[Exploit] Able to fake Roblox Premium (Player.MembershipType) through Fiddler on join

Looks like you are able to fake Roblox Premium (using the Player.MembershipType API on the SERVER) by using Fiddler to modify the body of the game join HTTP request.

Got some reports of this. Any safe (not affected by this exploit) ways of checking membership status? I’m going to disable the premium benefits in Robeats for the time being.

(removed v3rm forum link and youtube vid)

14 Likes

Maybe you can try checking the membership of the player at the moment the player joins.

Yeah I agree. That may be the only way to fix it until it’s fixed.

Taking a guess, but since this is modifying HTTP requests on client join, that will likely not fix it.

1 Like

True, we just need to hope they fix it soon then.

I think the only way to do this would be a player added event in the server that returns the membership of the player.

The only other way I can think of is doing your own membership checking.

Just request some API on the server to fetch their membership status using rprxy or something similar.

This was already reported, several times.

2 Likes

Sounds like a pain, but any documentation on what API to hit to check this?

I don’t know off the top of my head, sorry. Also, you might want to use your own servers to do this; not sure if rprxy will be able to handle the barrage of requests from Robeats.

1 Like

Try to use
https://premiumfeatures.roblox.com/docs

There’s an API endpoint made for validating premium membership:
https://premiumfeatures.roblox.com/v1/users/21735007/validate-membership
(Replace 21735007 with user id)

4 Likes

All the web APIs are now on a lovely consolidated page:
https://api.roblox.com/docs?useConsolidatedPage=true

It’s a real shame if the only way around this is to set up your own proxy or trust someone else’s proxy and have to do external calls instead of being able to use the API Roblox created specifically to rely on for Premium features. Hopefully just a short term solution.

1 Like

Doing some reading and it looks like this should have been fixed?

@ConvexHero I see the “Certain properties of the player that were spoofable are no longer spoofable.” is still pending. Does that address this issue, and when will it be turned on?

2 Likes

This sucks, but don’t think anyone will be stupid enough to use this as it could be stealing your personal info. Well, unless you’re a young kid.

Hey so:
Reading up about it: Here
Says that it’s not replicated over client boundaries.

Therefore the RoBeats game must check in the client?

This is an HTTP-level exploit; it has nothing to do with property replication inside the game. Also, don’t rely on the devhub to correctly reflect actual behaviour. A clientside check would be much easier to bypass than doing this.

2 Likes

This has been reported already and been fixed.

Original report: Clients Able to Fake AccountAge and MembershipType on the Server
Release notes: Release Notes for 440


Please do not post reproduction steps for exploits publicly.

3 Likes

Just an FYI to anyone reading: this is NOT yet fixed (and still exploitable).

And also: Hitting the web API for checking membership ( https://premiumfeatures.roblox.com/v1/users/21735007/validate-membership ) requires dealing with a Roblox cookie verification and is heavily throttled (seemed like around 15 requests every 10 seconds). Very unfortunate!
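
The out-of-band check discussed in this thread, as an added example that is not code from any poster or from Roblox: a verifier for your own proxy that caches results, stays inside the roughly 15 requests per 10 seconds observed above, and fails closed when it cannot verify. Assumptions: `fetch` is a hypothetical callable that performs the authenticated GET against the validate-membership endpoint and returns a boolean, and the 300-second cache lifetime is an arbitrary choice.

```python
import time
from collections import deque

# Endpoint quoted in the thread; the user id is substituted per request.
VALIDATE_URL = "https://premiumfeatures.roblox.com/v1/users/{user_id}/validate-membership"

class MembershipVerifier:
    """Out-of-band premium check for a proxy that the game server queries.

    fetch(user_id) -> bool is a hypothetical callable doing the authenticated
    GET against VALIDATE_URL; it is injected so the caching and throttling
    logic can be exercised offline.
    """

    def __init__(self, fetch, max_calls=15, window=10.0, ttl=300.0, clock=time.monotonic):
        self.fetch, self.clock = fetch, clock
        self.max_calls, self.window, self.ttl = max_calls, window, ttl
        self.calls = deque()   # timestamps of upstream requests inside the window
        self.cache = {}        # user_id -> (is_premium, expires_at)

    def _budget_left(self, now):
        # Drop timestamps that have aged out of the sliding window.
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()
        return len(self.calls) < self.max_calls

    def is_premium(self, user_id):
        """Return True/False when verified, None when it cannot be verified now."""
        if not isinstance(user_id, int) or user_id <= 0:
            raise ValueError("user_id must be a positive integer")
        now = self.clock()
        hit = self.cache.get(user_id)
        if hit and hit[1] > now:
            return hit[0]
        if not self._budget_left(now):
            return None        # throttled: caller withholds benefits and retries later
        self.calls.append(now) # failed attempts also count against the budget
        try:
            result = bool(self.fetch(user_id))
        except Exception:
            return None        # upstream error: fail closed, do not cache
        self.cache[user_id] = (result, now + self.ttl)
        return result

def grant_benefits(verifier, user_id):
    """Fail closed: only an explicit True from the web API unlocks benefits."""
    return verifier.is_premium(user_id) is True
```

The game server would call the proxy on join and treat a `None` result as "not premium yet", retrying once the window has cleared.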

Just out of my own curiosity, does this affect Premium Payouts? Because if so then this really needs fixed ASAP.