Brief Description:
Using the support system for Roblox allows you to enter anybody’s email. Let’s use a YouTuber for example, let’s say you really don’t like them. If they have their business email publicly available, linked on their YouTube channel, and linked to their Roblox account, ANYBODY could use their email, make a ticket for Roblox support sending a threat, and get them banned.
Here’s an example:
Let’s say this is KreekCraft’s email: iamkreek@gmail.com
Let’s assume it was listed under his channel as his business email, and linked to his Roblox account.
If I go to Roblox Support, I can enter in his email, and since we all know his username, enter in the username, as shown below…
You might be thinking, what is the problem with this?
If you send a threatening message, or anything that violates Roblox’s Terms of Service, your account gets banned. So you could get anybody banned.
Expected behavior
Expected Outcome:
Some sort of confirmation email sent from Roblox to confirm it was actually ME who created the ticket.
Below is some concept art of what it could look like…
Yeah, this makes way too much sense — it would not only prevent abuse but also confirm that the real owner of the email is actually the one reaching out. It would instantly block a whole class of exploits. The fact that this kind of basic verification doesn’t exist is honestly crazy.
There’s even a YouTuber who had the FBI show up at his house because of this situation. People use the support system to send threatening messages to Roblox using that person’s email, and things can escalate to a really serious level:
Also, I feel like maybe they don’t want to enforce this. Like, if someone is currently logged into their account and using the email that’s already verified and connected to it, maybe Roblox thinks there’s no need to verify if it’s actually them when they contact support. But for literally every other imaginable scenario, this kind of verification seems absolutely necessary.
I noticed that some agents do realize that the ticket is unusual and ask you to confirm that you wrote it.
However, some agents do take it as 100% real.
Here’s an example of an agent that noticed.
I am noticing the same issue. I checked on 5/14/2025 (as I’m writing this), and the security loophole is still there. The YouTuber who informed most of us about this situation only posted the video three days ago (I won’t name the YouTuber to avoid potential issues with directing users off-platform). Still, I believe this should be prioritized.
A simple two-factor authentication system (email verification code or backup code) could largely solve this problem. And if Roblox already has 2FA available in user settings, why hasn’t it been implemented here? If the concern is about making report forms accessible to kids—well, even kids know how to ask their parents to check a verification code in their email. Not to mention, every Roblox account already has an email linked.
In the unlikely event that Roblox sees this, implementing a safe environment for users will encourage consumers to spend money in-game. No one wants to buy gamepasses if their accounts can be disabled with zero effort. Patching this problem won’t take much effort on your part and will increase both your reputation and revenue. Improving the security of the report and support systems is the right step — we all agree.
Not really a vulnerability; it’s more just abusing a system that has not been thought of too clearly in terms of verifying that the submitter of the ticket is actually who they say they are.
This can easily be fixed by them just adding a SIMPLE check:
Create ticket → send an SMTP email to verify that they are the submitter via a URL → create the ticket if confirmed; otherwise, once it expires after 10 minutes, don’t create the ticket.
Also, this would require some kind of OSINT gathering or data retrieval to even get close to doing this, as it requires your email.
I still wouldn’t call it a CVE. It is not that bad to be considered that.
This is just human error and also basic info gathering/OSINT gathering on the target, which is then used against them by relying on the probability that the human on the other side of the ticket (aka the support tech) just blindly thinks that the unusual activity from said email and ticket is you.
As shown before, it can happen that some support techs actually realise this might not be you and then contact you to confirm, which defeats the whole “CVE”.
Again, not a CVE; it’s just abusing the human factor that we are all animals and we all think differently.