Crack down on malicious plugins on the site

As a Roblox developer, it is currently too hard to differentiate plugins and assets that are malicious from ones that are not.

Over the past year, we have seen thousands of malicious plugins appear on Roblox. Users are creating groups named after well-known devs and are uploading malicious content under them.

More Examples

[Content Deleted 11442251] - Roblox

Screen Shot 2021-07-14 at 12.39.55 PM

Screen Shot 2021-07-14 at 12.40.04 PM

This is a huge issue as it’s impossible to tell if the plugin is the real deal without doing some research.
There are many new developers out there that don’t notice these plugins aren’t real and end up with malicious code in their games.

I opened the library today hoping to find some more useful plugins. Turns out EVERY single plugin displayed is fake and likely malicious.

Some ways this issue could be resolved include, only featuring plugins that have been on the marketplace for over a couple of months preventing fake plugins from ending up on the front page, another way this can be resolved is if creating groups named after a user were prohibited. For example, if someone wanted to make a group including my name they would not be able to, only the user with that username could. There could also be a verification badge displayed next to real plugins that would easily help differentiate fakes.

If Roblox were to address this issue, this would not only help developers from knowing their plugins are safe but also help developers and average users to be able to easily find assets and resources they need without having to worry about them being malicious.

121 Likes

This is absolutely ridiculous. Handles should be stripped from all groups immediately, it’s hard to believe Roblox didn’t see this one coming. Why go through all the trouble of distinguishing users from groups when groups can mimic an user with a single extra character!?

33 Likes

The fact that malicious plugins can get to the front page is unacceptable: that kind of thing should be checked all the time.

Some basic checks could be implemented at the very least - pretty much every malicious plugin there is uses getfenv and some form of require, for example.

Another way to temporarily fix the issue would be to verify some plugin developers and make their plugins appear on the front page, and have non verified plugins display a warning.

But I think there is a bigger issue at hand: assets are so easy to bot(from the looks of it), which means that assets like these can get to the top fairly quickly without much effort. Not only is this an issue in the Plugins tab, but is also an issue in pretty much every other tab.

tl;dr: the toolbox in general is criminally underchecked and assets are too easy to bot to the front page

19 Likes

The handle could be replaced with a different-colour-to-text icon that is visually distinct to any emoji - preferably one which also has a HTML title.

Alternatively, Roblox can go the twitter route and prohibit the @ symbol from being in a group name; but this can be easily bypassed through Unicode.

9 Likes

I’ve compiled a spreadsheet on the top six plugins, and all of them, go figure, are malicious

Basically, if it’s a group (and it’s name is not metatablecat), don’t install it
image

23 Likes

This is a serious and dangerous issue that requires simular treatment to display names plus more, with harsh checking and filtering. Anything close to any disallowed MUST go via human review or just straight up denied.

I should not be required to fork out Robux because Roblox is not taking action to minimise it.

For people like @Elttob who spend Robux on groups with both without and with the @ in their username. ONE Cyrillic o failed to protect these critical users, the only way is to check the link that the owner is from if it’s from a group or not.

It is critical Roblox takes time to stamp out these kind of bypasses in a proactive way that does not introduce harm. The fact that these mallicious actors are now at the top of the relevant search (first sort for the library) is scary. The top 2 in that sort are not owned by the original authors.

Of the top 42 on the front page, 18 are NOT owned by users. See what @metatablecatmaid has reported above and below.

24 Likes

18 of the 42 plugins on the front page (the majority being at the top) are groups with an “@” in the name. I highly suspect these are all malicious.

8 Likes

I’m just thinking of all the new devs who have no idea that their games have these destructive back doors or bugs introduced. It happens fairly often in #help-and-feedback:building-support that a new dev will be told “you’re using the wrong plugin. Here’s the real one.”

Talk about a serious barrier to entry for new devs - something Roblox cares a lot about.

21 Likes

I like how the toolbox only shows endorsed/trusted plugins, however this blocks out genuine plugin devs who aren’t as well known (cough).

The Library still has the same exploits that the shirt/pants catalog has.

3 Likes

This is a serious problem - not just because my name’s up there (pretty flattering, actually), but because this is compromising people’s trust in my plugins and my branding which I work very hard to build and maintain.

If you’re looking to install plugins, I advise you stick to the DevForum. It’s much more solidly moderated because it’s not overwhelmed by malicious plugins. You can find authentic links to my plugins here:

Reclass-Convert ReclassImiji-x32 ImijiAtmos-Pro AtmosPick-Pro-x32 PickInCommand-Dark-x32 InCommand

26 Likes

The fact that group names weren’t considered alongside the display name feature is upsetting. There needs to be a review of what group names are suitable, because to the beginner developer, a malicious plugin would look identical to the real one. This is more than just a “content-delete-the-groups-and-move-on” scenario, there needs to be a serious re-evaluation of group names completely, to prevent any malicious acts like this from happening again.

16 Likes

Not just newer devs too, in Studio it’s pretty hard to identify who created the plugin, even when it shows the group name. I always have to take extra steps to making sure that I’m downloading the correct plugins or it’ll start the snowball effect in my game. It’s quite stressful at times too. Roblox should be doing some sort of “verified” plugins or just outright creating a system to remove harmful plugins.

Not to mention, if you do download a harmful plugin, it’s not fun at all when you have to go through every script to find the suspicious looking one, to which you may miss.

10 Likes

Given how the Studio application has a launch argument for installing plugins (i forgot what it was exactly), it might be possible to make a third-party plugin hosting site that stays in line with Roblox’s TOS, but has community-based moderation.

If you want to install a plugin from a web browser, the protocol is:
roblox-studio://1+launchmode:plugin+pluginid:ID

This doesn’t work, needs an authentication ticket which makes sense.

For you nerds who can try and make it work:

roblox-studio:1+launchmode:plugin+gameinfo:XXXXXXXX+launchtime:1626286044764+pluginid:6118449317+avatar+browsertrackerid:XXXXXXXX+robloxLocale:en_us+gameLocale:en_us+channel:
6 Likes

One possible mitigating feature I came up with was keeping some lists of ‘visually interchangeable’ Unicode characters and adapting the group name availability checker to reject group names with visually interchangeable characters as the only differences.

I don’t know if it’s really viable unfortunately - it could be a lot of effort to construct those lists, there could be potential issues with other locales and it’s kind of hard to draw a solid line on what counts as ‘visually similar’. On the technical side of things, it could complicate the setup, depending on how Roblox has set up their databases.

I do agree though that something more impactful has to be done about this beyond simply reporting malicious groups that pop up.

6 Likes

I’d say implement a permission prompt if the plugin attempts to use require(id)

6 Likes

New developers to Roblox (whether they’re industry professionals, or complete beginners) will inevitably install these malicious plugins thinking they’re legit. It’s a bad look.
Also, in light of this new method of impersonation, they should probably prevent us from creating groups starting with @

7 Likes

Malicious plugins are not a new concept, Roblox knows about them, and took into consideration when they allowed plugins to be on sale for Robux. That’s why the in-studio toolbox only shows plugins that have been reviewed first. However new plugin creators dont have their plugins show in the toolbox quickly enough so they post on devforum and other places like Youtube to get the word out. But that can be exploited since they have to install the plugin from the plugin’s webpage and not in studio which bypasses the plugin review checks.

There is no warning that a plugin you are about to install has not been reviewed yet, which is indeed an oversight, especially when malicious content creators are abusing the display name feature by adding [@ popular plugin creator name here] in the groups name. Was just talking about this in another thread the and other day: [ Virus in plugins ] and yes most of the top plugin creators know about these things since its been going on for years.

All we can really do right now is report the plugins, the modules they require, and the creator/group that owns them. And hopefully Roblox swiftly takes them down and implements more security measures in the near future.

Why was the @ symbol even allowed in the group names in the first place, especially as the first character. Definitely an oversight, one in which I hope gets fixed really soon. Until then, Only trust plugins from the Toolbox or otherwise a good review on devforums.

1 Like

If you want a good example as to how ridiculous this has gotten, here you go. All of these are still existing on the site:


As far as I can tell, nearly every single one of those 2,247 results is a reuploaded malicious version of my plugin. I dug through a few of them and found some encrypted code that they try to disguise as some sort of “plugin icon fix”. All of these reuploads use the same thumbnail and were uploaded at around the same time, so I think it’s safe to assume that practically all of them were set up exactly the same way (i.e. all malicious) and mass-uploaded.

17 Likes

This is a serious issue and places could easily get stolen via HTTPservive and allowing script injection. Please Roblox we can do better.

8 Likes

Once I actually had an idea to make a site like npm but for Roblox stuff. You would be able to install plugins and libraries easily but everything would require a review before being available.

It seems like my idea finally has some use.

5 Likes