Works on my machine.
https://www.roblox.com/games/getgameinstancesjson?placeId=920587237&startIndex=1
There are plenty of things you can do about the issue. Only show a randomised image/default image if user isn't at the allowed permission level as suggested by @anon2793720 here
Well it does via proxy, that button is effectively the same as what the plugin extensions or in some cases exploit software.
See above.
This bypasses the privacy settings of users. I don't see how this isn't a bypass. Also you require to be logged in to use this.
Great. Go to https://en.help.roblox.com/hc/en-us/articles/360038516512-How-to-Report-Security-Exploits and deal with it appropriately.
Issue persists. See this part of the original report
That and what's shown by @SwagMasterAndrew in the previous reply. The link requires specific formats to work. The exact URL shown is from the originally provided exploit code. Also requires a user to login.
Thanks for the report! We've filed a ticket to our internal database and we'll follow up here when we have an update for you.
Since no update was made from you yet I'll just post that the API does not return the userids anymore as of like a week or two weeks ago.
(forgot to mention this when I initially noticed)
Well, one big player in this forced game-join stuff was this API endpoint: "https://games.roblox.com/v1/games/1818/servers/Public?limit=100&sortOrder=Asc".
Quite sad to see how its abuse led to the removal of its providing a table of UserIds of players within the server, for I used to parlay that functionality with my in-game server-lister.
I am in the process of checking over bug reports and following up on some bugs that haven't received any activity in a while.
Is this issue still occurring or can you confirm that this bug has been resolved?
This issue has not been resolved.
I used to run a bot that searched for famous users using that exact API endpoint. It's since been decommissioned.
There's no server list, so this API is completely okay.
I think the best way to fix this is to hide the presence of a user if they can't be followed, maybe return a default avatar for the image?
Yes. Incredibly annoying, confusing and frustrating when I want to relax gaming after developing a highly anticipated game with my joins clearly set to No One.
I would say that yes that would be the best option in my opinion. It's just down to the Roblox engineers to make a decision.
Is this issue going to be solved any time soon?
I am one of the few unfortunate users who are followed by Roblox on Twitter and this has been a huge issue to me as people think that I am an employee at Roblox and can retrieve their accounts back or am able to give them robux, etc. My join games settings are set to "Friends" and people have been abusing that endpoint and stalk me into games to beg. This has gotten to the point where I need to play games or test anything I work on in VIP servers to have some sort of peace.
No one should be forced into spending money for some unwinding, lose out on exposure from Roblox's social media accounts or make entirely new accounts unrelated to your main account to avoid people disrespecting you when you're trying to explain to them that you're just a regular person just like they are. I really hope that this will be resolved soon.
@NeloBlivion looking up RoSearcher gets you the GitHub page of the creator and people are using the publicly available programming to reupload it as their own plugins.
This issue has not yet been resolved. The damage is much more intense now.
Since the publication of this report, some of the largest content creators in the world are on Roblox playing experiences, including live. These large content creators are livestreaming their time to a massive audience but it's being cut early due to this bug report. There are users using this bug to find users in experience and then exploit the experience itself.
It doesn't help when large content creators like KreekCraft are calling to Roblox to resolve this. There is intense focus on this problem which personally has been delayed for far too long.
Issue still not resolved despite many issue complaints on hackerone and direct complaints to Roblox, in retrospect this shouldn't have prolonged more than a few months but it's somehow gone for two years at this rate, harassment is off the charts with this privacy breach on our experiences community and other communities, it's impossible for some of us to play most games publicly without going onto a VIP server as some harassers are scanning front-page games just to locate and target onto us. And yes some are using literal exploits to even lag/crash our in-game servers or other attack vectors.
It's relatively a simple fix and we're still stuck here, it really shows the current state of things.
As to hop back in for this issue that still exists to this day, instead of removing the list of avatars, could it instead be an option in the user's profile settings "mask my avatar in server lists" to simply return a random Roblox's head-bust image? This probably would break this issue outright, and still keep the natural look of Roblox's server list while popular users/creators can mask themselves from being followed so that the only way to join their game is to keep clicking "Play" and hope you'll end up on the same server.
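The masking proposed in several replies above (a default avatar whenever the viewer is not allowed to follow the player), sketched as an added example that is not Roblox's code and not part of any post in this thread. Every class, setting value, field name and URL in it is hypothetical.

```python
# Added illustration, not Roblox code: every name, setting value and URL is hypothetical.
from dataclasses import dataclass, field

PLACEHOLDER = "https://example.invalid/thumbs/default-headshot.png"

@dataclass
class Player:
    user_id: int
    thumbnail_url: str
    join_setting: str = "Everyone"  # assumed values: "Everyone", "Friends", "NoOne"
    friends: set = field(default_factory=set)

def can_follow(viewer_id, player):
    """True only if the player's join setting lets this viewer follow them."""
    if viewer_id is not None and viewer_id == player.user_id:
        return True
    if player.join_setting == "Everyone":
        return True
    if player.join_setting == "Friends":
        return viewer_id in player.friends
    return False  # "NoOne" or any unknown value: fail closed

def server_entry(server_id, players, viewer_id):
    """Build one server-list row for a specific viewer (None = not logged in)."""
    visible = sorted(p.thumbnail_url for p in players if can_follow(viewer_id, p))
    masked = len(players) - len(visible)
    # One shared placeholder, appended last: a per-user "random" image or a
    # stable slot position would still let a scraper track a masked player.
    return {"serverId": server_id, "playing": len(players),
            "thumbnails": visible + [PLACEHOLDER] * masked}

# Constructed sample data: one open player, one friends-only, one "NoOne".
SAMPLE = [
    Player(1, "t/1.png", "Everyone"),
    Player(2, "t/2.png", "Friends", {7}),
    Player(3, "t/3.png", "NoOne"),
]

if __name__ == "__main__":
    for viewer in (7, 99, None):
        print(viewer, server_entry("srv-1", SAMPLE, viewer)["thumbnails"])
```

The row still reports the true player count, so the server list looks the same, while no user IDs and no real thumbnails of protected players leave the server.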
This would probably explain how every game I went to during the 2020 Egg Hunt instantly got over 300 players…
That was very very annoying… surprised that this issue is still present seeing how long the post has been up.
Sorry for the bump, but I just wanted to say that SearchBlox has now been banned and removed from the Chrome Webstore.
Although this still isn't patched, it's still good to see that both of the most popular extensions used to bypass the privacy settings are gone.
Never mind. Turns out the creator of Searchblox appealed to Google and now Searchblox is back on the Chrome Web Store AND it's open source now ._.