Bypass of Roblox privacy settings using getgameinstancesjson API

Goes beyond, searched a user who was not visible at all.

1 Like


Here’s a recording of it.

2 Likes

I still don’t get why they’re giving us the player tokens as those are what’s being used to find the actual user accounts. I don’t see why they can’t just spit out the thumbnails without the tokens, we have no reason to receive those tokens.

5 Likes

It looks like it’s still using the old API which has not yet been disabled due to this still being in A/B testing.

4 Likes

Well, Roblox recently implemented a feature that randomizes your Roblox thumbnail on the server list if you have your joins set to No one.

Doesn’t that solve the issue?

3 Likes

Does it still return all the users under “players” if they are friends with the ROBLOX account the API is being used through, and if their privacy settings allow friends to join them? As this is used for shift logging systems for things like roleplay games.

Researcher and other plugins still bypass this, so does token searching. Also, being forced to disable join for all, even for friends, is just a problem if I want to play with friends.

The plugins only “bypass” this because it’s in A/B testing, meaning if you send a request via an account without A/B then it’ll “bypass”. Once this is pushed live, there won’t be any quick “bypasses”.

^ These plugins send a request without any credentials, which means they technically “bypass” as the API does the request without the “account” having the A/B test => Once it’s pushed live, they won’t be able to bypass this as any request will default to this change.

Example from RoSearcher which currently omits the credentials. (Bypasses for now until the A/B is pushed live.)

Will this also apply to play tokens, which some people use to stream snipe without using the face icon?
