Description:
I have a gamepad plugged into my computer and whenever I press the Escape key button or the ButtonStart when the PromptPurchase gui is open, it automatically triggers the buy now button and buys the product.
This only happens when the gamepad is plugged in.
I have tried this at two places to confirm this bug and I have tried it for both gamepasses and developer products, and indeed it happens for both.
Reproduction steps:
Plug in a gamepad controller
Go in a place and prompt a product purchase gui
Press the Esc key button on the keyboard or Start button (ButtonStart) on gamepad
Hardware:
I am currently on a PC (Windows 10) and using a gamepad similar to an xbox controller (probably not original).
I have edited the post as I have also noticed that the start button on the gamepad (Enum.KeyCode.ButtonStart) triggers Buy Now button too as demonstrated in the gif.
A simple situation that I could think of where it can be abused is:
1.) Ask a rich fella who has a controller to test a game’s controller input for you because “I don’t have a controller.”
2.) Constantly prompt the rich fella with a gamepass prompt
3.) He would get annoyed at the prompt and would do either of the following:
A.) Tab out to message you about the prompt
B.) Exit the game, which has a high chance of involving pressing esc
4.) If step 3 doesn’t work, just send the rich fella a DM on a chat app that he has notifications on for. He’d be sure to tab out to check what you send.
It wouldn’t be too complex to find someone who has robux and a controller. A person could easily ask around a Discord server like Rolimons if someone could test. Social engineering someone into getting the number of Robux they have isn’t hard especially if they trade. “Hey man, I want to give you my [Blank] for your [Blank] + Robux. How much Robux you got?”
Although I don’t think many players have their gamepad plugged to their PC at all times, you are right. It is easily abuse-able as indicated by your public step by step guide on how to wrongly take advantage of this bug. However, you need to understand that it was my duty to report this bug in the most effective way which is right here through this thread.
Yeah, most players don’t have a gamepad, that’s why you would just go to a Discord server and ask around for someone with one.
I understand that this is how you reported the bug, I put the “I wouldn’t have this thread public, this is easily abuse-able” in hopes that maybe someone would unlist the thread so that no one would find out about it and attempt to abuse it.
It is fine to report these things as public bug reports. The risk of this being used maliciously is low due to the somewhat specific repro steps. Thanks for thinking along about security though!