Groups can use homoglyph Unicode characters to copy group names

Using Unicode to copy group names

Recently, many games have been impersonating popular users on Roblox to trick users into thinking they’re actually visiting a legitimate game. They do this by using Unicode homoglyphs to make the fraudulent group names look exactly like what they’re copying.

These characters are almost indistinguishable from the original group/user on the game page on the website, mobile app and desktop app.

This wouldn’t be as much of a problem with display names, as players know they can be copied, but as a group name is unique, victims are tricked into thinking the group is legitimate. Some of the groups using this method have hundreds of thousands of members.

Malicious Use

One example of a victim is haz3mn, the creator of Pls Donate:

Group	Name	Unicode used	Locked
https://www.roblox.com/groups/34256955/haz3mn#!/about	haz3mnᅠᅠ	HANGUL JUNGSEONG FILLER at end of name
https://www.roblox.com/groups/34256960/Haz3m#!/about	Haz3mᅠᅠ	HANGUL JUNGSEONG FILLER at end of name
https://www.roblox.com/groups/33143812/az3mn#!/about	һaz3mn	CYRILLIC SMALL LETTER SHHA replacing the H
https://www.roblox.com/groups/33143771/azem#!/about	һazem	CYRILLIC SMALL LETTER SHHA replacing the H
https://www.roblox.com/groups/33966341/h-zemn#!/about	hаzemn	CYRILLIC SMALL LETTER A replacing A
https://www.roblox.com/groups/33086123/h-z3m#!/about	hαz3m	GREEK SMALL LETTER ALPHA replacing a
https://www.roblox.com/groups/33885496/h-z3mn#!/about	häz3mn	DIAERESIS added to the a character

Also note that all of these groups are hosting “Dice” games that pretend to give away Robux.

Other examples of Unicode use

Not sure if all of these groups are intended to be used maliciously, but they are still impersonating.

• Scriptbloxiаn Studios - Roblox
• Uplift Gаmes - Roblox
• Rօblοx - Roblox
• Dа Hооd Еntеrtаinmеnt - Roblox
• Bаdimо - Roblox
• haz3мn - Roblox

Steps to replicate:

1. Go to the Groups page.
2. Find a Unicode character that isn’t moderated, and add it after or within the name.
3. Create the group.

I have been able to replicate this easily with Cyrillic characters, with the group names passing moderation and duplicate checks.
An example group I created would be Dress To Impress Grоup - Roblox. I simply replaced the o in Group with a CYRILLIC SMALL LETTER O.

How would this be fixed?

This is a tricky problem to fix, as hundreds of groups legitimately use Cyrillic characters and other Unicode to make their name appear “pretty”. One possible solutions is checking all new generated groups for homoglyphs, or “confusables”, using a Unicode list, but I understand that adding a feature to the codebase is easier said than done.

This isn’t really a bug, it’s intended behavior to allow unicode characters in group names - should probably be a feature request.

I believe that the intended behavior of the duplicate group checks should not allow visibly identical names. this post has also been through the approval process.

The intended behaviour isn’t to copy group names. Unicode characters should continue to be supported for localised text and groups that do copy others to scam should simply be moderated.

that is why the verification badge was made

aand the bots? Did you forget that it can be botted??

no bot followers doesnot count

They saldy do, check any dev out with the checkmark most of them gonna have real looking accounts that are bots or even the normal bots.

i agree.

i also agree.

what i am suggesting is obviously not removal of support for unicode characters, that is ridiculous and would not be backwards compatible.

i am simply reporting that the intended behavior for the group name duplicate checks should be to include checking for confusables and stripping unwanted whitespace while checking.

You making a bug report is basically saying that it should be removed because people are copying group names. What you should do is again, report the groups and make a feature request for improved moderation of group names.

not going to keep dragging this, final message, but the intended behavior is not this.

the intended behavior of the check for group name duplicates is to find all matching group names, which should include unicode confusables.

this is reporting that the group name duplicate check is not working as intended.