b08a1c283de5ebad2e/48/48/AvatarHeadshot/Png"
        }
    ]
}
This is a known issue and is being resolved.
They could prevent redemption of certain players’ tokens, such as star creators.
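The following is an added example (not Roblox’s code, and not from anyone in this thread) that models the mitigation side of what the thread discusses: the two response shapes of the replacement server-list API above (identity only when the viewer is allowed to join), the ‘mask my avatar in server lists’ option proposed earlier in the thread (a placeholder token that cannot be correlated across responses and only resolves to a default headshot), and the last suggestion of refusing to redeem the real thumbnail token of a protected user. The privacy-settings schema, friend list, user ids other than the one shown in the thread, token values other than the one shown, and the CDN URLs are all constructed for the example.

```python
import secrets

# Constructed per-user privacy settings (hypothetical schema, not Roblox's).
# "joins" mirrors the "who can join me in experiences" setting.
USER_PRIVACY = {
    8403307: {"joins": "friends", "mask_avatar": True},    # id from the thread; mask opted in
    5550001: {"joins": "everyone", "mask_avatar": False},  # constructed
    5550002: {"joins": "noone", "mask_avatar": False},     # constructed
}
FRIENDS = {frozenset({8403307, 1234})}  # constructed: viewer 1234 is a friend of 8403307

# Backend mapping from thumbnail token to its owner (values constructed except the first).
TOKEN_OWNER = {
    "E5799AE12661A06754B9A597D9B491D0": 8403307,
    "1111111111111111AAAAAAAAAAAAAAAA": 5550001,
    "2222222222222222BBBBBBBBBBBBBBBB": 5550002,
}
DEFAULT_HEADSHOT = "https://cdn.example/default-headshot.png"  # placeholder URL
MASKED_TOKENS = set()  # one-time tokens that resolve only to the default headshot

# Constructed raw server record as the backend would hold it before filtering.
RAW_SERVER = {
    "id": "670ab1ab-c36f-42f3-a5c6-e5ecfa7e63cc",
    "maxPlayers": 50,
    "fps": 59.99,
    "ping": 9,
    "players": [
        {"id": 8403307, "name": "railworks2", "displayName": "railworks2",
         "playerToken": "E5799AE12661A06754B9A597D9B491D0"},
        {"id": 5550001, "name": "alpha", "displayName": "alpha",
         "playerToken": "1111111111111111AAAAAAAAAAAAAAAA"},
        {"id": 5550002, "name": "bravo", "displayName": "bravo",
         "playerToken": "2222222222222222BBBBBBBBBBBBBBBB"},
    ],
}


def viewer_may_join(viewer_id, target_id):
    """Apply the target's join setting to this viewer; unknown users default to 'noone'."""
    setting = USER_PRIVACY.get(target_id, {}).get("joins", "noone")
    if setting == "everyone":
        return True
    if setting == "friends":
        return frozenset({viewer_id, target_id}) in FRIENDS
    return False


def mint_masked_token():
    """Fresh random token per response, so two listings cannot be linked to the same user."""
    tok = secrets.token_hex(16).upper()
    MASKED_TOKENS.add(tok)
    return tok


def filter_server(raw_server, viewer_id):
    """Produce the public server-list entry for this viewer.

    Identity ("players") is included only for players the viewer may join;
    users who mask their avatar get a placeholder token in "playerTokens".
    """
    tokens, players = [], []
    for p in raw_server["players"]:
        uid = p["id"]
        masked = USER_PRIVACY.get(uid, {}).get("mask_avatar", False)
        token = mint_masked_token() if masked else p["playerToken"]
        tokens.append(token)
        if viewer_may_join(viewer_id, uid):
            players.append({"playerToken": token, "id": uid,
                            "name": p["name"], "displayName": p["displayName"]})
    return {
        "id": raw_server["id"],
        "maxPlayers": raw_server["maxPlayers"],
        "playing": len(raw_server["players"]),
        "playerTokens": tokens,
        "players": players,
        "fps": raw_server["fps"],
        "ping": raw_server["ping"],
    }


def redeem_token(token):
    """Thumbnail lookup that refuses the real token of a user who masks their avatar."""
    if token in MASKED_TOKENS:
        return {"errorCode": 0, "errorMessage": "", "imageUrl": DEFAULT_HEADSHOT}
    uid = TOKEN_OWNER.get(token)
    if uid is None:
        return {"errorCode": 1, "errorMessage": "unknown token", "imageUrl": None}
    if USER_PRIVACY.get(uid, {}).get("mask_avatar", False):
        return {"errorCode": 2, "errorMessage": "thumbnail not available", "imageUrl": None}
    return {"errorCode": 0, "errorMessage": "",
            "imageUrl": f"https://cdn.example/headshot/{uid}.png"}  # placeholder URL


if __name__ == "__main__":
    entry = filter_server(RAW_SERVER, viewer_id=1234)
    print(entry)
    print(redeem_token(entry["playerTokens"][0]))
```

The point of minting a new placeholder per response, rather than a fixed "masked" constant, is that a constant would still let a client tell masked users apart from each other by position, whereas a random one-time token carries no information beyond "someone is here", which is what the thread's masking proposal asks for.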