Bypass of Roblox privacy settings using "servers my friends are in" sort

Hello Mini Modders, DevForum staff and Roblox engineers,

The following report, despiste any language used does not constitute as an exploit report.
As part of responsible disclosure, this report was originally sent to HackerOne and was considered “that it doesn’t pose any security risk” according to that report. This report is pending disclosure.

The report below is exact to that HackerOne report, as well as the original report including two issues, I’ve decided to split this report into two reports. Friend only method

Summary

A version of Issue B, which does not require the chrome extension or knowledge of the target’s game.

Recommended Fixes

Remove people’s previously joined games from “Friends Playing” while the “Who can join me?” setting is set to “No one”

Requirements

The exploit can be done on one or two devices and thus offer different requirements.

If you are using two devices:

• For the attacker and target:
  • A PC that Roblox is installed and supported on. (Windows, MacOS)
  • A Roblox account that is not moderated for that specific game or the Roblox platform as a whole

If you are using one device:

• For the attacker:
  - A PC that Roblox is installed and supported on. (Windows, MacOS)
  - A Roblox account that is not moderated for that specific game or the Roblox platform as a whole

• For the target:
  - The Windows 10 UWP application from the Windows Store
  - A Roblox account that is not moderated for that specific game or the Roblox platform as a whole

Reproduction Steps

(This steps are specifically designed for one computer to reproduce, although same steps can be taken on two devices.)

• Steps for target

0. Install Windows UWP application, log in; generally meet the requirements.
1. Open up the Windows 10 UWP and log into the target’s Roblox account as normal.
2. Go to the settings and set the “Who can join me?” to “No one”. (Setting cog at the top right, settings, privacy) See: https://i.imgur.com/WhRymZs.png
3. Join any Roblox game, games with a larger player base can help prove the point further. Be aware that you cannot stay AFK for more than 20 minutes.
4. Extra step: If needed, re-join the game again. It does sometime work.

• Steps for attacker

0. Install a supported browser, Roblox, log in, be friends with the target; generally meet the requirements.
1. Go to your target’s user profile and validate that you cannot join them normally (There is no “Join Game” button or tells you what game they’re in) See: https://i.imgur.com/bfZ2qzN.png
2. Go to your home page (Press Home on the left sidebar or visit Login) and scroll down to “Friends Playing”.
3. Check each game and the open servers on that game and find the avatar of your target. You may use Issue A to automatically found it or do it manually through each page.
   (Be aware that “Servers My Friends Are In” will always not show the target in this case) In this case, they’re in none of these options. See: https://i.imgur.com/TdmW5o7.png
4. If they’re not in this list, click “See all ->” or visit Discover - Roblox and repeat step 3. In this case, we’ve found the person. https://i.imgur.com/SxOyGAK.jpg
5. Press “Join”, you will then begin to join the target’s server as normal. Once done, you’ll be in the same server, see https://i.imgur.com/Ydcwin5.png

Impact

As a result of successful exploitation of this issue, players can directly harass other players and may result in unintentional disclosure of confidential information in relation to Roblox Confidential Information or non Roblox company Confidential Information. There is limited sphere of damage as only friends can exploit this.