Cookie logging explained

Once the cookie is nabbed, they bypass all the security measures (not always true; some clever designs keep unauthorized access from happening even with the cookie stolen). Cookies act like a token to remember your login specifically, with a very, very long encrypted code for it. If that ends up in the wrong hands, cookie thieves snatch your accounts.

If the cookie logger is somehow still enabled on your device, the attacker can access the logged cookies on their machine from the inputs.

Beware, there’s a new cookie logging method

If you’re a Discord user, you might often receive attachments in DMs. If you find something interesting, you might sometimes also click the “Open original” button. So there’s this new cookie logging method going around right now (confirmed by HiddenDevs staff members): you can get cookie logged if you press the “Open original” button of an attachment.

How most people fall for it is that someone sends you a .JPEG (or maybe another format) file that has very small unreadable characters in it, which makes you interested in clicking the “Open original” button to zoom and read. And when you press the button, you are cookie logged.

I would suggest turning your DMs off from random people, and not clicking on any attachment or photo you get from someone you do not trust enough. If possible, don’t do it at all. Stay safe.


Hello there,

I recently watched @KonekoKittenWasTaken’s recent video on this subject and I would like to point out some things that are incorrect about this “security flaw”

XSS, or Cross Site Scripting, is not a real threat. Back before HTTPS and server-side encryption were mainstream, XSS or a back door was commonly found. But that was back in 2001-2005ish; now all websites and web servers use the Advanced Encryption Standard, which makes this basically impossible, even for very high-end hackers. So this is not a threat at all and you will be OK with clicking an Open Original Discord link.



XSS attacks still exist, you just have to find a flaw in a webpage and boom, jackpot.

Roblox’s security may be decent enough, but no security will ever be perfect.

Example of an XSS attack: markdown to HTML.
So let’s say you create a markdown to HTML converter. Let’s say you allow URLs that can lead anywhere; an attacker can prefix their URL with javascript:. There’s the entry point. If someone clicks on that link, JS code can be run.

Though yeah, this “method” won’t log your cookies. It’s uploading to the Discord media server.
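To make the markdown-to-HTML case above concrete, here is an added example (not code from this thread or from any project it mentions): a tiny link renderer in the unsafe form the post describes, next to a hardened form that allowlists URL schemes. The function names, the allowlist, and the use of the WHATWG URL parser for normalisation are my assumptions.

```javascript
// Added example (not code from the thread): a tiny markdown link renderer in the
// unsafe form the post describes, then a hardened form with a URL-scheme allowlist.
// Only the [text](url) syntax is handled; all other input is emitted as escaped text.

// Matches [text](url); the url part tolerates one level of parentheses, e.g. alert(1).
const LINK_RE = /\[([^\]]*)\]\(([^\s()]*(?:\([^\s()]*\)[^\s()]*)*)\)/g;

// Escape HTML metacharacters so link text and URLs cannot break out of the markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the href is HTML-escaped (so no tag injection), but the scheme is
// never checked, so [zoom](javascript:...) becomes a link that runs script on click.
// Entity-escaping does not help here: browsers decode entities in attribute values.
function renderLinksUnsafe(markdown) {
  return escapeHtml(markdown).replace(LINK_RE, (_m, text, url) =>
    `<a href="${url}">${text}</a>`);
}

// Allowlisted schemes for user-supplied links (assumed policy for this example).
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Parse with the WHATWG URL class against a fixed base so relative links resolve
// and the browser's own normalisation applies: leading whitespace is trimmed,
// tabs/newlines inside the scheme are stripped, and the scheme is lowercased.
// A plain string check such as url.startsWith('javascript:') misses those cases.
function isSafeUrl(url) {
  let parsed;
  try {
    parsed = new URL(url, 'https://example.invalid/');
  } catch (e) {
    return false; // unparseable input is not linkified
  }
  return SAFE_SCHEMES.has(parsed.protocol);
}

// Hardened: links with a disallowed scheme are rendered as plain text, not anchors.
function renderLinksSafe(markdown) {
  return escapeHtml(markdown).replace(LINK_RE, (_m, text, url) =>
    isSafeUrl(url) ? `<a href="${url}" rel="noopener noreferrer">${text}</a>` : text);
}
```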


To add onto this, Self-XSS has been used to steal users’ Robux. Let’s take, for example, the limited sniper scam. These bits of code will not run unless a user runs them, hence the “self” part. If run, it would usually cause a user to buy a shirt/pants that they did not expect.

XSS (and Self-XSS) is an issue that still exists, and is something that’ll exist as long as you need input from the user.

As you have probably heard: never trust the client.

Side Note

Self-XSS is indeed XSS, but also social engineering. If a system were to be perfectly secure, it wouldn’t stop a person with permission from doing bad actions. Let’s take phishing as an example.

A user receives an email that looks like a warning from Roblox saying they won some amount of Robux, and the email contains a button to log in. The user clicks on the button, and it takes them to a page that looks like Roblox’s login page; they put in their username and password and log in. They look at their Robux, but don’t see an increase.

The user fell for a phishing email, and gave their login details to a bad actor.

Social engineering is hacking people, and just like with websites, there are issues that allow you to get information from people that you shouldn’t have.


The word “just” is used as if it is easy to do so; flaws in websites and webpages are practically obsolete due to the experience and skill of the cybersecurity experts that work at Roblox and Discord. Also, even if you give someone your .roblosecurity cookie, all you have to do is log out and back in again and that cookie gets scrambled and changes. So, a certain roblosecurity cookie will only last a very limited amount of time.

I… you mean “sign out on all devices”? If you log out and log back in with other devices still online, your ROBLOSECURITY is never reset. Evidence: you’re literally still logged in on the other devices.

I may be wrong, but I believe that the computer’s MAC address is what Roblox uses to sign you in, as well as your ROBLOSECURITY cookie.

You don’t need to sign out of the app.

Like the Roblox app from the Microsoft Store, iOS, etc…

Cookies are session based, meaning if you were to log out of your account on the device that got logged (for example, your cookie got logged from your account on a Firefox browser and you log out of it), the cookie becomes invalid.

If you log in to Roblox from 2 different browsers and look at the Roblox security code, you’ll see that they’re different.

Cookie logging is literally just session hijacking. Though “log out of all other devices” is still a secure option to use before or after you log out, to be certain, in theory it isn’t needed. Practically, it’s good to make a habit out of the following:

  • use a strong password, generated if needed (don’t generate it with a website; just mash your keyboard or something, or write your own generator)
  • log out of all your sessions every so often
  • change your password at least once a month, or less often if it’s a really strong generated password, but still change it once in a while
  • obviously don’t click any unknown links, and research stuff before making moves (for example with the GFX logging scam)

I’ve been under the understanding that if I go to a suspicious link I am to log out of other sessions, log out and log back in, clear my browser cache, clear browser cookies, and clear browser history. After reviewing this post I am beginning to think this is a bit overkill. I’ve just been brought to a site offering “character skins” because YouTube decides that by clicking “report ad”, it also means I want to go to the website being advertised… Thanks, YouTube! So really all that is needed is logging in and out and logging out of all other sessions, correct? I don’t want to sound misinformed; I am just quite paranoid about internet theft, and uninformed on the details of what can and can’t be sourced from browser data. Would you say my extra steps are unneeded?

Initially, logging out of your current session is more than enough, and pressing “log out of all other sessions” is an extra step that you could take if you feel uncertain. Clearing browser history isn’t needed since that has no effect whatsoever.

It’s still good practice to clear your cookies and browser cache every so often to ensure privacy matters (tracking cookies and whatnot) or to clear out cluttered data in case your browser starts to turn a bit slow.

In the long run there are some steps you really don’t need to do for this specific matter, but in terms of overall performance and safety they aren’t unneeded, with the exception of the browser history one, maybe; that’s a small cache with a link and a name, nothing more, as far as my knowledge goes.


Sorry that I’m late. So, when I tried cookie logging in Roblox, I was very confused by what people say about it automatically logging you in. Well… it’s a different situation: when I try cookie logging another of my accounts, and after I refresh my Roblox page, want to know what happens? It just logs me out of my Roblox account; I don’t know why.

Yup, I got cookie hacked recently. I was kinda mad, TBH. He gave me a file and I installed it even after it said it was a virus file, and then the guy told me to play Roblox, and then the file just injected viruses into the game.
There’s a thing you gotta do if someone cookie hacks you from a file: they receive all the information you do, so if you got hacked, don’t try to go to websites that leak your bank details and stuff, ’cause they have access to all you do; basically each and every bit of info on your Chrome browser goes to them through a Discord webhook.
And this post really helped me a lot.


If you were a victim of one of these hacks, since it is your own fault and you did technically willingly share your account password, is there any use in reporting it? Has anyone ever had their stuff given back to them after having this happen?

Roblox would still help you with your account no matter what. They probably get dozens of reports a day of kids falling for scams in which they are asked for their password, and they would still help them.


Thank you for posting this so other people can have this info.

Just don’t click on random links and download random stuff; that right there should keep you from getting your cookie stolen.

If we’ve fallen for one of these, what more can one do to protect themselves from any potential hack?

I just caught myself after accidentally having sent a cookie ID, luckily fast enough to find this thread and take as many actions as I can. I’ve changed my password, added a parent PIN to my account, logged out of all sessions, logged out of my main session, and relogged back in.
Besides these, are there any other ways I can go about making sure I don’t get hacked?

Mainly, be wary of potential attackers trying to get into your account.
You’ve already taken the needed measures to prevent any (further) damage, so you should be fine for now.

Note that Roblox is currently working on an A/B test to invalidate a cookie if the IP no longer matches the one linked to the cookie (as far as I’ve heard from people at least, so take this with a grain of salt). I don’t know if this is fully released yet, though more safety around accounts seems to be coming our way sooner or later.


I have a question. I am making a Roblox game where I am asking players for a free random cookie.

I gave them a warning about sending their cookie.
And the question I have is: will I get banned from Roblox if I release this game? I am just giving them a warning, so I shouldn’t be warned. I am not a scammer and I am not trying to scam.