Enhance the account security by updating the authentication ticket API

What is the problem?

As a Roblox developer, it is currently too hard to ignore the fact that there is an endpoint that allows users to get compromised by a “simple” phishing attack. The endpoint in question is the Authentication API, and it is outright dangerous and prone to attacks.

If you have ever seen something like this, you will know what I am talking about.

If you are unfamiliar with this, let me explain to you what this does:
  • A person asks you to go to any roblox.com domain and paste something in the address field

  • This will fetch code from another website and execute it. The code fetches an “authentication ticket” from the API mentioned, which can later be used to retrieve a Roblox account cookie (in this case, yours).

  • The authentication ticket is sent back to their servers, where they redeem it, and take over your account.

  • Once you run that code, your account is gone in less than a second.


Roblox has already done something about phishing issues: they have removed all programmatic access to your .ROBLOSECURITY cookie by setting the HttpOnly flag to true.

However, that becomes almost pointless when there is an endpoint that allows you to get instant access to your account regardless.


What can Roblox do?

There are a couple of things Roblox can do:

  1. Add a similar endpoint, but with granular access
    I don’t know why they need an endpoint like this, but they should restrict the ability to use it for malicious purposes. For example: if the Roblox game launcher needs an account token, it should only have the permissions necessary to play the game.

    Think of Discord’s OAuth2 flow: if you are going to add a music bot, it won’t need admin access to your entire server, only access to join and play music. Anything else would impose a security risk.

  2. Remove the endpoint in its entirety, or ensure the requests are not made by 3rd parties
    For the same reason as enabling the HttpOnly flag, they should remove / alter the endpoint so that it is known the request is made by Roblox, and not by someone else.

7 Likes
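To make the two suggestions above concrete, here is an added example of how a ticket endpoint could be built with granular, client-bound access. It is not Roblox code and the page says nothing about Roblox's real implementation: the scope names, the `game-launcher` client id and the HMAC format are all assumptions chosen for illustration. A ticket is minted for exactly one client and one scope set, expires in seconds, and can be redeemed once, so a ticket obtained by a third party cannot be redeemed by that party and a ticket minted for joining a game cannot be used to manage the account.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for this example only; a real service would load it from a secrets store.
SERVER_KEY = b"constructed-example-key-do-not-use"

# Hypothetical scope names; the page does not describe Roblox's actual permission model.
ALLOWED_SCOPES = {"game:join", "game:chat", "account:read", "account:manage"}

# Ids of tickets already redeemed (single-use enforcement). In-memory for the demo.
_redeemed_ids = set()


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user_id, scopes, client_id, ttl=30, now=None):
    """Mint a short-lived, single-use ticket for one client with an explicit scope list."""
    scopes = sorted(set(scopes))
    unknown = set(scopes) - ALLOWED_SCOPES
    if unknown:
        raise ValueError("unknown scopes: %s" % sorted(unknown))
    now = time.time() if now is None else now
    claims = {
        "sub": user_id,
        "aud": client_id,              # the only client allowed to redeem this ticket
        "scopes": scopes,              # least privilege: nothing beyond what was requested
        "exp": now + ttl,              # short lifetime, in seconds
        "jti": secrets.token_hex(16),  # unique id so the ticket can be redeemed exactly once
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return "%s.%s" % (_b64(body), _b64(tag))


def redeem_ticket(ticket, client_id, required_scope, now=None):
    """Return (ok, reason). Each failing check is named so the server can log and alert on it."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = ticket.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad_signature"
    claims = json.loads(body)
    if claims["exp"] < now:
        return False, "expired"
    if claims["aud"] != client_id:          # presented by a client it was not minted for
        return False, "client_mismatch"
    if required_scope not in claims["scopes"]:
        return False, "scope_missing"
    if claims["jti"] in _redeemed_ids:      # already used once
        return False, "replayed"
    _redeemed_ids.add(claims["jti"])
    return True, "ok"


if __name__ == "__main__":
    ticket = issue_ticket(12345, ["game:join"], client_id="game-launcher")
    print(redeem_ticket(ticket, "game-launcher", "game:join"))        # (True, 'ok')
    print(redeem_ticket(ticket, "game-launcher", "game:join"))        # (False, 'replayed')
    other = issue_ticket(12345, ["game:join"], client_id="game-launcher")
    print(redeem_ticket(other, "third-party-site", "game:join"))      # (False, 'client_mismatch')
    print(redeem_ticket(other, "game-launcher", "account:manage"))    # (False, 'scope_missing')
```

The check order matters for what gets logged: signature first (anything else on an unsigned blob is untrusted data), then expiry, then client binding, then scope, then replay. A redemption attempt that fails with `client_mismatch` or `replayed` is exactly the signal a defender wants to alert on, because it means a ticket left the client it was issued to.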

Given how little information there is, it’s hard to know if this is a real implementation.

The same as OP suggests should be done to .RBXID and .RBXIDCHECK.
(It seems like they don’t do anything.)


Roblox should implement a check for IPs when validating session auth cookies.

I am able to just put my session cookie into the Tor browser, and Roblox does not bother to check whether the IP is from a country I’d be expected to use, or from an unexpected IP such as one seen in VPNs and Tor.

I understand the UX interruption from it being just IPs, but I think introducing a range of factors and a checksum will go a long way. Maybe add it to a list of known approved IPs for when people are on LTE? Validate against MAC addresses or IMEI? I’m aware they can be faked or otherwise not required, but I’m just trying to expand how they’re validated using reasonable steps.

5 Likes
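The reply above asks for session validation that weighs several signals rather than a hard IP match. As an added example (not Roblox code, and the page does not say how Roblox validates sessions), the block below scores a request that presents a session cookie against the session's home country, an anonymiser (Tor/VPN) list and a per-user set of approved addresses, and turns the score into allow, step-up (re-authenticate, then approve the address) or deny. The GeoIP table, the anonymiser ranges and the thresholds are constructed stand-ins.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for a GeoIP database: RFC 5737 documentation prefixes mapped to countries.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
}

# Constructed stand-in for a Tor-exit / commercial-VPN feed.
ANONYMIZER_RANGES = [ipaddress.ip_network("203.0.113.0/26")]

# Hypothetical tuning: score >= STEP_UP_AT forces re-authentication, >= DENY_AT rejects outright.
STEP_UP_AT = 1
DENY_AT = 3


@dataclass
class Session:
    user_id: int
    home_country: str
    # Addresses the user has already confirmed (e.g. a known LTE or home address), stored as strings.
    approved_ips: set = field(default_factory=set)


def lookup_country(ip):
    """Longest-prefix lookup is unnecessary here because the constructed table has no overlaps."""
    for net, country in GEO_TABLE.items():
        if ip in net:
            return country
    return None


def is_anonymizer(ip):
    return any(ip in net for net in ANONYMIZER_RANGES)


def assess_request(session, ip_str):
    """Return (decision, factors) for a request presenting this session's cookie from ip_str."""
    ip = ipaddress.ip_address(ip_str)
    if str(ip) in session.approved_ips:
        return "allow", []                       # previously confirmed by the user
    factors, score = [], 0
    country = lookup_country(ip)
    if country is None:
        factors.append("unknown_geo")
        score += 1
    elif country != session.home_country:
        factors.append("country_mismatch:%s" % country)
        score += 2
    if is_anonymizer(ip):
        factors.append("anonymizer")
        score += 2
    if score >= DENY_AT:
        return "deny", factors
    if score >= STEP_UP_AT:
        return "step_up", factors
    return "allow", factors


def confirm_step_up(session, ip_str):
    """Called after the user passes re-authentication; the address is trusted from then on."""
    session.approved_ips.add(str(ipaddress.ip_address(ip_str)))


if __name__ == "__main__":
    s = Session(user_id=1, home_country="US")
    print(assess_request(s, "198.51.100.7"))   # ('allow', [])
    print(assess_request(s, "203.0.113.200"))  # ('step_up', ['country_mismatch:DE'])
    print(assess_request(s, "203.0.113.5"))    # ('deny', ['country_mismatch:DE', 'anonymizer'])
    confirm_step_up(s, "203.0.113.200")
    print(assess_request(s, "203.0.113.200"))  # ('allow', [])
```

Scoring rather than hard-blocking is what keeps the UX cost the reply worries about in check: a legitimate user travelling or on a new carrier gets a re-authentication prompt and is then remembered, while a cookie replayed from an anonymiser in a foreign country is refused. The returned factor list is meant to be logged with the decision so that a stolen-cookie pattern (many sessions suddenly failing on the same factor) is visible to detection.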

I think common sense is the best solution here. Don’t post code into your browser, console, etc., and you’ll keep your account.

Granular access would never happen unless Roblox implemented OAuth & an actual interface for bots. Otherwise, there’s no point to limit the client’s access to certain functionality especially in terms of site experience. The lack of distinction between a normal user & a bot is why this would never work.

If they remove or alter the endpoint, they lose functionality that the endpoint brought. Altering it to provide the same functionality it already has doesn’t make much sense.

The endpoint isn’t actually a security flaw. It’s more so the lack of common sense from other people being falsified into doing stuff a random person wants for gain, i.e. lifetime premium, limited premium, x amount of Robux, etc.

At a certain point, it almost becomes redundant to abstract and prevent obvious signs of phishing when, quite frankly, the user is at fault.

Also, hi.

2 Likes