Introducing Account Session Protection

Well here’s the profile (quite easy to find honestly), and what makes you think it’s a “malicious” game that steals someone’s data?

This account hasn’t been active for years, but it’s weird…
Or, if this account is active sometimes, I’m wrong because it wasn’t updated the last time it was online.
This could be them; they probably hid the game.

On Discord, I was talking with Catalog Avatar Creator members; they said “block it” and “do not join”.

Let’s just say they made this game to steal accounts. After you get the notification you don’t know who sent it, and they want you to join the game; it is not even possible for a rich player to gift a valuable item to ANOTHER player.

Apologies for not replying sooner. The APIs which are being restricted on January 15th do not affect RoPro for the most part; however, one which does affect us is the “POST v1/trades/{tradeId}/decline” API. The RoPro extension uses the trade decline API for a number of features which help make trading easier for our users:

  • Decline or cancel trade from within trade notifications
  • Automatically cancel missent outbound trades
  • Decline low value inbound trades

I think disabling the other trade-related APIs is a great decision, as these have historically only been used for malicious purposes. However, the decline trade API is limited in scope regarding the damage it can do within a malicious extension, and it provides significant value for our users every day to make trading on Roblox more fun.

I ask for the trade decline API to remain accessible to extensions. The upcoming RoPro update, v2.0, adds OAuth integration via Open Cloud which will allow authentication for this API and others via OAuth2 tokens, so this will not be a concern once we finally get the update out (assuming this API is added to the list of supported Open Cloud APIs).


The act of joining a game cannot give someone your password or any other information to break into an account. Please don’t scare people like this.

Either you aren’t telling us something or you got compromised through other means.


Do you want to see the game I was joining?

No, I’m okay. I’d rather not have people get their accounts compromised. (If what you say is true)

Thank you! We reviewed it internally and decided that we will refrain from enforcing Account Session Protection for now until it’s supported on OpenCloud.
Thanks again for the prompt feedback!


W update ngl, expected this for a while. Same goes for other platforms out there.

so… is this getting enabled td?

I’m really glad that this is finally being worked on, but as of today (01-23-2024) it seems like I can still get into my alt account using the cookie. Yes, I’m using two different computers, and I’ve even gotten my friend to get into the account without me ever being logged onto his PC. Is this still in the works, or should it be working right now?

It is still not enabled for some reason.


Hi Developers! In the spirit of transparency, we want to provide you with an update on our timeline for enforcing Account Session Protection on the Roblox domains listed below. We now expect to roll out by the end of June 2024 at the latest.

As our team at Roblox got to work on this enforcement, we came across some technical questions that required more in-depth discussions. We always work to put the best solutions in place, and this one is taking a little bit longer than we expected.

We appreciate your patience and will provide you with further updates over the coming months!


Is there any reason why it hasn’t been enforced as of yet?

Yeah, that seems like a big problem. I’ve seen people daily on Discord and other social media platforms trying to beam people using phish links; Roblox needs to roll that out immediately, or else there will be a bunch of problems with beaming sites.

Is there any news about a new potential release date? As mentioned before, the demand is very high due to increasing numbers of people getting beamed.


I’ve been trying to use my ROBLOSECURITY for my Python bot. However, I cannot use it. It’ll just change my ROBLOSECURITY as soon as I try to use it on an external server. I have Account Session Protection turned off for the account that I’m trying to use my program on.

Are you getting the X-CSRF token?

Yes, I am. The code works perfectly fine but the ROBLOSECURITY token resets when it’s put on an external host like SparkedHost.

The IP that it’s using could be out of your region, causing the cookie to invalidate.
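The behaviour discussed in the last few posts (a session cookie that keeps working from the same region but is invalidated once presented from elsewhere, a CSRF token that is needed on top of the cookie for state-changing calls, and an account with protection turned off whose cookie is not region-bound) can be modelled with a small server-side session store. The block below is an added illustration written for this thread, not Roblox’s implementation or any RoPro code; the region table, the IP addresses (documentation ranges), and the class and method names are constructed for the example.

```python
"""Model of region-bound session cookies and per-session CSRF tokens.

Added illustration, not Roblox's code. It models what the thread describes:
a protected session cookie stops working when presented from a different
region, while an unprotected account's cookie keeps working anywhere.
The region table and all addresses below are constructed test data.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed lookup table using documentation prefixes (not real geolocation data).
REGION_PREFIXES = {
    "203.0.113.0/24": "region-A",
    "198.51.100.0/24": "region-B",
    "192.0.2.0/24": "region-C",
}


def region_for(client_ip: str) -> str:
    """Map a client IP to a coarse region label; unlisted prefixes get 'unknown'."""
    addr = ipaddress.ip_address(client_ip)
    for prefix, region in REGION_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return region
    return "unknown"


@dataclass
class Session:
    user: str
    region: str          # region seen at login; a protected cookie is bound to it
    protected: bool      # False models an account with session protection turned off
    csrf: str = field(default_factory=lambda: secrets.token_hex(16))
    revoked: bool = False


class SessionStore:
    """Server-side session table keyed by a digest of the cookie value."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.audit: List[str] = []  # revocation events a defender would want logged

    @staticmethod
    def _key(cookie: str) -> str:
        # Only a digest is stored, so a leaked session table does not leak live cookies.
        return hashlib.sha256(cookie.encode()).hexdigest()

    def login(self, user: str, client_ip: str, protected: bool = True) -> str:
        cookie = secrets.token_urlsafe(32)
        self._sessions[self._key(cookie)] = Session(user, region_for(client_ip), protected)
        return cookie

    def authenticate(self, cookie: str, client_ip: str) -> Optional[str]:
        """Return the user for a valid cookie, or None; revoke on a region mismatch."""
        session = self._sessions.get(self._key(cookie))
        if session is None or session.revoked:
            return None
        seen = region_for(client_ip)
        if session.protected and seen != session.region:
            session.revoked = True  # the cookie "resets": dead from every region from now on
            self.audit.append(
                f"revoked session of {session.user}: bound to {session.region}, used from {seen}"
            )
            return None
        return session.user

    def csrf_token(self, cookie: str, client_ip: str) -> Optional[str]:
        """Hand out the per-session CSRF token only to an authenticated caller."""
        if self.authenticate(cookie, client_ip) is None:
            return None
        return self._sessions[self._key(cookie)].csrf

    def authorize_mutation(self, cookie: str, client_ip: str, csrf_header: str) -> bool:
        """A state-changing call (declining a trade, say) needs the cookie AND a matching CSRF header."""
        if self.authenticate(cookie, client_ip) is None:
            return False
        expected = self._sessions[self._key(cookie)].csrf
        return hmac.compare_digest(expected, csrf_header)


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.login("alice", "203.0.113.5")
    print(store.authenticate(cookie, "203.0.113.77"))  # alice: same region
    print(store.authenticate(cookie, "198.51.100.7"))  # None: other region, session revoked
    print(store.authenticate(cookie, "203.0.113.5"))   # None: revoked even from the home region
    print(store.audit)
```

Two design points worth noting: revocation is one-way, so a single out-of-region use kills the session everywhere (which matches the “token resets” symptom described above), and the audit list is the hook where a real service would emit the event to its detection pipeline. A coarse region check is deliberately weaker than binding to an exact IP, which would break mobile and carrier-NAT users; how fine the binding should be is a product decision this model leaves as a parameter of `region_for`.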

You can add a passkey in your Settings. Passkeys use the same technology under the hood as security keys, and you can use a passkey to log in instead of a password.