I think it's currently patched, as I've got no more reports.
This happened to me 2 days ago. Lost exactly 998 Robux, and I will be emailing Roblox support now.
EDIT: Here is some information on how I believe this happened to me.
Basically, when I joined a game (not owned by me), it showed a UI that covered my entire screen and told me to click on animals as they popped up. They came from the left, right, top, etc. My theory is that at some point during that “verification,” a Robux Gamepass purchase prompt appeared (which I was unable to see), and the animal appeared in the same spot where you would normally click “Buy” on a Robux purchase. Very well designed UI, I have to say; this scam must’ve been in the works for weeks.
As I mentioned above, I was unaware of this purchase until noticing that my Robux was down and by checking my recent Transactions. Hope this helps, and I hope I receive a response back about my missing Robux soon.
While I agree CoreGUI being put behind UI in this instance is not good, it still undermines the other large issue here.
The fact that this appears to be happening is because developers are inserting free code that they’re not vetting. This is a you issue, not a Roblox issue, for that specific bit. That said, your issue should just be listed as “UI can be shown over the CoreGUI”, as this could be used for both malicious and legitimate purposes to override CoreUI.
The impact is NOT, and in my opinion shouldn’t be listed as, High Impact. It affects select games that have somehow had scripts made by others inserted into them. Filtering Enabled integrity still works, and a user would only be able to affect their own things, not others’.
That said, I hope everyone gets their Robux back anyway, and that developers who are affected by this more properly screen any outside assets they use off the toolbox.
This looks way too good to be a scam; I have a feeling they took a long time on this and it’s very dangerous. I recommend anyone who has scripts in their game run some background checks and delete code that has weird symbols, or instances that also have strange symbols or names.
Very helpful thank you for letting us know!
CoreGUI should NEVER be able to be overridden or hidden by developers; the entire reason it was possible at all was an oversight causing CoreGUI to crash.
If a malicious dev wanted to (and was able to), they could develop pseudo-malware by disabling it. CoreGUI is the only way some younger or computer-illiterate folks on Roblox even know how to leave a game if it’s full screen; not everyone understands what Alt+F4 or Task Manager is. Some people don’t even know how to Alt+Tab.
In fact, if the devs who found this exploit cared about more than making a quick bobuck so they can buy a limited or whatever, they probably could have made this so-called pseudo-malware: maybe even have users log in with username + password, then have them enter a 2FA code if necessary, so they can just save a .ROBLOSECURITY token for future malicious use, then maybe even overwrite all of that person’s games with the malware.
It could have caused major issues but luckily the exploiting community is not coordinated enough to pull off something of this scale.
It’s even worse in the UWP version of Roblox on Xbox or Windows 10, where logging in is actually handled by the client, so someone could create a virtually indistinguishable fake.
Hell, maybe they would’ve even been able to ask users on Xbox for Xbox Live credentials, and some people would’ve fallen for it.
If Roblox implemented a way to override CGUI rather than patching this exploit then I guarantee something like that would be pulled off eventually.
I was wondering why I lost 1k Robux till I saw this. Good to know people have already picked this up!
If you are a developer, TURN OFF Allow Third Party Teleports RIGHT NOW!!! There is no reason not to do so! (Unless you know you rely on it)
Also it is very likely that the setting might be on by default for older games so you should check your game settings in Roblox studio RIGHT NOW!
Also, if you don’t have any admin command scripts in your game, you should disable Allow Third Party Sales as well! Check them in your game settings NOW!
So as I understand it, if it’s done by overloading the UI with text and making it crash, what if it gets added by the server? I might be wrong and I don’t exactly know how this prompt works, but if it’s there locally from the start, then what if the server puts it up when a purchase is prompted?
From what I understand of how Roblox works, the GUI prompt (with the buttons) is written in Lua and is part of CoreGUI (which is what the exploiters overload and crash), but clicking the button does not actually run any Lua code.
There is another script inside the client itself (I believe in C++) which actually handles purchases. It just detects if the mouse is over the purchase button when you click, and if so it will complete the purchase.
The C++ code, however, does not check for the Lua GUI, so if that is disabled somehow the purchase can still go through. It just assumes the GUI is displayed properly.
Yeah, exactly what I meant. There is probably separate code for purchases which is not connected with the GUI.
When I first encountered this, I was like “this is probably a roblox captcha”. Thankfully, I didn’t have a lot of robux on my account.
I’ve seen lots of scam games online that do a ‘How many times can you click’ with a big Robux prompt behind it. The victim lost around 15k Robux in one click.
I am researching this experimentally. I’m not sure how they did it, if they changed the prompt transparency, but I managed to replicate an effect in Roblox Studio without inducing the user to click. I’m guessing I can’t say it here, and if you want to know how I did it, I’m very happy to get this patched.
Unfortunately this scam is built on scam games made by scammers; I’ve never seen cases of this happening on pre-existing games, as it would need modification of CoreGUI scripts, which can’t be done by scripts. However, disabling Allow Third Party Sales and Allow Third Party Teleports is useful advice, as there are still “Loading…” scripts which can attack games, mostly in hijacked admin scripts, and insert backdoors and track the game with the backdoors using Discord webhooks. I covered how they worked in my blog called RBXDevnotofficial. Link to article
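Several posts above recommend auditing every script in a place for injected backdoors (numeric `require()` loaders, Discord webhooks, obfuscated or oddly named “Loading…” scripts) and checking the third-party sales/teleport settings. The following is an added example, not code from this thread, from Roblox or from the linked blog: a Studio command-bar audit that walks the whole place tree and reports scripts matching those warning signs. The pattern list, the 5% non-printable-byte threshold and the name heuristics are this example’s own assumptions, not a Roblox-provided list, and a hit only means “read this script by hand”, since HttpService, TeleportService and purchase prompts are legitimate in many games.

```lua
-- Added example (not from the thread): Studio command-bar audit of every
-- script in the place. Script.Source is readable only from the command bar /
-- plugins, never from live game code, so this must be run inside Studio.

-- Warning signs named in the thread; patterns and reasons are assumptions.
local SUSPICIOUS = {
    { "require%s*%(%s*%d+%s*%)",    "require() of a numeric asset id (classic backdoor loader)" },
    { "getfenv",                     "getfenv() environment tampering" },
    { "loadstring",                  "loadstring() runtime code loading" },
    { "discord%.com/api/webhooks",   "Discord webhook URL (game tracking / exfiltration)" },
    { "discordapp%.com/api/webhooks","Discord webhook URL (game tracking / exfiltration)" },
    { "HttpService",                 "HttpService use (check what it talks to)" },
    { "TeleportService",             "TeleportService use (third-party teleport scams)" },
    { "PromptGamePassPurchase",      "game pass purchase prompt (verify it is yours)" },
    { "PromptProductPurchase",       "developer product purchase prompt (verify it is yours)" },
    { "string%.char%s*%(",           "string.char() assembling hidden text (obfuscation)" },
    { "\\%d%d%d\\%d%d%d\\%d%d%d",    "long runs of decimal escapes (obfuscation)" },
}

-- Names that are blank/whitespace-padded or contain non-ASCII bytes hide in
-- the Explorer; "Loading…" is the disguise named in the thread.
local function isSuspiciousName(name)
    if name:match("^%s*$") then return true end
    if name:find("[^\32-\126]") then return true end
    if name:match("^Loading") then return true end
    return false
end

-- Returns the list of reasons a script body looks suspicious (empty if none).
local function scanSource(source)
    local hits = {}
    for _, rule in ipairs(SUSPICIOUS) do
        if source:find(rule[1]) then
            table.insert(hits, rule[2])
        end
    end
    -- Cheap obfuscation signal: share of bytes outside printable ASCII.
    local nonPrintable = select(2, source:gsub("[^\32-\126\n\r\t]", ""))
    if #source > 0 and nonPrintable / #source > 0.05 then  -- 5% is an assumed threshold
        table.insert(hits, "more than 5% non-printable bytes (likely obfuscated)")
    end
    return hits
end

-- Walk the entire DataModel (backdoors hide in Lighting, SoundService, etc.),
-- skipping Roblox's own CoreGui scripts, which are not ours to audit.
local function auditPlace()
    local coreGui = game:GetService("CoreGui")
    local findings = {}
    for _, obj in ipairs(game:GetDescendants()) do
        if obj:IsA("LuaSourceContainer") and not obj:IsDescendantOf(coreGui) then
            local ok, source = pcall(function() return obj.Source end)
            local reasons = ok and scanSource(source)
                or { "Source not readable: " .. tostring(source) }
            if isSuspiciousName(obj.Name) then
                table.insert(reasons, "suspicious name (blank / non-ASCII / 'Loading' disguise)")
            end
            if #reasons > 0 then
                table.insert(findings, { path = obj:GetFullName(), reasons = reasons })
            end
        end
    end
    return findings
end

-- Workspace.AllowThirdPartySales mirrors the Game Settings toggle; the
-- "Allow Third Party Teleports" toggle has no scriptable property this
-- example knows of, so it must still be checked by hand under Game Settings.
if workspace.AllowThirdPartySales then
    warn("Workspace.AllowThirdPartySales is ON; turn it off unless you rely on it")
end

local findings = auditPlace()
if #findings == 0 then
    print("Audit: no scripts matched the warning signs")
end
for _, f in ipairs(findings) do
    warn(("Audit: %s"):format(f.path))
    for _, reason in ipairs(f.reasons) do
        print("    - " .. reason)
    end
end
```

Paste the whole block into View > Command Bar and read the Output window. Review every flagged script rather than deleting on sight: a hit on `HttpService` or `TeleportService` in your own code is expected, while a numeric `require()` or a webhook URL in a free model or admin script you did not write is exactly the backdoor the posts above describe.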
This code disables backpack and emotes, something which is useful for developers. Disabling a user’s chat might be useful for moderation in-game too. From what I understand, purchase prompts do not get disabled when SetCoreGuiEnabled is run with (Enum.CoreGuiType.All, false).
I really doubt you got a PromptPurchase dialog, visible or not, to confirm with zero mouse input from the user, could you elaborate on what “without inducing the user to click” means?
I doubt that, since it’s just clicking the buy button.
Well, not really. Most of these work because there is a malicious script in a legit game which teleports you to a fake game, and once you purchase it, it teleports you back to the original game. See Scam Exploit ! (help on how to resolve?) as an example.