Exploiters can change what trade the accept button accepts

My friend got scammed badly because of an exploit today. She pressed accept on one trade, but it instead accepted a different trade from a different account. No one else accessed her account during the process and, at first, it seemed like the trade popped up and got auto accepted.

The trade she accepted:

The trade that went through:

The proof that this was an exploit and not just a mistake on her end is that she knows someone who knows who the scammer is and, apparently, she was being targeted by them.

cyan is victim, red is scammer, white is person who knows scammer



I have no details on how the exploit was performed.

Also, this isn’t a substitute for reporting the user, as she already submitted a ticket for that.

Expected behavior

Seeing a trade and pressing accept should only accept that trade. There shouldn’t be any possibility that it could instead accept a different one.

8 Likes

This might be a critical report :fearful:

Given how old the trade system is, it doesn’t surprise me this is possible. Could possibly be sending the user a view of what it looks like versus what it actually looks like in the ID system, which is a crazy concept to think about in sending requests to Roblox servers.

She sees for example Trade Number 1 in pending, but actually accepts Trade Number 2. That’s insane :sob:

2 Likes

People only get 1 rollback per account life, so the fact that this exploit can take advantage of it without it being the user’s fault in account security is endangering if Roblox doesn’t treat the situation well.

3 Likes

If you have substantial detail here you can participate in Roblox’s security bug bounty program over at HackerOne to address this with the security team ASAP. Be sure to follow the requirements.

3 Likes

I’m happy to collaborate on this if you require any help.

I don’t have much more info than what I’ve posted, unfortunately.

I’ll have a look into it and attempt to reproduce within the requirements; I doubt ROBLOX will do much without you being able to give any steps anyhow.

I have some more info. She apparently went on https://trades.roblox.com//docs and did something about an item config there and sent a screenshot, which doesn’t appear to have anything that could be used to access her account, before accepting?


(still blacked out any details in case I’m wrong)
She asked another trader before it and they said it was fine.

3 Likes

From my POV the guy would need the token in order to send POST requests from the individuals account. Did they press on anything outside of ROBLOX? That could be it (token logged), and from there the suspect could control the trade.

1 Like

They did not go offsite besides talking on discord, but they did switch browsers (from chrome to firefox).

Did they open an image by any chance on Discord? Seen a vulnerability there previously.

Possibly? She wasn’t on discord on her browser, though, and didn’t open an image in it.

This API works with an authentication token (probably JWT?), which means the API was used with an authentication bearer that probably belongs to the account of your friend. This is possible by getting the authentication token, probably by social engineering.

Now if your friend executed the request from her browser, it’s as if she accepted the request on the website.

1 Like

Hi,

Unfortunately, this is a known vector of attack. At the top of the docs page is the following warning:

Keep your account safe! Do not send any information from here to anyone or paste any text here.

1 Like

The docs pages are hosted under the roblox.com domain so the authentication cookie is inherited from the main site. Swagger supports request interceptors which auto-generate a CSRF token for the authenticated user before sending POST requests so that you can seamlessly test API endpoints.
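The risk described in the reply above can be checked mechanically. The following is an added example, not code from the thread or from Roblox: it applies the cookie domain-match rule (RFC 6265 section 5.1.3) and the browser's rule for when cookies accompany a request to decide whether an interactive docs page, as configured, can submit requests with the logged-in user's session. `supportedSubmitMethods` and `withCredentials` are real Swagger UI options; every hostname below is constructed for illustration.

```javascript
// Added example, not code from the thread or from Roblox. A session cookie scoped to
// Domain=example.com is sent to any host that "domain-matches" it (RFC 6265 5.1.3),
// so a Swagger "Try it out" request fired from a docs page on that site runs with the
// user's real session, which is the situation the reply above describes.

function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  return h === d || h.endsWith("." + d);
}

// Does the docs page, as configured, let the browser call the API as the logged-in user?
// `supportedSubmitMethods` and `withCredentials` are real Swagger UI options; the rule
// for when browsers attach cookies is modelled here: same-origin requests always carry
// them, cross-origin ones only when credentials are explicitly included.
function docsCanActAsUser(docsUrl, apiBaseUrl, cookieDomain, swaggerConfig = {}) {
  const docs = new URL(docsUrl);
  const api = new URL(apiBaseUrl);
  const tryItOut = !(Array.isArray(swaggerConfig.supportedSubmitMethods) &&
                     swaggerConfig.supportedSubmitMethods.length === 0);
  const cookieReachesApi = domainMatches(api.hostname, cookieDomain);
  const credentialed = docs.origin === api.origin || swaggerConfig.withCredentials === true;
  return tryItOut && cookieReachesApi && credentialed;
}

// Summarise the finding and the fix for a given deployment.
function assessDocsHosting(docsUrl, apiBaseUrl, cookieDomain, swaggerConfig = {}) {
  const risky = docsCanActAsUser(docsUrl, apiBaseUrl, cookieDomain, swaggerConfig);
  return {
    docsHost: new URL(docsUrl).hostname,
    risky,
    recommendation: risky
      ? "serve the docs from a separate site, or set supportedSubmitMethods: [] so the page is read-only"
      : "docs page cannot submit requests with the user's session",
  };
}

// Usage with constructed hostnames: a live console on the API's own origin, the same
// page made read-only, and docs moved to an unrelated site.
const liveConsole = assessDocsHosting(
  "https://api.example.com/docs", "https://api.example.com", ".example.com");
const readOnlyDocs = assessDocsHosting(
  "https://api.example.com/docs", "https://api.example.com", ".example.com",
  { supportedSubmitMethods: [] });
const separateSite = assessDocsHosting(
  "https://docs.example-static.net/docs", "https://api.example.com", ".example.com");
console.log(liveConsole, readOnlyDocs, separateSite);
```

Note that the check treats a request as credentialed whenever docs and API share an origin, regardless of `withCredentials`, because that option only affects cross-origin requests; the two fixes the reply's observation points to are a separate site for the docs or a docs page that cannot submit at all.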

I don’t understand how someone can fake a trade from just a user and item ID, though.