Changes to the /Data/Upload.ashx endpoint (X-CSRF-Token validation)

That makes sense. It seems reasonable to quickly patch a vulnerability and I understand why Roblox staff enabled it as soon as they could.

5 Likes

You beat me to it, I was only like a minute late, I had a whole essay written out on why I suspected it was a speed fix, I’m so sad! It’s all your fault :pensive:

In all seriousness though, I’m happy about this. I’ve seen a couple times where Roblox’s home page was in an iframe on adf.ly and I never investigated it. I suspect it’s probably innocent and just meant to redirect you to Roblox’s website or something under normal conditions, but the redirect didn’t happen in any case I saw it. I’m curious if maybe it could have been an inactive exploit though; I was seeing them over a year or two ago, maybe longer back, and I know I never had any issues come from it.

5 Likes

I got the same issue too, can’t verify it’s to do with this API but could be the case.

1 Like

It started happening for me within 15 minutes of this announcement while uploading sounds. I can still use Studio but I can’t finish what I was working on. I can view “Home”, but accessing any other part of the site still results in this page:

Edit: The only way I am able to access this forum and use the site is through my cell network. It feels like I’m IP banned.

3 Likes

ohhhh… that makes sense!! alright then :smiley:

1 Like

I don’t really get the token stuff, but will this also prevent social engineering, and kids falling for scam games, which gives data to this and that for an upper hand in compromising an account?

Just want to get a good idea. This sounds great, since Roblox has issues with accounts being compromised and developers losing all their work. I personally don’t think it can stop social engineering, but I hope it will at least stop data-grabbing related websites.

I believe you may be thinking about social engineering, which is when an attacker tricks Roblox support, or just the victim, into believing something in order to gain access to the account. It can be solved with more training, and changing security options. Reverse engineering has to do with finding out code, which really isn’t an issue for the site but it is an issue with the Roblox player client, as reverse engineering allows you to exploit and become hackerman.

3 Likes

This sounds like a great time to say… OAuth 2.0 when?

5 Likes

Soon I hope; if Roblox can sort cookie logging as well, an OAuth would be great!

OAuth has actually been (not completely) implemented since around August 2020; developers just haven’t been able to create applications with it, only BevyLabs and Roblox themselves have created some. See the OpenID configuration as well for a visual.

Edited for corrections

1 Like

I’m all for this. They already have internal OAuth, and web developers could benefit a lot from proper permissions for their applications.

2 Likes

This looks like OpenID Connect and not a full OAuth implementation. See the supported scopes list.

Yay, more security!

Noooo, Bad Request 400 errors!

Now, fix the support bots. ok

Isn’t OpenID Connect built on top of OAuth 2.0?

1 Like

The post I’m replying to made it seem like it would be trivial for Roblox to let us use OAuth to hit e.g. upload asset endpoints, but that’s not correct, since the implementation only appears to support OpenID scopes, so it’s probably somewhat rudimentary at the moment based on the configuration shown.

2 Likes

When this man makes a post, you know it’s good. Jokes aside, this is good for security and I’m happy the Roblox staff is working to patch up holes in it.

Wherever there is still no validation for X-CSRF tokens (and there are such places, scarce as they may be), X-CSRF token validation should be added as soon as possible.
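
As an added illustration of the kind of check the post above is asking for (example code written for this thread, not Roblox's own implementation; the endpoint name, the session handling and the server secret are all constructed), this validates an X-CSRF-Token header on a state-changing upload request and rejects requests that lack it or present a token bound to a different session:

```python
import hashlib
import hmac

# Constructed secret for the example; a real service loads it from configuration.
SERVER_SECRET = b"constructed-example-secret"


def issue_csrf_token(session_id: str) -> str:
    """Derive the CSRF token for a session as HMAC(secret, session_id).

    Binding the token to the session means a token leaked from one session
    cannot be replayed against another, and the server stores nothing.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_is_valid(headers: dict, session_id: str) -> bool:
    """Compare the presented X-CSRF-Token header with the expected token.

    `headers` is assumed to be a dict with already-normalised header names.
    A browser submitting a cross-site form cannot attach a custom header,
    so a missing header is treated as a failed check, not as a legacy client.
    """
    presented = headers.get("X-CSRF-Token")
    if not presented:
        return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so timing does not leak which bytes matched.
    return hmac.compare_digest(presented, expected)


def handle_upload(headers: dict, session_id: str, body: bytes) -> tuple:
    """Hypothetical handler for a state-changing upload endpoint.

    Returns (status_code, message). The session cookie, which the browser
    sends automatically even on forged requests, is assumed to have been
    resolved to `session_id` by the framework before this runs.
    """
    if not csrf_token_is_valid(headers, session_id):
        # Reject before the body is processed or stored.
        return (403, "CSRF token missing or invalid")
    return (200, f"stored {len(body)} bytes")


if __name__ == "__main__":
    token = issue_csrf_token("session-A")
    print(handle_upload({"X-CSRF-Token": token}, "session-A", b"sound"))  # accepted
    print(handle_upload({}, "session-A", b"sound"))                       # forged: rejected
```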

Better to not raise awareness of this vulnerability to people who might use it for malicious purposes while a fix is being made for it.

1 Like

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.