Malicious code is able to show UI over the purchase prompt, and trick users into purchasing items

Issue Type: Other
Impact: Very High
Frequency: Constantly
Date First Experienced: 2021-04-06 00:04:00 (-05:00)
Date Last Experienced: 2021-04-06 00:04:00 (-05:00)

Reproduction Steps:
Games that contain the malicious code at the time of writing have been sent via a private DM attached to this message. The allegedly malicious code scraped by another user has been included in this message.

If you know how this is done, do not post reproduction steps publicly, send them to @bug-files and link that in your reply instead. If you know of other games that contain the malicious code, please DM them to @bug-files and link the private DM in your reply instead of posting the link directly.

This is being discussed here:
https://devforum.roblox.com/t/this-roblox-virus-is-getting-worse-and-worse-moderators-notice/1153529
https://devforum.roblox.com/t/a-ton-of-people-having-issues-with-a-strange-popup-that-spends-your-robux-without-asking-in-games/1153377

Expected Behavior:
CoreGui should never be able to be hidden behind user GUI, and it should never remain functional.

Actual Behavior:
There is a purchase prompt hidden behind user GUI that attempts to trick the user into purchasing an item.

This is printed immediately before the screen appears. The camera also zooms out and the chat bar becomes blank if you were typing in it. Allegedly the purchase prompt is behind the GUI, some users have reported being able to see it by messing with the window.

Workaround:

220 Likes

This was also experienced & discussed in this post and this post.


I’ve also had to private one of my main games due to this; hopefully this issue can be resolved ASAP!

1 Like

Important Removal And Security
Search KeyBind: Ctrl Shift F

Basic

  • Remove any script with the name Halal.
  • Disable Third-Party teleports
  • Disable Third-Party purchase
  • Remove any old/suspicious scripts
  • Remove any “OnUnmuted” Connections
  • Search for deprecated methods:
    • Game:Service

Most Effective

  • Go to settings, Disable The following
    • Allow Third-Party Sales
    • Allow Third-Party Teleports

How did this happen?
This script is inserted into your game and infects it. The script does a few things. It first checks the integrity of the client by sending a remote. If that fails, they’ll advertise to you, advertising the bad/infected products. If they cannot advertise to you, they will attempt to teleport you to one of their own games.

Information
This zero-day exploited the rendering engine built into the Roblox client. This is done by spamming or using a large amount of text to overload the interface. Various UIs then start to be disabled and eventually become invisible.

The reason the hackers can show their GUI is because of the ZIndex behavior property. Their GUI is displayed on an entirely different system, meaning one system can die whilst the other keeps displaying fine. Roblox’s GUI is still on the first ZIndex, meaning that the rendering ability for that ZIndex is broken, but not for the other ZIndex.

Many anti-cheats use this to hide their scripts: when they’re activated or viewed, the client ends up crashing, and the topbar, F9 console and CoreGui crash together with it.

This zero-day essentially made the CoreGui invisible, allowing an exploiter to create their own interface over the top of a Marketplace GUI. This means they could trick the client/player into clicking that same marketplace “Purchase” button, as the two are in the same position.

This exploit has infected a lot of games, leading me to think it was a previous server-side or exploit which had already infected games. They hook onto the “OnUnmuted” DefaultChatEvent and teleport the player to a new game. This game then forces them to essentially “verify” their client by purchasing the asset.

Asset IDs

  • 3257405595 (Prompt Purchase. Most likely a product)
  • 6647166612 (Teleport, A game place.)
  • 2489606748 (Owner ID of bad game)

66 Likes
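The checks in the removal guide above, as an added example that is not part of this thread or of Roblox’s own tooling: a read-only Luau scan meant for the Studio command bar (or a plugin), since `Script.Source` is only readable with plugin-level security. The script name, the “OnUnmuted” hook, the deprecated `game:service` accessor and the three IDs come from the post; the list of containers scanned, the extra search strings (purchase prompts, TeleportService, numeric `require`) and the choice to only report rather than delete are my assumptions. The two Game Settings toggles the post calls “Most Effective” are still switched off by hand in Game Settings > Security; this scan does not touch them.

```lua
-- Added example, not code from the thread or from Roblox. Run from the Studio
-- command bar: it lists suspicious instances and modifies nothing.

-- Containers worth walking; all are standard services (assumption: this set
-- is enough for a typical place).
local CONTAINER_NAMES = {
	"Workspace", "ReplicatedStorage", "ReplicatedFirst", "ServerScriptService",
	"ServerStorage", "StarterGui", "StarterPack", "StarterPlayer", "Lighting",
	"SoundService", "Chat", "Players",
}

-- Instance names the removal guide says to remove.
local SUSPICIOUS_NAMES = { Halal = true }

-- Plain substrings to look for in script source (case-insensitive).
local SUSPICIOUS_SOURCE = {
	"OnUnmuted",             -- DefaultChatEvent hook used to trigger the teleport
	"game:service",          -- deprecated accessor the guide says to search for
	"3257405595",            -- product ID reported in the thread
	"6647166612",            -- place ID reported in the thread
	"2489606748",            -- owner ID of the bad game reported in the thread
	"PromptPurchase",        -- any purchase prompt deserves a manual look
	"PromptProductPurchase",
	"TeleportService",       -- legitimate uses exist; listed for review only
}

-- Lua patterns (not plain) for things a substring cannot express.
local SUSPICIOUS_PATTERNS = {
	{ pattern = "require%s*%(%s*%d+", reason = "require() of a numeric asset id" },
}

-- Plain (non-pattern), case-insensitive substring test.
local function containsText(haystack, needle)
	return string.find(string.lower(haystack), string.lower(needle), 1, true) ~= nil
end

-- Walks one container and appends {instance = ..., reason = ...} to findings.
local function scanContainer(root, findings)
	for _, inst in ipairs(root:GetDescendants()) do
		if SUSPICIOUS_NAMES[inst.Name] then
			table.insert(findings, { instance = inst, reason = "suspicious instance name" })
		end
		if inst:IsA("LuaSourceContainer") then
			-- pcall: reading Source can still throw for some instances
			local ok, source = pcall(function() return inst.Source end)
			if ok and type(source) == "string" then
				for _, needle in ipairs(SUSPICIOUS_SOURCE) do
					if containsText(source, needle) then
						table.insert(findings, { instance = inst, reason = "source contains \"" .. needle .. "\"" })
					end
				end
				for _, entry in ipairs(SUSPICIOUS_PATTERNS) do
					if string.find(source, entry.pattern) then
						table.insert(findings, { instance = inst, reason = entry.reason })
					end
				end
			end
		end
	end
end

-- Collects findings from every container, plus the
-- NonReplicatedCSGDictionaryService folder check a later reply suggests.
local function scanPlace()
	local findings = {}
	for _, name in ipairs(CONTAINER_NAMES) do
		local ok, container = pcall(function() return game:GetService(name) end)
		if ok and container then
			scanContainer(container, findings)
		end
	end
	local ok, csg = pcall(function() return game:GetService("NonReplicatedCSGDictionaryService") end)
	if ok and csg then
		for _, child in ipairs(csg:GetChildren()) do
			if child:IsA("Folder") then
				table.insert(findings, { instance = child, reason = "folder inside NonReplicatedCSGDictionaryService; check its name" })
			end
		end
	end
	return findings
end

for _, finding in ipairs(scanPlace()) do
	print(finding.instance:GetFullName(), "->", finding.reason)
end
print("scan complete; nothing was modified")
```

Every hit is a lead for manual review rather than a verdict: TeleportService and purchase prompts have legitimate uses, so open each flagged script (Ctrl+Shift+F finds the same strings) and delete only what you did not write.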

Heard about this issue over Discord, it seems to be getting worse and worse. Maybe ROBLOX should do something about it?

17 Likes

In the same sort of area I suppose,

Some reports came in and were discussed on YouTube about games which were able to bypass the purchase prompt entirely and instantly charge users with no confirmation.
Said games would instantly remove the user’s Robux upon joining via a dev product, with no confirmation.
This appears to be targeted, as the games would then be set to private, but still, that appears to be a pretty serious vulnerability and should be investigated as a security flaw.

SharkBlox’s Video on said games.

2 Likes

You can play trustable games, it’s a virus in free models and plugins

6 Likes

This is also discussed here:

1 Like

Couldn’t it be some kind of popular plugin that got modified to include this kind of stuff? Like a plugin developer got hacked or something, and someone modified the plugin to include the malicious code.

1 Like

It has happened to us before; we have a group named Earth Party and it happened to Discussion Center.


Luckily he was not charged this time.

Says they saw it some time in Feb.

3 Likes

Another historic case of something similar was when MeepCity was backdoored by tubers93. Tubers had blocked the leave button with a jumpscare, so when you clicked there you’d just be jumpscared. The only way to leave was force-closing the Roblox client.

6 Likes

Check NonReplicatedCSGDictionaryService. If you see some folders with trash memory as the name, that could be a potential entry point for this virus, and you should delete them.

3 Likes

I feel so bad for everyone who has literally been robbed of their Robux; hope Roblox fixes this quickly.

3 Likes

This seems to have been planned over a long period of time. Perhaps the creator of a widely used plugin was compromised and the plugin was updated to be malicious?

The user/users who made these scam places seem to have a group. This group is selling a 100 robux t-shirt and according to the comments, this is what you buy if you press the continue button. This group is pretty sketchy, as the true owner of the group is not in the owner slot, probably to avoid being terminated.

6 Likes

I agree with what you are saying. One thing that people sometimes do is give all permissions to one rank under Owner and put no owner or a bot as owner, so that they can still manage the funds and do all that, but no other harm can come from it.

Regarding this, what you should do is get an anti-virus plugin that will track and alert on all possible threats; it will help you track down what is where, since one of our devs had a plugin that was compromised and kept putting these scripts in as many hidden places as possible. But I believe it is an asset that has been compromised and the require(1234) has been changed to their new malicious one, so it will be a little harder to find. (This is just a theory.)

1 Like

Prompt purchase GUIs are always on top due to the fact that they are in the CoreGui service, and regular scripts can’t even look at it, but it seems like plugins can look at and modify it.

Seems a little intense. I just won’t purchase any items.
EDIT: It seems I misunderstood the post. Yes, I won’t be playing roblox for the time being.

1 Like

Does anyone who has seen this in their game mind telling me the list of plugins and models they used? I’m trying to find the asset the user is using to inject code into the games.

1 Like

Roblox should fix this immediately. This is very malicious.

5 Likes

Here are some posts where people who had this issue shared their plugins:

2 Likes

Is there any place where this can be reproduced or does this occur randomly?

3 Likes