Exploit in Studio that allows players to steal Bundles/Characters

About 2 weeks ago, when importing my bundle to test & refine before uploading it to the marketplace, I stumbled upon a bug/exploit with Avatar Setup’s “Auto Set-up” that allows anyone to basically steal a bundle someone else has made (or probably even special time-limited bundles like Headless Horseman).
This is a bundle from the Rig Builder in Studio. “Rthro Masculine”. Left is the Rig spawned by Rig Builder, Right is the one made by Auto Set-up.


This is a bundle made by @vhaega; as you can see, I am able to upload it to the marketplace.

The reproduction steps are simple, however I shared them in the private content for staff to see as I believe publicizing these steps will lead to people rapidly uploading stolen bundles.

This issue is because the meshes are uploaded to your account during the setup process, which allows you to basically upload them. And since auto set-up works very well, the user doesn’t have to do anything except upload the bundle to UGC.

Expected behavior

When using auto set-up, if the meshes of the bundle are not in the user’s inventory, they should not be able to use the auto set-up feature.

A private message is associated with this bug report

2 Likes

Importing items such as accessories and bundles from the marketplace to the studio is a known and legitimate feature that can be achieved with a single line of code using a service provided by Roblox.

Every day, many people steal assets from other creators and re-upload them as their own on the marketplace. This is a significant issue for the marketplace since it was opened for all creators a year ago.

3 Likes

There’s really nothing we can do.

It’s more of a feature. I know that some devs like taking stuff off the catalog to create their own characters for their games, so restricting users from doing that just because of a few bad apples kinda sucks.

Only thing we can count on is that moderation detects these reuploads and takes them down.

1 Like

You can already do that! The bundles made by other players can be used in games by developers, the auto set-up feature is just a one-click setup if you’ve made a bundle but you don’t want to go through the rigging, weight painting and caging process. I don’t see why you’d use this feature to make a game if you’re hypothetically going to use a pre-made bundle from the marketplace as it’s already set up for you to use.

1 Like