Critical Vulnerability That can be Exploited to get people's accounts Terminated

Visual Aids:


Direct Links:

Brief Description:
Using the support system for Roblox allows you to enter anybody’s email. Let’s use a YouTuber for example, let’s say you really don’t like them. If they have their business email publicly available, and it is linked on their YouTube channel and to their Roblox account, ANYBODY could use their email, make a ticket for Roblox support sending a threat, and get them banned.

Here’s an example:
Let’s say this is KreekCraft’s email:
iamkreek@gmail.com
Let’s assume it was listed under his channel as his business email, and linked to his Roblox account.
If I go to Roblox Support, I can enter in his email, and since we all know his username, enter in the username, as shown below…


You might be thinking, what is the problem with this?
If you send a threatening message, or anything that violates Roblox’s Terms of Service, your account gets banned. So you could get anybody banned.

Expected behavior

Expected Outcome:

Some sort of confirmation email sent from Roblox to confirm it was actually ME who created the ticket.
Below is some concept art of what it could look like…

Actual Outcome:

A ticket gets created, and people can put threatening messages in the support ticket details, or anything that violates ToS to get accounts banned.

An issue that made me create this post is in the following video where someone did EXACTLY what was listed above.

10 Likes
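The confirmation step the post asks for under "Expected Outcome" is a standard e-mail ownership check. The following is an added example that is not part of the original post and is not Roblox's code; the `SupportDesk` class, the in-memory `outbox` standing in for a mail sender, the HMAC-signed token format and the 24-hour validity window are all assumptions made for illustration. A ticket submitted through the form is held in a `pending_confirmation` state that agents never see; the token that opens it is sent only to the mailbox named on the form, so a third party who types in someone else's address cannot get the ticket in front of an agent.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Ticket:
    ticket_id: str
    email: str
    username: str
    body: str
    created_at: float
    status: str = "pending_confirmation"   # becomes "open" only after confirm()


class SupportDesk:
    """Hypothetical ticket backend (assumption, not a real system).

    Tickets stay invisible to agents until whoever controls the e-mail
    address given on the form presents the token that was mailed to it.
    """

    TOKEN_TTL = 24 * 3600   # assumed validity window for the confirmation link

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret          # server-side HMAC key, never sent to users
        self._now = now                # injectable clock so expiry can be tested
        self._tickets: dict[str, Ticket] = {}
        self.outbox: list[dict] = []   # constructed stand-in for an e-mail sender

    def _sign(self, ticket_id: str, email: str, expires: int) -> str:
        # Bind the token to this ticket, this address and this expiry time.
        msg = f"{ticket_id}|{email.lower()}|{expires}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def submit(self, email: str, username: str, body: str) -> str:
        """Record the ticket as pending and mail a confirmation token."""
        ticket_id = secrets.token_hex(8)
        now = self._now()
        self._tickets[ticket_id] = Ticket(ticket_id, email, username, body, now)
        expires = int(now) + self.TOKEN_TTL
        token = f"{expires}.{self._sign(ticket_id, email, expires)}"
        # The form filler never sees the token; only the mailbox owner does.
        self.outbox.append({"to": email, "ticket_id": ticket_id, "token": token})
        return ticket_id

    def confirm(self, ticket_id: str, token: str) -> bool:
        """Open the ticket if the token is well-formed, unexpired and authentic."""
        ticket = self._tickets.get(ticket_id)
        if ticket is None or ticket.status != "pending_confirmation":
            return False
        try:
            exp_str, mac = token.split(".", 1)
            expires = int(exp_str)
        except ValueError:
            return False
        if self._now() > expires:
            return False
        expected = self._sign(ticket_id, ticket.email, expires)
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            return False
        ticket.status = "open"
        return True

    def agent_queue(self) -> list[Ticket]:
        """What support agents get to see: confirmed tickets only."""
        return [t for t in self._tickets.values() if t.status == "open"]


def demo() -> tuple[int, int]:
    """Walk through the scenario from the post with constructed data.

    Returns (tickets visible to agents before confirmation,
             tickets visible after the real mailbox owner confirms).
    """
    desk = SupportDesk(secret=b"constructed-demo-key")
    # Someone other than the account owner fills in the owner's public address.
    tid = desk.submit("owner@example.invalid", "SomeUsername", "constructed ticket text")
    before = len(desk.agent_queue())          # 0: nothing reaches an agent yet
    # The confirmation mail lands in the real owner's inbox, not the submitter's.
    mail = desk.outbox[-1]
    desk.confirm(tid, mail["token"])          # only the mailbox owner can do this
    after = len(desk.agent_queue())           # 1: opened by the address owner
    return before, after


if __name__ == "__main__":
    print(demo())
```

The same pattern fits the caveat raised later in the thread: a submitter who is already logged in with the verified address on the account can be treated as confirmed at submit time, while every other submission goes through the pending state.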

Yeah, this makes way too much sense — it would not only prevent abuse but also confirm that the real owner of the email is actually the one reaching out. It would instantly block a whole class of exploits. The fact that this kind of basic verification doesn’t exist is honestly crazy.

There’s even a YouTuber who had the FBI show up at his house because of this situation. People use the support system to send threatening messages to Roblox using that person’s email, and things can escalate to a really serious level:

Also, I feel like maybe they don’t want to enforce this. Like, if someone is currently logged into their account and using the email that’s already verified and connected to it, maybe Roblox thinks there’s no need to verify if it’s actually them when they contact support. But for literally every other imaginable scenario, this kind of verification seems absolutely necessary.

6 Likes

I noticed that some agents do realize that the ticket is unusual and ask you to confirm that you wrote it.
However some agents do take it as 100% real.
Here’s an example of an agent that noticed.

7 Likes

That should be something that they do by default. I honestly don’t know why they don’t do it.

5 Likes

KreekCraft said that he was talking to Roblox about this issue a few days ago, so I assume they’ve been made aware.

2 Likes

I actually also know the FBI YouTuber story you mentioned, and it’s not the only one, I think.

1 Like