Guests still exist

Oh boy I wonder how many security issues this leaves open

I know at one point for some half-finished game I gave negative UserIds admin power so I could test stuff in Studio. Yikes :grimacing:

7 Likes

Here’s a video repro (timestamped to 5:17)

3 Likes

I always do things like checking if the UserId is greater than 0 before saving data and definitely before giving admin commands.

1 Like
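The check described in the post above, together with the negative-UserId admin shortcut mentioned earlier in the thread, as an added example that is not code from any poster or from Roblox. It assumes a server Script in a published place; `ADMIN_USER_IDS`, the account ID in it, the `PlayerSaves` store name and the `IsAdmin` attribute are hypothetical.

```lua
-- Added example: server Script (e.g. in ServerScriptService). Names are hypothetical.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")
local DataStoreService = game:GetService("DataStoreService")

local ADMIN_USER_IDS = { [123456] = true } -- constructed placeholder account ID
local saveStore = DataStoreService:GetDataStore("PlayerSaves") -- assumes a published place

-- Real accounts have positive UserIds; guests and Studio test players do not.
local function isRealAccount(player)
	return player.UserId > 0
end

-- "Before": any negative UserId is treated as admin for testing,
-- so a guest joining a live server passes this check too.
local function isAdminVulnerable(player)
	return player.UserId < 0 or ADMIN_USER_IDS[player.UserId] == true
end

-- "After": the test shortcut applies only inside Studio; live servers
-- require a positive UserId that is on the explicit allowlist.
local function isAdmin(player)
	if RunService:IsStudio() then
		return true
	end
	return isRealAccount(player) and ADMIN_USER_IDS[player.UserId] == true
end

-- Skip persistence for non-account IDs so no DataStore key is written for a guest.
local function savePlayerData(player, data)
	if not isRealAccount(player) then
		return false
	end
	local ok, err = pcall(function()
		saveStore:SetAsync("user_" .. player.UserId, data)
	end)
	if not ok then
		warn("Save failed for", player.UserId, err)
	end
	return ok
end

Players.PlayerAdded:Connect(function(player)
	-- Decide once on the server; command handlers read this attribute.
	player:SetAttribute("IsAdmin", isAdmin(player))
end)
```

`isAdminVulnerable` is kept only for comparison with `isAdmin` and is never called.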

Going to bump this as someone pointed out a batch script that can let you join any game with any guest ID. You can just create a shortcut of Roblox with this:

%localappdata%\Roblox\Versions\version-9e01866eaf04431b\RobloxPlayerBeta.exe --play -j https://assetgame.roblox.com/game/PlaceLauncher.ashx?request=RequestGame&placeId=1416690850&userId=-1 -a https://www.roblox.com/Login/Negotiate.ashx -t Guest%3A-1337

In a nutshell:

  • Looks for game exe
  • Attempts to play and join with the game id (currently set to a small test place)
  • Gives the authentication url to join as userid=-1
  • Gets authentication url for Guest

19 Likes

Unsure if this specific exploit has been patched, but I didn’t want to create another report. As of now, guests still are joining games and it seems to be breaking some games since most games no longer offer guest support since guests were supposed to have been removed months ago.

This exploit needs to be fixed urgently before it continues to spread and do more damage.

1 Like

This is not a bug - it is still possible for players on some old clients to join games as guests. I would advise leaving around code which handles guests until that original thread is updated to say that guests have been entirely removed.

10 Likes

Will we get moderated, as previously occurred, if we ban guests?
There seems to be a way to exploit certain admin command scripts by use of a Guest account.

6 Likes

I know for a fact Phantom Forces does it.

I can imagine that there’s a lot of stuff that relies on there being guests in the internals of ROBLOX, so it wasn’t as easy to remove as they thought.

3 Likes

This is a reminder that new clients can still get guests to run with the current client. Here is a picture of me as Guest 1337 getting the winning kill in Brickbattle Blast.

4 Likes

I feel like Roblox should bring back Guests, mainly so new players aren’t forced to make an account they might not come back to if they don’t find Roblox to be enjoyable.

I feel a solution that could work out for everyone is to have it so you can play as a guest up to 90 days after first coming onto the website; after that time you’re forced to make an account, otherwise you can’t play on Roblox anymore.

2 Likes

That solution doesn’t help anybody. Developers hate guests because it means exploiters can join games faster, we have to write special edge cases for guests everywhere so that data saving isn’t wasted on them, they’re useless in terms of data analysis, etc.

5 Likes

Looks like the back end for getting guest session cookies was either moved or removed. “https://www.roblox.com/Login/Negotiate.ashx” is now returning an error message, and I can’t enter games now with what I posted before.

4 Likes

Hopefully, guests have now been fully removed. Now we just need confirmation from a staff member.

They’re not, I’ve seen several still in games. It’s been 10 months.

2 Likes

I don’t know how guests are given IDs. However, if it’s sequential, I logged in ~30m ago at ~11PM PST and my ID was Guest ~3000. If so, there’s a lot of work to do.

Guests still exist for me and it doesn’t even require me to do any glitches; all I have to do is open Safari and play a game.
I literally don’t even have to do anything else.

8 Likes

Does this still happen when you clear your cache for Roblox on Safari? Curious if the JavaScript is caching.

I’ll check in a couple of hours. I’m not exactly sure how to clear the cache though, so could you tell me so I can figure it out when I get back?

1 Like

I don’t use Safari, so this may or may not work.

1 Like

That seems to have done the trick.

1 Like