Cookie logging explained

As an additional note about email, I must insist that having cookie leaks is obviously “beyond” just Roblox-related content; having your email + username leaked altogether could occur literally on any website where you happen to register both of these pieces of information.

Generic advice to feel safe knowing that: verify for yourself how your email host’s account recovery works, and what is required.

For example, with Outlook, you can actually attempt a recovery request even though you lost both your password and the phone number linked to the account; you need to answer several unusual questions too, such as “What is the ID of your Xbox?” (I believe you also need to be on the secondary mail list, fortunately), but I was still compromised with 448,000 R$ and 1.5M RAP, now a year ago.

Can’t tell why; I couldn’t manage to find how, but either way, it’s like a hard disk: you’d better make a backup of it before it suddenly vanishes one day.

14 Likes

Just a heads up to the less tech-savvy people: HAR is short for HTTP Archive file. When you send any request to any endpoint (assuming you’re logged in) on any platform, there’s normally some kind of authorization token in the header that lets you perform actions. For Roblox, it’s the .ROBLOSECURITY cookie. For each request you send, you can get a HAR file that shows what happened during the request and which headers were sent. If your HAR file ends up in the wrong hands, they see that .ROBLOSECURITY token. With that, they can swap out cookies in their browser or they can use an API wrapper to automate actions like buying a shirt and taking all your Robux. Keep in mind, this applies anywhere. Discord in particular has tokens, the equivalent of the .ROBLOSECURITY, and you can wreak havoc the same way. It should be a rule of thumb to just not send anyone any files that you don’t understand (even if you change the ending of the file name).

:pray: for writing a post about this @VoidedBIade

20 Likes
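As an added example (not code from this thread or from Roblox), a small Python script that blanks session cookies and Authorization headers in a HAR file before it is shared; the header and cookie names it looks for are an assumption based on the names mentioned above.

```python
import json
import sys

# Assumed lists (not from the thread): a header that carries authority, and the
# cookie names the thread mentions as Roblox session identifiers.
SENSITIVE_HEADERS = {"authorization"}
SENSITIVE_COOKIES = {".roblosecurity", "rbxid", "rbxsession"}
REDACTED = "[REDACTED]"


def redact_cookie_string(value):
    """Blank the value of sensitive cookies in a raw Cookie / Set-Cookie string."""
    parts = []
    for chunk in value.split(";"):
        name, sep, _ = chunk.partition("=")
        if sep and name.strip().lower() in SENSITIVE_COOKIES:
            parts.append(f"{name}={REDACTED}")
        else:
            parts.append(chunk)  # unrelated cookie or attribute such as Path=/
    return ";".join(parts)


def redact_har(har):
    """Return (redacted deep copy of the HAR dict, number of values blanked)."""
    har = json.loads(json.dumps(har))  # deep copy; caller's data stays untouched
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        for section in (entry.get("request", {}), entry.get("response", {})):
            for header in section.get("headers", []):
                name = header.get("name", "").lower()
                if name in ("cookie", "set-cookie"):
                    cleaned = redact_cookie_string(header.get("value", ""))
                    count += cleaned != header.get("value", "")
                    header["value"] = cleaned
                elif name in SENSITIVE_HEADERS:
                    header["value"], count = REDACTED, count + 1
            for cookie in section.get("cookies", []):  # HAR's parsed cookie objects
                if cookie.get("name", "").lower() in SENSITIVE_COOKIES:
                    cookie["value"], count = REDACTED, count + 1
    return har, count


# Constructed sample: one request/response pair with placeholder cookie values.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"headers": [{"name": "Cookie", "value": ".ROBLOSECURITY=placeholder; theme=dark"}],
                "cookies": [{"name": ".ROBLOSECURITY", "value": "placeholder"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "RBXSESSION=placeholder; Path=/"}],
                 "cookies": []}}]}}

if __name__ == "__main__":  # usage: python redact_har.py capture.har > capture.redacted.har
    with open(sys.argv[1]) as f:
        clean, n = redact_har(json.load(f))
    json.dump(clean, sys.stdout, indent=2)
```

The count it returns is a quick sanity check: a capture taken while logged in that reports zero redactions probably stores the token under a header name the list above does not cover.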

I think with stuff like this, you just need common sense.

The best anti-virus is common sense. I don’t even run an anti-virus. I don’t need to. Windows Defender does a perfectly fine job because I don’t go to dodgy websites looking for viruses.

It’s the same case here: don’t get dodgy Chrome extensions and don’t click dodgy links. 99.9999% of the time, if you were cookie logged, it’s because you didn’t think before you clicked (just came up with that saying, maybe it’ll stick). That’s pretty much all there is to it.

8 Likes

I love this post, I really do, great job @VoidedBIade.

Quick tip for anyone freaking out right now or in the future, feeling that someone stole your cookies:

LOG OUT AND LOG BACK IN, THIS WILL RESET YOUR ROBLOSECURITY, RBXID, and RBXSESSION.

It also helps to sign out of all sessions too. Once the ROBLOSECURITY and RBXID are bad, they can’t get back into the account, unless they can reset your password with email verification or phone verification.

If they stole any items worth value, aka 15k Robux or more, email Roblox to get your account rolled back. If you lost access to your email, provide Builders Club / Robux purchase proof that you own the account. Roblox Support WILL help you despite what your friends tell you. Don’t waste your one-time rollback on some hats that are only worth 1k Robux because it’s not worth it.

While you can, be proactive and save 1 or 2 purchase receipts, or emails confirming that you made a purchase on Roblox.

Why do I know so much? I got cookie logged in May of 2015 and lost around 12,000 Robux worth of limiteds, and I did my research and now I’m educated and happy to share this info with everyone else!

TL;DR

  1. Save 1 or 2 purchase receipts, or emails confirming that you made a purchase on Roblox. (Right now, while you can.)
  2. Sign out of all sessions if you believe someone has your cookies.
  3. If you lost limiteds or Robux worth 15,000 Robux or more, email Roblox and request a rollback. Include your username, and one or two purchase receipts to verify that it’s you. (If they don’t work, there are other options like:)
  • First or the creation email address associated with the account.
  • Original billing email address associated with the account.
  • Earliest/oldest purchase receipt of items purchased from the account.
  • Game card 10-digit PIN purchased from the account.
  4. Notify your friends on Roblox that your account has been compromised and to disregard any actions that took place in ~24 hours.

Hope this helped someone in the future!

28 Likes

Additionally once you’ve logged out of the session you’re currently logged into you can log in again, go into your settings, and log out of all sessions at once which invalidates every existing ROBLOSECURITY token.

5 Likes

There’s also a new scam going around, regarding a “limited sniper.” If someone tells you to put a suspicious link on a specific ROBLOX page, for example a javascript: URL, don’t do it, as it literally pastes code into your console for cookie loggers to obtain your ROBLOSECURITY cookies and cookie log you.

11 Likes

Yep! Pasting anything with javascript: at the beginning will run JavaScript code just like if you put it into the console. This is a way that some pages use to run JavaScript when clicking links (you’ll often see something like javascript: void(0); as well, which is basically saying “do nothing when clicked”).

6 Likes

This is referred to as bait, where malicious users will offer something of value to the player in exchange for their trust. Once they’ve gained your trust, after x amount of time has passed they’ll breach the account when you least expect it.

If third-party software or an extension has been marketed at Roblox, and the developer in question lacks any credibility, then proceed with caution. One slip-up is all that’s needed in order to be compromised. I’ve known of malicious users in the past that would monitor their screens daily because it was their only source of income. Yes, people do unfortunately use theft as a way of gaining financial stability.

6 Likes

I’m not sure if this is anything related to what I am going through, but I have removed my cookies as of now and a couple of days ago.

Currently, I have been dealing with a persistent individual or bot of some sort that is getting Roblox to disable my 2-step verification without any prior email or any changes other than that. Upon going to Roblox, my account is locked out and the original email or password do not work. By using my phone number to regain access, I can clearly see that someone has gained FULL ACCESS to my account to change my password and the email. This has occurred twice now where they gained full access to my account.

I have never dealt with anything like this before in my 12 years of playing. Could this be someone that cookie logged me? I also use Firefox, so I’m not sure if there is something else about the browser.

7 Likes

Two of my friends have unfortunately been cookie logged with one losing over 500k worth of robux and another losing 20k. This thread will help to raise awareness but I feel as if the message should be spread further across other sites.

6 Likes

Chances are that you have been cookie logged, as cookies basically ignore 2-step. You might want to check your add-ons and uninstall any suspicious/unreliable add-ons.

3 Likes

Only extension I have is AdBlock, had that before any of this started. I’m assuming I clicked a link from a Roblox email thinking it was a real help ticket reply that logged me (just a hunch so far). At least I can thank you for the post, really offered me an idea as to what it is I’m dealing with currently.

3 Likes

Like what I said here, make sure when you get access to your account again, you go to your settings and sign out of all sessions, which will invalidate all session information.

4 Likes

Late reply, my apologies. With how cautious I have been for the past month and a half, I have successfully overcome any cookie loggers or whatever was tampering with my account(s). I have been frequently clearing any Roblox related data from my cache which seems to have halted all attempts. And yes, also signing out of all sessions just in case.

Much obliged for all your help guys!

3 Likes

Simple rule:

Inspect Element = Scam

18 Likes

In October 2019, my account was stolen using this technique. However, I have not figured out how it was actually done, as I never opened any files, nor did I have any extensions. Sad that I lost it; I had a lot of scripts and models I made that have gone to waste now. But from that, I have started taking backups, locally stored on a personal cloud I made with an RPi. Hope this can somehow be prevented in the future tho…

4 Likes

Heavily agree with NINJAMASTR999, thanks for this post dude, you’re protecting a lot of the community from this. Good explanation on cookie logging, but don’t forget to also add looking for that “0 KB” file; 0 KB files are often cookie loggers since everything in them is just copy & pasted code that steals their cookies and cache info. Very well explained though, thanks for this amazing post.

2 Likes

This is fun and games till a 0-day hits you.

3 Likes

An overpriced anti-virus isn’t going to protect you from a 0-day exploit. Depending on what the exploit is for, these programs will not protect you from something that exploits a vulnerability rooted in Windows itself; that’s just not how it works.

Most of these anti-viruses can just be considered bloatware. They just spam you with annoying notifications and do the exact same thing as Windows Defender. It all comes down to you not being an idiot online. If you know you’re doing dodgy stuff then use a VM. Don’t go pirating stuff on native Windows, that’s just stupid.

3 Likes

This is what happened with WannaCry and everyone got hit. Malwarebytes was one of the few anticheats whose heuristics caught WC from the beginning and minimized the spread.

2 Likes