Malicious code is able to show UI over the purchase prompt, and trick users into purchasing items

I agree with what you are saying. As one thing that people sometimes do is give all permission to one rank under Owner and put no owner or a bot owner so that they can still manage the funds and do all that but no other harm can come from it.

Regarding’s to this thing what you should do is get an Anti-Virus plugin that will track and alert of all possible threats as it will help you track down what is where it is since one of our devs had a plugin that was compromised and kept putting these scripts in as many hidden places as possible. But I believe that it is an Asset that has been compromised and the require(1234) Has been changed to their new Malicious one. So it will be a little harder to find. (This is just a theory)

Prompt purchase guis always on top due to the fact that they are in the CoreGui service, and regular scripts can’t even look at it, but it seems like plugins can look and modify it

Seems a little intense. I just won’t purchase any items.
EDIT: It seems I misunderstood the post. Yes, I won’t be playing roblox for the time being.

Does anyone who has seen this in their game mind telling me the list of plugins and models they used? I’m trying to find the asset the user is using to inject code into the games.

Roblox should fix this immidiately. This is very malicious.

Here are some posts where people who had this issue shared their plugins:

Is there any place where this can be reproduced or does this occur randomly?

If only Roblox would do something about this instead of endanger their developers and players

IMO this justifies a R0BL0XCRITICAL post for immediate attention and rectification from whoever’s responsible.

People manipulate the young Roblox audience into believing this is a legitimate Roblox captcha, which is recognisably similar and commonly seen throughout the Roblox website. To capitalise on a Roblox vulnerability that allows UI to overlap CoreGUI elements like a prompt.

This threat needs to be secured ASAP before it becomes a commonplace technique to extort Robux from users.

Yeah, we need to make sure Roblox also knows that the owner is not in the owner slot and is instead a rank below owner.

This is a problem, one of my friends on discord claimed that this could grab your ROBLOX account password and IP. Is this true or not? Guessing it can’t do either.

No, not unless you put it in yourself, there’s no way to grab another persons IP or personal info through this.

Just so it’s public knowledge, roblox-critical does not do anything anymore. Please do not suggest its use because it is just noise, it’s just a token gesture to make people feel better. Roblox knows already, so this is not useful.

I doubt this is true, passwords are usually hashed when kept in databases so whoever is behind it would have a hard time deciphering them and logging into your account. Anyways, it’s most likely false that they can get your account credentials and IP from you clicking that GUI. It might give them your clients IP, but that’s nothing to worry about.

A user that appears to be behind this scam (they have the group that is selling a shirt that scammed users) has items that cost robux on their account, leading me to believe that the people who orchestrated this compromised that user and probably others too.

This can’t be good. I can forsee this getting worse in the future if nobody does anything about it.

Thanks for the report! We’ve filed a ticket to our internal database and we’ll follow up when we have an update for you.

Thank you so much, whatever this person did is terrifying. Please do all of your best to get to the bottom of this!

I’m theorizing that they had some way to make the core gui invisible, but this is on a whole other level that I’ve never seen before.

im pretty sure they layered a ton of other UIs ontop of the core gui so it unloaded, i’m not 100% sure though

A very similar problem has existed for a long time where you can trick someone into clicking a gui repeatedly then in the same space a purchase prompt appears when they aren’t expecting, causing them to accidentally make a purchase. I don’t think that issue is fixed either.