Introducing Account Session Protection

[Update] February 21, 2024


Safety is foundational to everything that we do and this includes ensuring the safety and security of your Roblox account. That’s why we are excited to introduce Account Session Protection, a new feature that will bolster the security of your Roblox accounts.

If you use cookies to develop third party applications for Roblox such as developer automation workflow tools or browser extensions, you may need to opt-out of Account Session Protection in order to preserve your functionality in the short-term (more detail below).

The Problem: Cookie Theft

Accounts can fall victim to compromise as a result of the theft of the “ROBLOSECURITY” cookie. The cookie should never be shared with anyone, as attackers who can access your “ROBLOSECURITY” cookie can potentially gain access to your account without a password and bypassing two step verification checks.

Cookies can be stolen without a user’s permission or even notification through various means, including phishing and browser extensions.

The Solution: Account Session Protection

Account Session Protection is designed to help prevent cookie theft by associating your account’s cookie to your device. With this feature enabled, even if someone has your “ROBLOSECURITY” cookie, they will not be able to access your account elsewhere using that cookie. Starting January 15th, 2024, everyone will have this enabled on selected API endpoints.

How May This Impact You?

While the benefits of Account Session Protection are significant, it may disrupt current developer automation workflows*:

  • If you are a Roblox developer that uses cookies in your workflows, you may need to opt out of the new Account Session Protection feature to maintain your workflows. Please pay attention to the list of APIs that will be impacted, and the migration timelines listed below. Reliance on session cookies for automated workflows will not be supported long-term.
  • If you develop browser extensions for the Roblox ecosystem, this may impact your users. Please pay attention to the list of APIs that will be impacted.

*Note: API Keys and OAUTH2 tokens created through Open Cloud will be unaffected. Open Cloud authentication is designed to be shared between applications securely.

How Do I Opt Out?

  • If you have determined that you need access to some of the endpoints that will not be supported via Open Cloud, we will allow you to opt out of this protection via Creator Hub: Settings → Advanced.

  • If you develop browser extensions, please do not recommend that your users disable this protection. Comment below with your use cases, so we can figure out how to best support you. By asking your users to opt out, please be aware you’re putting your user’s account at greater risk. We do not want to put you in a situation where you have to put your users at risk.

Detailed List of Impacted APIs and Rollout Timeline

We are committed to supporting developers with the highest level of security and least amount of disruption. To make sure you can transition smoothly, we are taking two steps:

  • Step 1: We are starting enforcement on a selected set of API endpoints that have the highest security risks. Developers should not expect to access these endpoints via API in the future.
  • Step 2: Other API endpoints will be unaffected and we are soliciting feedback to inform a gradual roll out of Account Session Protection. We’ll provide a more detailed timeline after gathering feedback from the community.

On January 15th 2024 By the end of June 2024, we will enforce Account Session Protection on the following Roblox domains (Updated on February 21, 2024):

auth.roblox.com

  • Why: We do not want third party browser extensions that users install to take sensitive actions that may pose a huge security risk such as managing credentials, creating new accounts, or modifying two step verification settings.

accountinformation.roblox.com

  • We will not be enforcing the new policy on this entire domain, until we have Open Cloud replacements available for endpoints which you may need access to (for example: Roblox Badges), but we do want to lock down endpoints which could be used to promote account theft, or gain access to personal information. For this domain, we will be locking down all the following endpoints:
    • GET/POST v1/birthdate
    • GET/POST v1/gender
    • GET/POST v1/phone
    • POST v1/phone/delete
    • POST v1/phone/resend
    • POST v1/phone/verify
    • POST/DELETE v1/star-code-affiliates
    • POST v1/email/verify
  • Why: We do not believe browser extensions should be managing personal information on behalf of their users, and we do not plan to provide Open Cloud alternatives for these endpoints.

trades.roblox.com

  • Why: We do not believe that accepting, countering or declining trades on behalf of users, are things that need to be automated. If you have legitimate use cases for these endpoints, please provide us your use cases in the comments (or DM), so we can look into supporting your use case.
  • For this domain, we will be locking down all the following endpoints:
    • POST v1/trades/{tradeId}/accept
    • POST v1/trades/{tradeId}/counter
    • POST v1/trades/{tradeId}/decline
    • POST v1/trades/expire-outdated
    • POST v1/trades/send

billing.roblox.com

  • Why: We do not believe that third party applications should manage payments on behalf of a Roblox user. If you have legitimate user cases for these endpoints, please provide us your use cases in the comments (or DM), so we can look into supporting your use case.
What about the rest of APIs?

We are still formulating plans on the following API endpoints and would love to get your feedback. Please fill out this form with your usage of the following APIs so we can plan to support development workflows via Open Cloud.

We will continue to iterate on Account Session Protection going forward to make Roblox a more safe and secure place for our community.

Thank you!

410 Likes

This topic was automatically opened after 10 minutes.

Massive W update, hopefully we can also see some sort of compensation to people who were “beamed” or had their items stolen before these preventions were in place.

I know many people who lost a ton of items due to these preventions not being in place sooner.

82 Likes

Great step forward for account security! This will help prevent a lot of account theft. Great job from the Roblox team!

54 Likes

That’s a really nice move from Roblox!
Cookie thefts were a really problematic issue for users’ safety !

36 Likes

Actually nuts, glad to see this feature in action soon.

34 Likes

We currently use a bot account to automatically rank users in a group, message users, and download specific versions of a place.

This is a really good step in security in Roblox, but OpenCloud needs to be updated to suit all the current use cases before this is forced on every account…

49 Likes

Do we need to regenerate the past cookie for this to take effect, or is it already working?

21 Likes

Releasing January 15th 2024 so no, it is not working right now

22 Likes

I appreciate how Roblox is continuing to add more security features on the platform, however I must ask what took so long?

I understand some features are prioritized over others, but considering this has been an ongoing issue for years, is pretty concerning.

Will endpoints that require no authentication/cookies stay public?

24 Likes

Definitely a much needed update! I wish we had this protection way earlier, but I’m grateful that we finally will.

19 Likes

Woah, this is great!

Account theft using the ROBLOSECURITY cookie is extremely common, and it’s great to see something being done for it, without requiring user input. Hopefully this will lower account “beaming” and theft numbers drastically.

Keep up with the security updates Roblox! Great work :clap:

22 Likes

This is great! Good job, Roblox devs!

16 Likes

This is great news! So glad to see ROBLOX making these changes that improve account security! Hopefully this will put an end to the massive beaming problem within the trading community.

17 Likes

A much needed change that I’m so glad to finally see brought to Roblox! Is there any way to opt into getting this update applied to my account sooner?

18 Likes

Back to back hacker combat! Great action roblox!

15 Likes

I’m glad to see some work on account security. Though, I would like to be able choose primary method to sign-in, so if I would like to be prompted with security key first instead of password, and fallback to authentication app if I can’t use my first sign-in method, I should be able to do that. Additionally, if I may ask, what is the security measure used by the Account Session Protection feature?

16 Likes

So, are there plans on outright removing these endpoints or just adding session protection? It seems very unclear on what the plans truly are here and I am concerned that browser extensions may continue to use the “session locked” token in order to retain the ability to use these endpoints on my behalf even after this date.

Can we see this page become non-functional (IE: keep documentation, but remove the buttons to “try it out” or add a big warning to the page), this page is commonly used as a way to make people accept trades without the users truly knowing what they did.

Can we see the ability to opt back in to this protection once disabling it, this seems like a major security risk since someone malicious could turn this feature off on my behalf without any way to turn it back on without contacting support leaving my account open to more abuse while I await a support response. I know this is done to make people think twice before disabling it but it still gives me chills that this can’t be re-enabled.

20 Likes

Amazing update! Glad to see this

15 Likes

Good on Roblox for actively taking new security measures… I just hope they take us third-party developers into account. My services are reliant on Roblox’ API’s to provide me with important data.

I see, however, that you took us into account as well in this article, please keep it up like this :pray:

17 Likes