Issue Type: Other Impact: Very High Frequency: Constantly Date First Experienced: 2021-04-06 00:04:00 (-05:00) Date Last Experienced: 2021-04-06 00:04:00 (-05:00)
Reproduction Steps:
Games that contain the malicious code within at the time of writing have been sent via a private DM attached to this message. The allegedly malicious code scraped by another user has been included in this message.
If you know how this is done, do not post reproduction steps publicly, send them to @bug-files and link that in your reply instead. If you know of other games that contain the malicious code, please DM them to @bug-files and link the private DM in your reply instead of posting the link directly.
This is printed immediately before the screen appears. The camera also zooms out and the chat bar becomes blank if you were typing in it. Allegedly the purchase prompt is behind the GUI, some users have reported being able to see it by messing with the window.
How did this happen? This script is inserted into your game and infects your game. This script does a few things. It first checks the integrity of the client by sending a remote. But if not, then they'll advertise to you, advertising the bad/infected products. If they cannot advertise to you, then they will attempt to teleport them to one of their own games.
Information: This Zero-Day exploited the rendering engine built into the Roblox client. This is done by spamming or using a large amount of text to overload the interface. Various UIs then start to be disabled and eventually become invisible.
The reason the hackers can show their Gui is because of the ZIndex behavior property. They're displayed on an entirely different system, meaning one system can die whilst the other is displaying fine. Roblox's Gui is still on the first ZIndex, meaning that the rendering ability for that ZIndex is broken, but not for the other ZIndex.
Many anti-cheats use this to hide their scripts, as when they're activated or viewed their client ends up being crashed and their topbar/F9 console/core gui crashes together.
This Zero-Day essentially made the CoreGui invisible, allowing an exploiter to create their own interface over the top of a Marketplace Gui. Meaning that they could trick the client/player into clicking that same marketplace "Purchase" button as they're in the same position.
This exploit has infected a lot of games, leading me to think it was a previous ServerSide or exploit which had already infected games. They hook onto "OnUnmuted" DefaultChatEvent and teleport the player to a new game. This game then forces them to essentially verify their client by purchasing the asset.
Assets IDs
3257405595 (Prompt Purchase. Most likely a product)
Some reports came in and were discussed on YouTube about games which were able to bypass the purchase prompt entirely and instantly charge users with no confirmation.
Said games would instantly remove the user's Robux upon joining via a dev product, with no confirmation.
This appears to be targeted, as the games would then be set to private, but still, that appears to be a pretty serious vulnerability and should be investigated as a security flaw.
Couldn't it be some kind of popular plugin that might get modified to put these kinds of things in? Like a plugin developer got hacked or something, and someone modified the plugin to include the malicious code.
Another historic case of when something similar happened was when MeepCity was backdoored by tubers93. Tubers had blocked the leave button with a jumpscare, so when you clicked there you'd just be jumpscared. The only way to leave was force-closing the Roblox client.
Check NonReplicatedCSGDictionaryService. If you see some folders with trash memory as the name, that could be a potential entry point for this virus, and you should delete them.
This seems to have been planned over a long period of time. Perhaps the creator of a widely used plugin was compromised and the plugin was updated to be malicious?
The user/users who made these scam places seem to have a group. This group is selling a 100 robux t-shirt and according to the comments, this is what you buy if you press the continue button. This group is pretty sketchy, as the true owner of the group is not in the owner slot, probably to avoid being terminated.
I agree with what you are saying. As one thing that people sometimes do is give all permission to one rank under Owner and put no owner or a bot owner so that they can still manage the funds and do all that but no other harm can come from it.
Regarding this thing, what you should do is get an Anti-Virus plugin that will track and alert on all possible threats, as it will help you track down what is where, since one of our devs had a plugin that was compromised and kept putting these scripts in as many hidden places as possible. But I believe that it is an Asset that has been compromised and the require(1234) has been changed to their new malicious one, so it will be a little harder to find. (This is just a theory.)
Prompt purchase GUIs are always on top due to the fact that they are in the CoreGui service, and regular scripts can't even look at it, but it seems like plugins can look at and modify it.
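The two checks suggested in the replies above (junk-named folders under NonReplicatedCSGDictionaryService, and scripts that pull in a remote module via `require(<asset id>)`) can be run from the Studio command bar as one sweep. This is an added example, not code from the thread or from Roblox; it assumes it runs in Studio (where `Script.Source` is readable) and the "junk name" heuristic is a constructed guess you should tune for your own place.

```lua
-- Added example: triage sweep for the two indicators discussed in this thread.
-- Run from the Roblox Studio command bar or a plugin; review findings manually.
local csgService = game:GetService("NonReplicatedCSGDictionaryService")

-- Heuristic (assumption): a long mixed-case alphanumeric name with digits and no
-- spaces looks like the "trash memory" names described above.
local function looksLikeJunkName(name)
	return #name >= 12
		and name:match("^[%w_]+$") ~= nil
		and name:match("%d") ~= nil
		and name:match("%l%u") ~= nil
end

-- Returns a list of human-readable findings instead of printing directly so the
-- sweep can be reused from other tooling.
local function sweep()
	local findings = {}

	-- Indicator 1: developer-inserted folders in a service that normally holds CSG data.
	for _, child in ipairs(csgService:GetChildren()) do
		if child:IsA("Folder") then
			local tag = looksLikeJunkName(child.Name) and "junk-named folder" or "unexpected folder"
			table.insert(findings, ("%s: %s"):format(tag, child:GetFullName()))
		end
	end

	-- Indicator 2: any script/module/local script that loads a numeric asset by id.
	for _, inst in ipairs(game:GetDescendants()) do
		if inst:IsA("LuaSourceContainer") then
			-- Source can throw for protected instances; pcall keeps the sweep going.
			local ok, src = pcall(function() return inst.Source end)
			if ok and type(src) == "string" then
				for assetId in src:gmatch("require%s*%(%s*(%d+)%s*%)") do
					table.insert(findings, ("require(%s) in %s"):format(assetId, inst:GetFullName()))
				end
			end
		end
	end

	return findings
end

local results = sweep()
if #results == 0 then
	print("sweep: no findings")
else
	for _, line in ipairs(results) do
		warn("sweep: " .. line)
	end
end
```

A hit on `require(<id>)` is not proof of a backdoor on its own; compare the id against the modules you intentionally use, and treat unknown ids inside plugins or free models as the first thing to remove.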
Seems a little intense. I just wonât purchase any items.
EDIT: It seems I misunderstood the post. Yes, I won't be playing Roblox for the time being.
Does anyone who has seen this in their game mind telling me the list of plugins and models they used? I'm trying to find the asset the user is using to inject code into the games.