I believe this is coming soon: Open Cloud API Keys Now Support Groups!
Coming soon is not enough. This update breaks my applications and is also very counter intuitive - Roblox encourages us to authenticate with cookies when making API requests - even when we do not necessarily need to be authenticated, and gives us higher rate limits. This change is good for security but cannot be rolled out until there is another solution.
EDIT: Maybe we can see a solution as to whitelisting IPs, such as many other providers offer? This would allow me to whitelist my VPS.
What are you on about? There is only one time the captcha is needed, which costs about 5 cents, and that's to retrieve the account cookie. The amount of members does not matter.
A lot of services use multiple IPs, which would mean every time the service needs to do something on another IP it would need to complete a captcha; you can't assume that Chris uses a fixed IP for everything.
Roblox decided to use a wrecking ball and destroy every application that uses their APIs with this update…
I use proxies for my ROBLOX projects constantly & with this brand new update coming into play, I receive 401s always & every cookie invalidates. This has to be possibly the worst update they have come up with… by far…
Please revert this update; all of these applications have gone into the wasteland after this update & which makes it impossible to use the API without getting rate-limited or receiving an unauthorised response.
That's not how it works; if you're running it on a VPS, probably do more research?
How this works is that it'll grab a new Roblox account cookie if the cookie is invalid, and this is repeated.
God this is gonna mess up a ton of bots and websites.
What I would love to see is the Roblox team make it more easy for us to create applications with the web endpoints. Ngl the guide itself is not that clear for beginners.
Just install some type of GUI (of the many we have) on this machine, and after that clean it up or disable it.
Why could they not just make 1 user per cookie, or just stop the hacker from logging in but without expiring the whole cookie? (This is just a question; if they can't do that it's ok.)
Sorry for the late reply, but thank you for clarifying it. I didn't even consider them.
I had this happen to me, took me a bit to realize this was why the authentication was never working.
Quick edit: @aze_rty provided a significantly better solution that works on lower-end servers. I didn't take into consideration system resources for most situations where a lightweight VPS is all that's necessary, so this solution isn't very useful or helpful to most.
To solve this, I just used X11 forwarding over SSH to pop open Firefox and sign in that way. It's extremely simple if you have the latest version of Windows 11 (Build 22000+) and WSL 2.
ssh -XC user@server
from WSL 2 running Ubuntu 20.04 on Windows 11
-X enables X11 forwarding
-C is for data compression (loads everything a bit faster, but expect severe input delay and lag regardless if this is enabled)
After that, you install Firefox through your package manager and just run it. I can't speak for what issues others may run into, but it was that simple for me.
I tried to reproduce this issue with two different VPNs on the Edge browser but couldn't do it. Why is it not happening to me? Is it fixed?
It's either fixed or rolled out to only selected people.
Try doing this with 0.5 MB of RAM on a 3 dollar VPS and it won't go well.
Proxy into the webserver instead.
It's out for a group of users. It's called A/B testing.
As if this is not the lazy way out to the security problem? This does not solve the issue of victims who have their credentials wholly compromised, and guess what, the same guys that used to steal the cookies will start stealing the credentials instead.
This does nothing to solve the issue of malicious users stealing currency and items, this is more aptly resolved with something such as 2FA on purchases, trades, etc. Steam does the same thing already, on IP change, instead of invalidating the entire user session, they simply make sure that all actions that involve a currency, item, or even account configuration require 2FA validation.
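To make the contrast in that post concrete, here is an added example (not from the thread, and not Roblox's or Steam's code) that replays one constructed request sequence through two session policies: invalidate the whole session on any IP change, versus keep the session and require a fresh 2FA proof, bound to the IP it was given from, for currency, item and account actions. All IPs, action names and the 300 second window are constructed values.

```python
from dataclasses import dataclass

SENSITIVE_ACTIONS = {"purchase", "trade", "change_email"}
STEP_UP_WINDOW = 300  # seconds a successful 2FA proof stays valid (constructed value)


@dataclass
class Session:
    user: str
    ip: str                  # IP the session was issued to
    valid: bool = True
    last_2fa: float = -1e9   # time of the last successful step-up check
    step_up_ip: str = ""     # IP the step-up proof was given from


def policy_ip_bound(session, action, client_ip, now, otp_ok=False):
    """Policy A (the behaviour the thread complains about): any IP change kills the session."""
    if not session.valid:
        return "denied: session invalid"
    if client_ip != session.ip:
        session.valid = False
        return "denied: session invalidated (IP changed)"
    return f"ok: {action}"


def policy_step_up(session, action, client_ip, now, otp_ok=False):
    """Policy B (Steam-style, as argued above): the session survives an IP change, but
    sensitive actions need a recent 2FA proof that was given from this same client IP."""
    if not session.valid:
        return "denied: session invalid"
    if action in SENSITIVE_ACTIONS:
        if otp_ok:
            session.last_2fa, session.step_up_ip = now, client_ip
        elif now - session.last_2fa > STEP_UP_WINDOW or client_ip != session.step_up_ip:
            return f"challenge: 2FA required for {action}"
    session.ip = client_ip  # record the change for auditing; do not kill the session
    return f"ok: {action}"


def run_scenario(policy):
    """Replay a constructed request sequence through one policy and return the outcomes."""
    s = Session(user="devbot", ip="203.0.113.10")  # issued from the owner's home IP
    steps = [  # (action, client IP, time, OTP supplied?)
        ("read_profile", "203.0.113.10", 0, False),  # owner, original IP
        ("read_profile", "198.51.100.7", 10, False), # owner's ranking bot on a VPS
        ("purchase", "198.51.100.7", 20, False),     # owner buys from the VPS, no OTP yet
        ("purchase", "198.51.100.7", 30, True),      # owner supplies an OTP
        ("trade", "198.51.100.7", 40, False),        # still inside the step-up window
        ("trade", "192.0.2.99", 50, False),          # attacker replaying the stolen cookie
    ]
    return [policy(s, a, ip, t, otp) for a, ip, t, otp in steps]
```

Under policy A the owner's bot is cut off at step two and every later request fails; under policy B the bot keeps reading, the owner passes the step-up once, and the attacker holding the same cookie is still challenged because the proof is bound to the VPS IP.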
I don't really know what that's supposed to prove, but okay.
Oof. Yeah, I didn't think that one through. I have a pretty crazy server that hosts a multitude of things. You've definitely got a significantly better solution, thanks!
I wanted to see how simple this was, and it's super straightforward. I'll also provide steps for that.
ssh -D <port> user@server
(you can run this natively on Windows, no WSL needed)
You can then go into your browser settings and set your SOCKS5 proxy to 127.0.0.1:<port>
and you'll be connected! Watch out if you're signed in to Roblox already, however, because it'll boot you out for having your IP changed.
Also a heads up to @AEW745: you shared a good chunk of your ROBLOSECURITY cookie, so make sure that gets invalidated just in case. I also don't really know anything of "TouchVPN" and it looks very suspicious at first glance; it could be feeding off your data, so be wary of what you sign into with that.
oh yeah, don't be using TouchVPN, that's a "free VPN" on the Chrome Web Store, it's just a massive data harvesting app, I've used it to just bypass school security systems lol
I'd imagine this wasn't officially announced as it's sort of an account security change, as this makes cookie logging near impossible, which is awesome, but… they just kinda threw web devs, ranking bots, among other devs under the bus… Ah roblox…
tldr; EPIC DUB for account security against cookie logging, sucks for web devs.