As a previous victim of something similar a very long time ago (malicious Chrome extension), I know how frustrating and easy it is for someone to fall for the tricks of these attackers. Although it may seem blatantly obvious, it sometimes isn’t as easy if you’re unaware of the ways these people work.
I’m glad this post exists as it can act as guidance to people who are unaware of the tactics used. And also, I’ve seen a lot of people falling for fake extensions that were made to look like widely used ones (e.g. Roblox+), and as a result, they lost their accounts. Linking them directly in this topic was a good idea.
This post is awesome. Glad to see an explanation of cookie logging, especially given the sudden spike over the weekend of several high-profile developers getting their accounts compromised.
That being said, the best form of protection is common sense. Don’t click on suspicious-looking links, Roblox staff won’t message you on Roblox only to ask you to continue the correspondence on Discord, etc.
Just yesterday, my friend and client Zaytuls got cookie logged. He owns a 59,000 member group and had he sent the .har file from his holder account (he sent the .har file from his main account, not the holder), his group would’ve been stolen and lost more than 40K in funds.
This topic isn’t covered enough anywhere so I’m glad there’s a topic discussing this.
I have been cookie logged before and I can tell that Roblox proceeds to terminate really quickly the hackers who do it, I’m really happy with how Roblox proceeds and I even got my account back after.
A great way to prevent damages from cookie logging is to add an account pin to your settings. This prevents anyone with access to your account from, for example, changing your email, and prevents someone with access to your account from locking you out with their own pin. I would really recommend this to everyone because it’s a huge step up from two step since it means anyone with your account must know your pin to change your settings.
I agree that the pins are a great system, but I would really like to see them be utilised for things such as changing group owners and paying out Robux from groups too. Currently, anyone who gains access to your account can steal a group and all of its funds without any prior verification, which has massive ramifications if your group contains a lot of members or funds.
As an additional note about email, I must insist that having cookie leaks is obviously “beyond” just Roblox-related contents, having your email + username altogether leaked could occur literally in any website you happen to register both of these pieces of information somewhere.
Generic advice to feel safe knowing that, you verify by yourself how your email host’s account recovery works, and what is required?
For example, with Outlook, you can actually attempt a recovery request even though you lost both your password and the phone number linked to the account, you need to send several unusual questions too, such as “What is the ID of your Xbox?” (I believe you also need to be on the secondary mail list, fortunately), but I was still compromised with 448,000 R$ and 1.5M RAP, now a year ago.
Can’t tell why, I couldn’t manage to find how, but either way, it’s like a hard disk, you gonna make a backup of it before it suddenly vanishes one day.
Just a heads up to the less tech savvy people, HAR is short for HTTP Archive file. When you send any request to any endpoint (assuming you’re logged in) on any platform, there’s normally some kind of authorization token in the header that lets you perform actions. For Roblox, it’s the .ROBLOSECURITY cookie. For each request you send, you can get an HAR file that shows what happened during the request and which headers were sent. If your HAR file ends up in the wrong hands, they see that .ROBLOSECURITY token. With that, they can swap out cookies on their browser or they can use an API wrapper to automate actions like buying a shirt and taking all your Robux. Keep in mind, this applies anywhere. Discord in particular has tokens, equivalent of the .ROBLOSECURITY, and you can wreak havoc the same way. It should be a rule of thumb to just not send anyone any files that you don’t understand (even if you change the ending of the file name).
I think with stuff like this you just need common sense.
The best anti-virus is common sense. I don’t even run an anti-virus. I don’t need to. Windows Defender does a perfectly fine job because I don’t go to dodgy websites looking for viruses.
It’s the same case here, don’t get dodgy Chrome extensions and don’t click dodgy links. 99.9999% of the time if you were cookie logged it’s because you didn’t think before you clicked (just came up with that saying, maybe it’ll stick). That’s pretty much all there is to it.
I love this post, I really do, great job @VoidedBIade.
Quick tip for anyone freaking out right now in the future, and you feel someone stole your cookies:
LOG OUT AND LOG BACK IN, THIS WILL RESET YOUR ROBLOSECURITY, RBXID, and RBXSESSION.
It also helps to sign out of all sessions too. Once the ROBLOSECURITY and RBXID are bad, they can’t get back into their account, unless they can reset your password with email verification or phone verification.
If they stole any items worth value, aka 15k robux or more, email Roblox to get your account rolled back. If you lost access to your email, provide builders club / robux purchase proof that you own the account. Roblox Support WILL help you despite what your friends tell you. Don’t waste your one time rollback on some hats that are only worth 1k robux because it’s not worth it.
While you can, be proactive and save 1 or 2 purchase receipts, or emails confirming that you made a purchase on Roblox.
Why do I know so much? I got cookie logged in May of 2015 and lost around 12,000 Robux worth of limiteds, and I did my research and now I’m educated and happy to share this info with everyone else!
TL;DR
Save 1 or 2 purchase receipts, or emails confirming that you made a purchase on Roblox. (right now while you can)
Sign out of all sessions if you believe someone has your cookies.
If you lost limiteds or Robux worth 15,000 robux or more, email Roblox and request a rollback. Include your username, and one or two purchase receipts to verify that it’s you. If they don’t work, there are other options like:
First or the creation email address associated with the account.
Original billing email address associated with the account.
Earliest/oldest purchase receipt of items purchased from the account.
Game card 10 digit PIN purchased from the account.
Notify your friends on Roblox that your account has been compromised and disregard any actions that took place in ~24 hours.
Additionally once you’ve logged out of the session you’re currently logged into you can log in again, go into your settings, and log out of all sessions at once which invalidates every existing ROBLOSECURITY token.
There’s also a new scam going around, regarding a “limited sniper.” If someone tells you to put a suspicious link on a specific ROBLOX page, for example Javascript:URL, don’t do it, as it literally pastes code into your console for cookie loggers to obtain your ROBLOSECURITY cookies and cookie log you.
Yep! Pasting anything with javascript: at the beginning will run JavaScript code just like if you put it into the console. This is a way that some pages use to run JavaScript when clicking links (you’ll often see something like javascript: void(0); as well, which is basically saying “do nothing when clicked”).
This is referred to as bait, where malicious users will offer something of value to the player in exchange to gain their trust. Once they’ve gained your trust, after x amount of time has passed they’ll breach the account when you least expect it.
If a 3rd party software or extension has been marketed at Roblox, and if the developer in question lacks any credibility, then proceed with caution. One slip up is all that’s needed in order to be compromised, I’ve known of malicious users in the past that would monitor their screens daily because it was their only source of income. Yes, people do unfortunately use theft as a way of gaining financial stability.
I’m not sure if this is anything related to what I am going through, but I have removed my cookies as of now and a couple of days ago.
Currently, I have been dealing with a persistent individual or bot of some sort that is getting Roblox to disable my 2-step verification without any prior email or any changes other than that. Upon going to Roblox, my account is locked out and the original email or password do not work. By using my phone number to regain access, I can clearly see that someone has gained FULL ACCESS to my account to change my password and the email. This has occurred twice now where they gained full access to my account.
I have never dealt with anything like this before in my 12 years of playing. Could this be someone that cookie logged me? I also use Firefox so not sure if there is something else about the browser.
Two of my friends have unfortunately been cookie logged with one losing over 500k worth of robux and another losing 20k. This thread will help to raise awareness but I feel as if the message should be spread further across other sites.
Chances are that you have been cookie logged, as cookies basically ignore 2-step. You might want to check your add-ons and uninstall any suspicious/unreliable add-ons.
Only extension I have is AdBlock, had that before any of this started. I’m assuming I clicked a link from a Roblox email thinking it was a real help ticket reply that logged me (just a hunch so far). At least I can thank you for the post, really offered me an idea as to what it is I’m dealing with currently.
Like what I said here, make sure when you get access to your account again, you go to your settings and sign out of all sessions, which will invalidate all session information.
Late reply, my apologies. With how cautious I have been for the past month and a half, I have successfully overcome any cookie loggers or whatever was tampering with my account(s). I have been frequently clearing any Roblox related data from my cache which seems to have halted all attempts. And yes, also signing out of all sessions just in case.