Introducing Account Session Protection

Ackchyually it really depends on how this malicious extension works. I’ve taken a look at a malicious extension recently and it would not send your cookie, just make requests on your behalf while you have it installed. Most extensions probably do this anyway, considering cookies are region based now. If it asks you to bookmark a link then they don’t have access to most of your cookies (including the ROBLOSECURITY cookie), meaning this will most likely not patch these kinds of attacks.

Those types of attacks cannot be prevented; the only way is to require a password or 2FA to do those actions, which would just make for a bad user experience.

I totally agree, but Roblox should probably add some kind of user security option like a PIN for each purchase or 2FA. AFAIK 2FA for purchases is currently implemented but doesn’t seem to trigger for less than 100K Robux being spent.

Great addition for security, but Roblox players are being scammed again.

For example, you received a game invitation from someone and they want you to join.
When you click “Join” you will join another game and they will get your Roblox account data.

On 12/21/2023 I received a notification and I don’t know who sent this to me, but it says “koob85 gifted you Violet Valkyrie in the Catalog Avatar Creator”. I clicked on the join button and it was joining another game, not the catalog. I knew my account data was compromised, but I already changed my PIN and password and contacted Roblox Support. It is also not possible for someone to gift a valuable item to a player. Also, when I pressed the Join button, it was looking for an available server, so I didn’t fully join. But I still changed my PIN and password.

I can show you the game I was joining if you want.
Let’s just say Roblox game invites can be malicious.

Thank you for the warning. Many will not be the wiser.

No problem. If you receive a notification like this, please don’t join, and block it. :smiley:

I highly doubt it gets your information; rather, it probably does what that infamous crossroads game did.

It wasn’t the crossroads game, but I couldn’t find the person who made the malicious game.
But there were a lot of numbers and a few words in the name of the game, and I saw a skull in the background.

Owner of the game is: donrules (I mean I couldn’t find their profile or group. This is strange.)

Well here’s the profile (quite easy to find honestly), and what makes you think it’s a “malicious” game that steals someone’s data?

This account hasn’t been active for years but it’s weird…
Or if this account is active sometimes, I’m wrong, because it wasn’t updated the last time it was online.
This could be them; they probably hid the game.

On Discord, I was talking with Catalog Avatar Creator members; they said “block it” and “do not join”.

Let’s just say they made this game to steal accounts, and after you get the notification you don’t know who sent it and they want you to join the game, and it is not even possible for a rich player to gift a valuable item to ANOTHER player.

Apologies for not replying sooner. The APIs which are being restricted on January 15th do not affect RoPro for the most part, however one which does affect us is the “POST v1/trades/{tradeId}/decline” API. The RoPro extension uses the trade decline API for a number of features which help make trading easier for our users:

  • Decline or cancel trade from within trade notifications
  • Automatically cancel missent outbound trades
  • Decline low value inbound trades

I think disabling the other trade related APIs is a great decision, as these have historically only been used for malicious purposes. However, the decline trade API is limited in scope regarding the damage it can do within a malicious extension, and it provides significant value for our users every day to make trading on Roblox more fun.

I ask for the trade decline API to remain accessible to extensions. The upcoming RoPro update, v2.0, adds OAuth integration via Open Cloud which will allow authentication for this API and others via OAuth2 tokens, so this will not be a concern once we finally get the update out (assuming this API is added to the list of supported Open Cloud APIs).

The act of joining a game cannot give someone your password or any other information to break into an account. Pls don’t scare people like this.

Either you aren’t telling us something or you got compromised through other means.

Do you want to see the game I was joining?

No, I’m okay. I’d rather not have people get their accounts compromised. (If what you say is true)

Thank you! We reviewed it internally and decided that we will refrain from enforcing Account Session Protection for now until it’s supported on OpenCloud.
Thanks again for the prompt feedback!

W update ngl, expected this for awhile. Same goes for other platforms out there.

so… is this getting enabled td?

I’m really glad that this is finally being worked on, but as of today (01-23-2024) it seems like I can still get into my alt account using the cookie. Yes, I’m using two different computers, and I’ve even gotten my friend to get into the account without me ever being logged onto his PC. Is this still in the works or should it be working right now?

It is still not enabled for some reason.

Hi Developers! In the spirit of transparency, we want to provide you with an update on our timeline for enforcing Account Session Protection on the Roblox domains listed below. We now expect to roll out by the end of June 2024 at the latest.

As our team at Roblox got to work on this enforcement, we came across some technical questions that required more in-depth discussions. We always work to put out the best solutions in place, and this one is taking a little bit longer than we expected.

We appreciate your patience and will provide you with further updates over the coming months!
