Cookie logging explained

If I get your question right, yes.

Which question are you referring to?

Guys if you are reading this, please read fully.

@VoidedBlades is truly a good person for writing this. I wish I had seen it before I had done some stuff, because I have just been hacked and lost around 37k robux.

I’m encouraging you, strongly encouraging you, to read the entire thing. Don’t worry about how long it takes, know that you’ll be safe after.

Take me as an example of someone who didn’t.


That’s a pro tip, because the javascript method gets your Roblosecurity which is what is used to log in. If you keep signing out of all sessions, it won’t do anything. You’ll have to change your password or log out and log in to truly kick them out.

1 Like

Few questions

Can you get cookie logged for the roblox app? (On PC and Mobile)
Lets say I use chrome for roblox but I click on a scam link on microsoft edge could I get cookie logged?
What happens if you get cookie logged?

I asked the 3rd because I am not 100% sure but one day I went on to my roblox account and roblox put up a whole warning screen demanding that I change my password or they won’t let me log in my account.

there are possibly ways to get logged through there as nothing is 100% safe whatsoever. I however am not aware of those methods, only of the web based methods

as far as my knowledge goes you won’t get logged through that. This has to do with cookies getting cached under a different directory than the affected browser.

Cookies are basically your unique user identification code. This code allows loggers to “log in” to your session and hijack it, circumventing as good as any type of 2fa/security you had enabled. The simplest way to get them out is to log out of all sessions, a button is located in settings for that. That is if they are at the same time in it as you.

Your cookie remains valid until you log out so make it common practice to log out and log back in once in a while just to be sure or to set yourself up in such a secure way there’s a really small chance to get compromised (still suggest doing both of those)

I have never heard of this before so I cannot give any input/info on this other than it possibly being malicious. But don’t take that statement with a grain of salt.

1 Like

Hey so, That happened yesterday (I almost lost my account to be honest but like after 10 mins chatting to that person I go back to roblox and refresh noticing my robux are gona and changed my password and all It didn’t even notify to my email that someone got in) and I already sent Roblox support to get my stuff back well, my Robux and group. Is it even possible to get it back?

And If they still have the .HAR file can they still get in your account? Is there really no escape? If there is please tell me since I’m still kinda worrying

1 Like

I might have gotten cookie logged, is there any way to know if it has happened to my account(s)?

as far as I know the HAR file becomes invalid when you refresh your session (log out of all sessions + the one you’re in).

if you suspect that you might have been logged take the appropriate measures, even if it ends up being a false positive. Clear all your sessions (by logging out & pressing log out of all other sessions in the settings) and change your password to be certain.


I have a questions:
• Can you still got hacked by a cookie logger even you have 2f step verification?

Once the cookie is nabbed, they bypass all the security measures(not always true, some clever designs kept unauthorized access from happening even with cookie stolen). Cookies act like a token to remember your login specifically with a very, very long encrypted code for it. If that ends up in wrong hands, cookie thieves snatch your accounts. :slight_smile:

If the cookie logger is somehow still enabled on your device, the attacker can access the logged cookies on their machine from the inputs.

:warning: Beware, there’s a new cookielogging method

If you’re a discord user, you might often receive attachments in DMs. If you find something interesting, you might sometimes as well as click the “Open original” button. So there’s this new cookie logging method going around right now (confirmed by HiddenDevs staff members) - from you can get cookie logged if you press the “Open original” button of an attachment.

How most people falls for it is, someone sends you a .JPEG (or maybe other format) file that has very small unreadable characters in it which makes you interested in clicking the open original button to zoom and read. And when you press the button, you are cookie logged.

I would suggest you turning your DMs off from random people, and not clicking on any attachment you get photo whom you do not trust enough. If possible, don’t do it at all. Stay safe.


Hello there,

I recently watched @KonekoKittenWasTaken’s recent video on this subject and I would like to point out some things that are incorrect about this “security flaw”

XSS or Cross Site Scripting is not a real threat, back before HTTPS and server-side encryption was a mainstream thing, XSS or a back door was commonly found. But that was back in 2001-2005ish times, now all websites and web servers use the Advanced Encryption Standard which makes this basically impossible, even for very high end hackers. So this is not a threat at all and you will be ok with clicking an Open Original discord link.


1 Like

XSS attacks still exist, you just have to find a flaw in a webpage and boom, jackpot.

Roblox’s security may be decent enough, but no security will ever be perfect.

Example of an XSS attack: markdown to HTML.
So let’s say you create a markdown to HTML converter. Let’s say you allow URLs that can lead to anywhere - an attacker can prefix their url with javascript:. There’s the entrypoint. If someone clicks on that link, JS code can be run.

Though yeah, this “method” won’t log your cookies. It’s uploading to the Discord media server.


To add onto this, Self-XSS has been used to steal user’s robux. Lets take for example, limited sniper scam. These bits of code will not run unless a user runs it, hence the self part. If ran, then it would usually cause a user to buy a shirt/pants that they did not expect.

XSS (and Self-XSS) is a issue that still exist, and is something that’ll exist if you need an input from the user.

As you probably have heard, Never trust the client.

Side Note

Self-XSS is indeed XSS, but also social engineering. If a system were to be perfectly secure, it wouldn’t stop a person with permission to do bad actions. Lets take phishing for an example.

A user receive an email that looks like a warning from Roblox saying they won some amount of robux, and the email contains a button to log in, The user clicks on the button, and it takes them to a page that looks like Roblox’s login page, they put in their username and password and log in. They look at their robux, but don’t see an increase.

The user fell for a phishing email, and gave their login details to a bad actor.

Social engineering is hacking people, and just like websites, theres issues that allow you to get information from people you shouldn’t have.

1 Like

The word “just” is used as if it is easy to do so, flaws in website and webpage are practically obsolete due to the experience and skill of the cybersecurity experts that work at Roblox and Discord. Also, even if you give someone your .roblosecurity cookie, all you have to do is log out and back in again and that cookie gets scrambled and changes. So, a certain roblosecurity cookie will only last a very limited amount of time.

I… you mean “sign out on all devices”? If you log out and log back in with other devices still online, your ROBLOSECURITY is never reset. Evidence: you’re literally still logged on in the other devices

I may be wrong, but I believe that the computer’s MAC address is what Roblox uses to sign you in, as well as your ROBLOSECURITY cookie.

You don’t need to sign out of the app.

Like the Roblox app from the Microsoft Store, IOS, etc…

Cookies are session based, meaning if you were to log out of your account on the device that got logged
(for example your cookie got logged from your account on a firefox browser and you log out of it) the cookie becomes invalid.

if you log in to roblox from 2 different browsers and look at the roblox security code you’ll see that they’re different.

Cookie logging is literally just session hijacking. though the log out of all other devices is still a secure option to use before or after you log out and be certain but in theory it isn’t needed, practical wise it’s good to make a habit out of the next things:

  • use a strongly made password, generated if needed (don’t generate it with a website, just mash your keyboard or something or write your own generator)
  • log out of all your sessions every so often
  • change your password at least once a month or if it’s a really strong password which is generated less often but still change it once in a while
  • obviously don’t click any unknown links and research stuff before making moves (for example with the gfx logging scam)