I’d like to start off by saying never go to any suspicious sites or sketchy links. And certainly never ever ever go into a web console to give a user a file.
I was on Roblox browsing my friend request, noticed an account with a fairly high follower account.
I accepted the friend request because why not! I was then greeted with what seemed to be a very quick copy paste message (I do not have any screenshots because they unfriended me.) something along the lines of “Hi i noticed your avatar and would love to make art of it!” Blah blah blah.
SO as cool as an offer that sounds i said why not! Cause who wouldn’t like to see free art of their avatar. The user then said they needed like a proper color pallet? I’m not sure i don’t really get it but its a scam regardless. They then tell you to go to a link on their profile redirecting you to youtube. They then tell you to watch a tutorial on how to send this specific file which is a big no no! Thats when the red alerts popped into my head. Big warning flags. (Example this is what i got, but you might get something else.)
After i mentioned my suspicion to the user, something like “I’m not too comfortable visiting websites im unfamiliar with” they then unfriended me at the speed of light. Biggest red flag in existence.
DO not go to any of these, do not send files. Now you may be saying well yea don’t send files its quite obvious to be cautious. I’m making this post for people who might not spot these as well. I just wanna shed some light onto this (Not sure if this has already been talked about.) If you have any friends please just warn them not to send any files from chrome, or any web console like inspect element.
I’d also like to add on they could use different methods like discord for example, this is just what i got in my case. I filed a report on roblox against this user and hopefully action will be taken.
For the scam method in question, it essentially navigates you to the Network tab in Chrome Developer Tools (which is a major red flag if you are not familiar with it) and then have you copy a Windows Powershell command string of one of the network requests (see below) to send to the scam site.
The reason the DevTools (short for Chrome Developer Tools, aka. Inspect Element) Network tab is a red flag is because the intended purpose of copying a request from the Network tab is to let you be able to simulate that exact network request anywhere - which means whatever you copy is a carbon copy of the request roblox.com made, including HTTP request headers and cookies. It’s common knowledge that cookies hold the infamous .ROBLOSECURITY cookie, which stores the session of your current logged-in user. If this session is stolen, it can easily be dropped in to gain control of an account.
The Powershell command that is copied from the DevTools
Disclaimer: This was done on an alternate account and I heavily advise against copying anything from the DevTools and/or sending the contents to anyone unless you understand the implications. I’ve blurred any sensitive information and values I do not recognize in this particular screenshot.
As you can see, the .ROBLOSECURITY cookie is included (as expected) and all that sketchy website has to do is some clever string manipulation to extract the cookie value and (most likely) send it to a Discord server via webhook where the creator of this scam can exploit these stolen cookies.
Their claim to need some sort of input from you to obtain your avatar’s look is the very first red flag. All they need is your UserId which is as simple as finding your Roblox profile. The player’s UserId is publicly available within the url of their profile page (the numbers after “users/”). After obtaining this number, simply paste a small amount of code within the command bar and voila, here’s your current Roblox avatar in Studio:
Here's the code
local rig = workspace.Rig
local newHumanoidDescription = game:GetService("Players"):GetHumanoidDescriptionFromUserId(id)
rig.Humanoid:ApplyDescription(newHumanoidDescription)
I’ve used this method from time to time to test things with wildy different avatars. For example, here’s an avatar I snagged from someone to test invisible heads, hats, and legs that don’t fully extend to the ground:
[Side Note]
You can also piece together an avatar by loading the individual asset id’s. Here are your new legs in Studio:
