Changes to the /Data/Upload.ashx endpoint (X-CSRF-Token validation)

That makes sense. It seems reasonable to quickly patch a vulnerability and I understand why Roblox staff enabled it as soon as they could.


You beat me to it, I was only like a minute late, I had a whole essay written out on why I suspected it was a speed fix, I’m so sad! It’s all your fault :pensive:

In all seriousness though, I’m happy about this. I’ve seen a couple times where Roblox’s home page was in an iframe on and I never investigated it, I suspect its probably innocent and just meant to redirect you to Roblox’s website or something under normal conditions, but, the redirect didn’t happen in any case I saw it. I’m curious if maybe it could have been an inactive exploit though, I was seeing them over a year or two ago, maybe longer back, and, I know I never had any issues come from it.


I got the same issue too, can’t verify its to do with this API but could be the case

1 Like

It started happening for me within 15 minutes of this announcement while uploading sounds. I can still use studio but I can’t finish what I was working on. I can view “Home”, but accessing any other part of the site still results in this page:

Edit: The only way I am able to access this forum and use the site is through my cell network. It feels like I’m IP banned.


ohhhh…that makes sense!! alright then :smiley:

1 Like

I don’t really get the token stuff, but will this also prevent Social Engineering, and kids falling for scam games, which gives data to this and that for a upper hand of compromising a account?

Just want to get a good idea. This sounds great, since Roblox has issues with accounts being compromised and developers loosing all their work. I personally don’t think it can stop Social Engineering, but I hope it will at least stop data grabbing related websites.

I believe you may be thinking about Social Engineering, which is when an attacker tricks roblox support, or just the victim, into believing something in order to gain access to the account. It can be solved with more training, and changing security options. Reverse Engineering has to do with finding out code, which really isn’t an issue for the site but it is an issue with the roblox player client, as reverse engineering allows you to exploit and become hackerman.


This sounds like a great time to say… OAuth 2.0 when?


Soon I hope, if Roblox can sort cookie logging aswell, an OAuth would be great!

OAuth has actually been (not completely) implemented since around August 2020, developers just haven’t been able to create applications with it, only BevyLabs and Roblox themselves have created some. see the OpenID configuration also for visual

Edited for corrections

1 Like

I’m all for this. They already have internal OAuth, and web developers could benefit a lot from proper permissions for their applications.


This looks like OpenID Connect and not a full OAuth implementation. See the supported scopes list.

Yay, more security!

Noooo, Bad Request 400 errors!

Now, fix the support bots. ok

Isn’t OpenID Connect built on top of OAuth 2.0?

1 Like

The post I’m replying to made it seem like it would be trivial for Roblox to let us use OAuth to hit e.g. upload asset endpoints, but that’s not correct since the implementation only appears to support OpenID scopes so it’s probably somewhat rudimentary at the moment based on the configuration shown.


When this man makes a post, you know its good. Jokes aside this is good for security and I’m happy the Roblox staff is working to patch up holes in it.

Wherever there is still no validation for X-CSRF tokens, which there are be them scarce as they may, should have X-CSRF token validation added as soon as possible.

Better to not raise awareness of this vulnerability to people who might use it for malicious purposes while a fix is being made for it.

1 Like

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.