Gamepasses are now spoofable via regional pricing

When users sell their own game passes in our experience Clip It they can use regional pricing to completely bypass all of our exploit checks. This allows for malicious users to completely bypass any checks against pricing changes for donation systems.

We check against https://apis.roblox.com/game-passes/v1/game-passes/{asset-id}/product-info to confirm users have not updated or changed the pricing of a game pass when it is purchased.

The current workaround is using https://apis.roblox.com/game-passes/v1/game-passes/{asset-id}/details and checking if it has a ‘RegionalPricing’ flag in the ‘enabledFeatures’ array, and ignoring gamepasses that have this attribute.

Expected behavior

Roblox APIs should return the accurate value, or allow for developers to predictably determine what users actually pay for game passes.

A private message is associated with this bug report

3 Likes
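The workaround described in the report above, as an added example that is not part of the original post and is not Clip It's code. It works on already-decoded JSON from the two endpoints; the `PriceInRobux` field name, the function names and the sample payloads are assumptions, and a pass is rejected when `enabledFeatures` is missing so an unexpected response fails closed.

```python
import json

REGIONAL_PRICING = "RegionalPricing"  # flag value named in the report


def has_regional_pricing(details):
    """True when the /details payload lists RegionalPricing, or when the
    feature list is missing or malformed (unknown is treated as untrusted)."""
    features = details.get("enabledFeatures")
    if not isinstance(features, list):
        return True
    wanted = REGIONAL_PRICING.lower()
    return any(isinstance(f, str) and f.lower() == wanted for f in features)


def accept_pass(expected_price, product_info, details):
    """Decide whether a user-owned game pass may be offered for donation.

    expected_price is the price recorded when the pass was listed.
    Returns (accepted, reason).
    """
    if has_regional_pricing(details):
        return False, "regional pricing enabled or undeterminable"
    price = product_info.get("PriceInRobux")  # assumed field name
    if isinstance(price, bool) or not isinstance(price, int) or price <= 0:
        return False, "price missing or not for sale"
    if price != expected_price:
        return False, "price changed since listing"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample responses, not captured from the real API.
    product_info = json.loads('{"PriceInRobux": 100}')
    plain = json.loads('{"enabledFeatures": []}')
    regional = json.loads('{"enabledFeatures": ["RegionalPricing"]}')
    print(accept_pass(100, product_info, plain))
    print(accept_pass(100, product_info, regional))
```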

Thank you for reaching out. Our team is actively looking into this issue.

2 Likes

This was reported 3 other times:

Not sure why this is the one being addressed. I kindly request you go through older bug reports that may have been filed overnight rather than just picking the ones you see at the top of the category to forward to engineers.

The other threads also contain more helpful info.

Super easy to fix, but yes, it's an issue.

1 Like

:white_check_mark: This issue has been fixed!

2 Likes

What is this fix exactly? Does it just not allow passes with regional pricing enabled to be purchased in these games?

A huge thank you to the engineer(s) who worked so quickly to resolve this. Around 9PM EST, the patch was rolled out and we stopped receiving reports of this exploit being abused.

The patch prevents these gamepasses from being purchased in any experience other than the one they are directly associated with.

Much appreciated. :slightly_smiling_face:

1 Like