CreatorStoreService:performCreatorStorePurchase() doesn't include the USD price of a purchasable plugin in the body of the POST Request

In both Roblox Studio and the Windows Roblox Client, calling the function CreatorStoreService:PerformCreatorStorePurchase() will send an HTTP POST request to the API https://apis.roblox.com/marketplace-fiat-service/v1/product/purchase but will not include the correct USD price of a Plugin that is put on sale in the Creator Store.


Code used in Studio:

warn(game:GetService("CreatorStoreService"):performCreatorStorePurchase(14328968969, "Plugin"))

In Client:

table.foreach(game:GetService("CreatorStoreService"):PerformCreatorStorePurchase(14328968969, "Plugin"), warn)

Roblox Client Version: version-ff05edc617954c5b
Roblox Studio Version: version-5b7be25be0304ad6 (v0.672.0.6720706)
Plugin used for demonstration: https://create.roblox.com/store/asset/14328968969/VFX-Suite

Information of the request that the function sends to the API:

POST https://apis.roblox.com/marketplace-fiat-service/v1/product/purchase HTTP/1.1
Host: apis.roblox.com
Accept: */*
Cookie: (removed for safety)
Cache-Control: no-cache
Connection: keep-alive
User-Agent: RobloxStudio/WinInet RobloxApp/0.672.0.6720706 (GlobalDist; RobloxDirectDownload)
Roblox-Game-Id: 48c1be5b-fcd0-4d8c-bd4d-52114043c9d5
Roblox-Universe-Id: 5978449051
Roblox-Place-Id: 17468158535
PlayerCount: 1
Requester: Client
Content-Type: application/json
traceparent: 00-d898b829bc0007874f947776bad90572-e855b8cb17ed2689-00
X-CSRF-TOKEN: pJ0aC+2YJGmA
Content-Length: 230

Body:
{
    "productKey": {
        "productNamespace": "PRODUCT_NAMESPACE_CREATOR_MARKETPLACE_ASSET",
        "productType": "PRODUCT_TYPE_PLUGIN",
        "productTargetId": "14328968969"
    },
    "expectedPrice": {
        "currencyCode": "USD",
        "quantity": {
            "significand": 0,
            "exponent": 0
        }
    }
}

Expected behavior

The function is supposed to initiate a successful purchase by including the correct USD price of a Plugin in the HTTP request, like:


This bug is still present in the new Roblox Studio update (v0.673.0.6730711) version-012239e64a274975. I believe that this is an important bug that requires immediate fixing, as the function quite literally does not work at all.

This function used to work on Plugins that used to cost Robux in the Creator Store, but now all Plugins that used to cost Robux are put off sale, and this has left the “Drainer Drainer 123” project unable to drain the Robux of exploiters. Looking forward to draining credit cards in the future!

I can’t seem to find any documentation on this service. Are you sure Roblox even wants developers to use this service? I don’t think they’ll fix this.


Roblox does not intend for it to be used by developers in their games, but it still is a valid bug report nonetheless. While it is not intended to be used in games, it is still intended to be used in Lua code and the function serves a purpose which it does not correctly do.

Fun fact: This service has a big chance of being publicly available and will be able to be used by game developers in the future. There may be an upcoming :PromptCreatorStorePurchase() function of CreatorStoreService in the future. There are services which Roblox actually does not intend to be used in Lua code and which are probably only usable internally in their C++ codebase, such as MLWorkflowOrchestratorService!

MLWorkflowOrchestratorService::DownloadWorkflowJobResult(workflowId: string, url: string)
MLWorkflowOrchestratorService::GetWorkflowJob(workflowId: string, query: string)
MLWorkflowOrchestratorService::RequestWorkflowJob(unknown_param: string, prompt: string, unknown_param2: {[string]: any}, unknown_param3: {[string]: any}): string (this is apparently JSON encoded)
MLWorkflowOrchestratorService::SerializeModel(model: string)
MLWorkflowOrchestratorService::RateWorkflowResult(workflowId: string, userId: number, rating: number)

I don’t know if I’m missing something, but it looks like you have shown yourself exploiting in Roblox to test the function. I can also tell by the line at the top with the warning, as I think it comes from Xeno. Idk what “falcon” is, but if there was a vuln to get corescript permissions in a Roblox game then it would be already patched, as it poses huge risks (like cookie stealing).