If you're using a 3rd party web hook for discord, stop!

So let me explain: Roblox doesn’t allow you to send messages to Discord, so people use someone’s website with a secret backdoor.

My game got a backdoor attack because I used the Discord web hook hyra.io not the real website it shows up as a link though. It’s not resolved, but it could’ve been a much bigger problem if I didn’t get onto it as quickly.

I actually found out that they were insecure even before the backdoor showed up, and it’s because they didn’t explain that they’re secure. On their website, it says it’s fast, efficient, and easy to use, although there’s nothing saying they’re secure. That got an eyebrow raise. But after reading through their website over and over, I realized I can check something they use called Argo Tunnel. I looked it up, and went onto their website. I noticed it was secure with the locked icon, but then I saw no spaces after periods. I then realized, I have fallen into a trap.

My game went into the darkest time it has ever been in, having an average of 600-800 players then going down to 200 after a shutdown, a game breaking glitch, and a backdoor. It’s going back up now, but I got lucky.

DO THIS INSTEAD

Make your own website web hook! It’s quite easy I guess, although I’ve never made one. There’s tutorials for it though.

3 Likes

If you need a website you could use rbx domains (it's totally free btw)

1 Like

Sending a request by HttpService doesn’t allow a backdoor into your game. Sending a PostAsync doesn’t give the website access to your game or environment.

hyra.io is not a backdoor and is a very useful tool to use webhooking.

There’s something else in your game creating the backdoor. HttpService:PostAsync() will never create a backdoor

6 Likes

It just started after I added the :PostAsync though

Here is an easy way to create a 3rd party website which handles the webhook:

dependencies:

```sh
npm i express
npm i node-fetch@2.6.1
```

index.js

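```js
const fetch = require("node-fetch")
const express = require("express")
const expressApp = express()

// Parse JSON request bodies so req.body is populated
expressApp.use(express.json())

expressApp.post("/postWebhook/", (req, res) => {
   // Node lowercases incoming header names, so "webhookId" arrives as "webhookid".
   // The value is expected to be the "<id>/<token>" part of the Discord webhook URL.
   const webhookId = req.headers.webhookid
   const message = req.body && req.body.content
   if (webhookId && message) {
      const constructedWebhookId = `https://discord.com/api/webhooks/${webhookId}/`
      fetch(constructedWebhookId, {
         method: "POST",
         headers: {
            "Content-Type": "application/json",
         },
         // Discord expects the message text in a "content" field
         body: JSON.stringify({ content: message })
      })
      .then(() => { res.send("success") })
      .catch((err) => {
         console.log("err: " + err)
         res.send("err: " + err)
      })
   } else {
      res.send("empty webhookid or message")
   }
})
expressApp.listen(8080, () => {
   console.log("ready")
})
```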

how the api works:
send a request like this:

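```lua
local httpService = game:GetService("HttpService")

httpService:RequestAsync(
   {
      -- HttpService needs a full URL including the scheme
      Url = "https://ursite.com/postWebhook/",
      Method = "POST",
      Headers = {
         ["Content-Type"] = "application/json",
         webhookId = "urwebhookid"
      },
      -- RequestAsync sends data through Body, encoded as JSON
      Body = httpService:JSONEncode({
         content = "WHATEVERUWANT!!"
      })
   }
)
```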

codes are untested but feel free to edit/use it.

Be careful with the ratelimit though, if you spam your api your server will be blacklisted and you will either have to find another one or buy another one.

Doesn’t mean it’s the root cause, check your plugins and search “script” in the explorer and delete any suspicious looking scripts.

Use
Ro-Defender™ Plugin v8.7 - Roblox

It searches your games for any backdoors and secures your place.

3 Likes

I did check, and one did have an HTTP request. It was the fbx importer, which should be secure, but ya never know

Keep in mind that you may want to make the proxy rotating if there is a large amount of requests being forwarded to discord at the point of reaching the rate limit

Or you can use a secured third party alternative like FitProxy :wink:

2 Likes

The reason you shouldn’t be using a third-party proxy is because you don’t know they’re not storing your credentials (or if you’re in Studio, your IP address).

You wouldn’t give a stranger the keys to your house, and that’s what you’re doing by using a third party proxy service like this.

Requests through HttpService will not create a backdoor into your game—You’ve most likely inserted a malicious plugin or model.

Using third party proxies is always at your own risk. If you can’t trust the proxy you’re using, host your own. They’re relatively straightforward to set up.

2 Likes

You can add some api key in some env and just make sure you never hit it and it also counters if someone finds your URL.
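
The API-key idea in the last post, combined with the earlier point about not handing webhook credentials to someone else, as an added example that is not code from any poster in this thread: the request check a self-hosted proxy can run before forwarding anything to Discord. The header name `x-api-key`, the variable names `PROXY_API_KEY` and `DISCORD_WEBHOOK_URL`, and the function names are assumptions; the webhook URL stays in the server's environment instead of being sent from the game.

```javascript
const crypto = require("crypto")

// Constant-time comparison, so the key cannot be recovered byte by byte from
// response timing. Hashing first gives both buffers the same length.
function keysMatch(supplied, expected) {
   const a = crypto.createHash("sha256").update(String(supplied)).digest()
   const b = crypto.createHash("sha256").update(String(expected)).digest()
   return crypto.timingSafeEqual(a, b)
}

// Decide what to do with one incoming request. `env` stands in for process.env;
// PROXY_API_KEY and DISCORD_WEBHOOK_URL are assumed variable names.
function checkRequest(headers, body, env) {
   if (!env.PROXY_API_KEY || !env.DISCORD_WEBHOOK_URL) {
      return { status: 500, error: "proxy not configured" }
   }
   const supplied = headers["x-api-key"] // assumed header name
   if (!supplied || !keysMatch(supplied, env.PROXY_API_KEY)) {
      return { status: 401, error: "bad api key" }
   }
   const content = body && body.content
   // Discord rejects message content longer than 2000 characters
   if (typeof content !== "string" || content.length === 0 || content.length > 2000) {
      return { status: 400, error: "content must be 1-2000 characters" }
   }
   // Forward only the text, with mention parsing switched off so text coming
   // from the game cannot ping @everyone.
   return {
      status: 200,
      forwardTo: env.DISCORD_WEBHOOK_URL,
      payload: { content, allowed_mentions: { parse: [] } },
   }
}

// Constructed sample values, for illustration only.
const sampleEnv = {
   PROXY_API_KEY: "example-key-not-real",
   DISCORD_WEBHOOK_URL: "https://discord.com/api/webhooks/<id>/<token>",
}
console.log(checkRequest({ "x-api-key": "wrong" }, { content: "hi" }, sampleEnv))
console.log(checkRequest({ "x-api-key": "example-key-not-real" }, { content: "hi" }, sampleEnv))
```

In an Express route, the handler would call `checkRequest(req.headers, req.body, process.env)` and only POST `payload` to `forwardTo` when the status is 200.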