Combatting Account Theft

Problem

Account theft (usually via cookie/token theft, bypassing 2-FA) is a serious issue on the Roblox platform. Currently all an attacker has to do is get you to click a suspicious link and bam! Your 2-FA has been bypassed and your account has been stolen.

This is nothing new, but recently the problem has gotten worse for the end-user. Roblox support does reimburse Robux or certain Limited Items if an account is compromised. However, Roblox support does not reimburse in-game items.

The vast majority of users on the Roblox platform do not own Limited Items and only own a very small amount of Robux. The real wealth held on these accounts is instead within certain games, such as Murder Mystery, Adopt Me or any other game with an in-game economy & trading system. Players' accounts in these games can be worth hundreds of real world dollars, and attackers know this. Account theft has shifted from Limited Items to game-specific items, which attackers then transfer in-game to a new account and sell on 3rd party websites for money or Robux.

Since Roblox does not reimburse these items, and Developers are incapable of returning these items manually (due to high effort and a lack of tools to verify if an account has been compromised), the end result is an unhappy player who has lost all of the in-game items which they worked so hard to get.

What we are doing as developers right now

  • We have added a system to detect when an account may possibly be compromised, and if detected, limit their ability to trade for 3-7 days. This has a lot of false positives and is not ideal with the current limited APIs exposed to developers.

  • We are planning to add a user-set 4 digit passcode. This would restrict certain actions such as trading or destroying items. This is not ideal either since users can forget their passcode and requiring every user in our game to create a passcode is a tall order.

Summary

  • Account theft is astonishingly easy, as easy as a single button click, yet Developers have no way of combating or detecting instances of theft due to Roblox’s strict API limitations.

  • We either need a way for Developers to detect potentially compromised accounts, or Roblox needs to implement limitations directly on accounts which they believe may be compromised.

  • Or best of all, Roblox could address how easy it is to bypass 2-FA by cookie stealing with JavaScript!

31 Likes

Just a few proposed solutions Roblox could implement to help with this:

  • Ability for developers to prompt a 2FA code check in-game (would pop up a CoreGUI where the user completes a 2FA cycle and the dev listens to an event server-side to check that the user completed the 2FA)

    • Could then use this to lock selling/trading in-game items until the user completes a 2FA check, or prompt it on high-value trades.

  • Providing a service to track ownership of in-game assets and have an official API for trading between such assets. This way Roblox could build an interface for CS folks to inspect and modify in-game asset inventories in the event that they were maliciously transferred, similar to what they do for Limiteds.

  • Security setting on website to determine whether in-game trading is allowed, guarded by PIN/2FA. Games can read out this setting for the player with API and disable trading entirely if the user turned off the setting.

19 Likes

It should be noted that account theft is not as easy as you make it seem, and Roblox has been taking steps to prevent any serious damage from occurring if you do get compromised.

You cannot be compromised by simply clicking a link without a serious vulnerability in Roblox or your browser. While you should be cautious with what links you are clicking and there has been a history of said vulnerabilities, they do not currently exist to my knowledge and Roblox tends to resolve them fairly quickly.

Roblox has already addressed this issue and it is no longer possible to use the normal JavaScript method to obtain a user’s cookie. If you find a vulnerability that is still working and allows an attacker to obtain your cookie through JavaScript, you should report it through HackerOne.

Important actions such as trading already require TFA, and it is much harder to get compromised now as you have to either install malware or send the attacker your cookie. It is astronomically harder to get in-game items on a large scale, so these attacks would have to be targeted and require a lot of manual human work to pull off.

From my experience, these targeted attacks are hard to come by these days and it would be much more effective for Roblox to improve their moderation/filter to combat these attackers from compromising accounts in the first place. They mostly initiate their attacks using in-game chat/messages, so better filtering and spam detection would help prevent these automated attacks.

3 Likes