Pre Scriptum: I can’t post in Bug Report and most of the other channels
The Roblox Web API contains crucial vulnerabilities, and as far as I know the API isn’t something that’s easy to change, BUT I’ve seen that WITHOUT VERIFICATION the client can view its own Robux amount, change skin and more. And that’s ok, but “The Client” that I mean is the HTTP (or whatever) request sender, and so website developers, Roblox ClientScripts*, PC programs and every other object that can send requests from the client have access to private data & actions!
*Personally idk if Roblox banned LocalScripts from requesting roblox.com and/or its subdomains in code.
I’m begging Roblox to pay attention, but not just delete those; make some sort of sessionToken, bc features like the userId retriever are helpful and a well-made API will make Roblox better.
Edit: even my emote character was made bc of request stuff
EDIT: Many of those are protected with the .ROBLOSECURITY cookie, so my post doesn’t make much sense, but programs can bypass limitations with user redirection if that’s something post-alike
Okay, but you need to be logged in for that to work. So if someone wanted to check my Robux or log me out, they’d first need to get my password and get past my 2FA. Unless I’m misunderstanding something, of course.
And bc that’s a request, every client application such as .js files on websites can access it
Edit: but for those you need to be logged in on roblox.com and unnecessarily devforum.roblox.com
I don’t get it? You’re already authenticated, so yes, it shows on the example value. If you were authenticated from the application sending the request, then it would be able to get the responses of these endpoints as well. Even then, the currency endpoint wouldn’t be a critical vulnerability, but the logout could be; again though, assuming you could execute the request on anyone.
I think you’ll need to supply a stronger test case than just clicking on these links or reading the values on the endpoint trial pages. That being said, if you found a genuine website vulnerability that could leverage these endpoints against non-authenticated users (e.g. logging anyone out), the alternative option would be reporting via the HackerOne Bug Bounty Program.
Yeah, I was a bit too fast, didn’t notice the cookie.
By the way, there can be a file that opens links automatically, and there are many more APIs, but that’s even less than stealing the security cookie itself, so I don’t think my post is really valuable.