MarketplaceService:GetProductInfo() allows any game to grab individual asset sales data from UGC creators without their knowledge or permission. This is how UGC Tracker - Roblox operates, along with any game that wants to surreptitiously gather user sales data. As soon as the user joins a game, it begins scanning their entire sales history.
Expected behavior
MarketplaceService:GetProductInfo() should not return the Sales property or it should always be 0 instead of being populated when the user joining the game has access to the given asset.
isn’t this supposed to be public? you should be allowed to see how many sales a user has on their items especially since it’s other people buying the items. i don’t see the point of this being hidden.
If you or I access that item print(game:GetService("MarketplaceService"):GetProductInfo(4904654004, Enum.InfoType.Asset).Sales) it prints out 0 sales. The only person who gets to see that is @maplestick – but if they happen to join any game running this code, that game can exfiltrate their entire UGC earnings.
Most catalog and economy APIs began showing the ‘sales’ stat as 0 several months back, and I believe this was intentional because Roblox didn’t want random people knowing how much profit UGC creators make off of their items. Hence, I do think this bug was an oversight on Roblox’s end when they were making these changes. The backend API it calls probably still hasn’t been updated in accordance with the rest.
Correct me if I’m wrong, but are they calling :GetProductInfo() on the UGC creator’s client to authenticate as them when they join the game, then getting the Sales value and sending it to the server to store for everyone to see? If so, that’s pretty malicious… wow.
Also, I’m pretty sure certain games rely on the functionality of this stat so Roblox may not consider removing it. For example, let’s say there’s a catalog shop game where you can sell your avatar items and you have a dashboard displaying all of them with a ‘Sales’ stat for each. Removing this would technically make it impossible for this stat to function anymore… and plus, all the APIs actually return the sales stat as long as the authenticated user is the creator of the UGC item. Really interesting.
A catalog game would usually be tracking sales made in-game via PromptPurchaseFinished(), as opposed to that item’s global sales. I feel like this either needs to be patched entirely, or go through an explicit permission flow the way Inventory access works today
This is exactly what UGC sale counter experiences do. Many UGC creators quite literally rely on these experiences to count up their sales, so ironically ‘fixing this issue’ without providing a safer alternative may actually lead to more anger in the people who would most benefit from it. For the time being, until some safer alternative is implemented (which that in itself should probably be a feature-request) it’s probably best that this bug remains.
Was this meant to be a reply to my reply? I didn’t receive a notification because it wasn’t marked as one. Many UGC creators still use these experiences to show off their sale counts to others, something that isn’t easy to do elsewhere without being accused of inaccurately counting it. The new dashboard also doesn’t support all-time sales.
I get the desire to have global leaderboards – I wish this was something creators could opt-in through explicit permission as opposed to literally any game can access your sales
Unfortunately, this is not a good enough replacement. We need to see the exact sales for all of our items while the analytics dashboard only shows sales for the top 200 items. It looks like this bug was fixed, but before Roblox offered a replacement.
Both @signal_zzz and @konormcgregor15 are actively working on the UGC analytics improvments. The lack of response to this thread makes me question whether or not anything was “fixed” and if the API is just unrelated broken. It still returns sales data for instance, but it hasn’t been updated in a few days.
The behavior changed just recently to where it returns 0 in games like UGC Tracker and Catalog Avatar Creator. Purchase count is still outdated when I access the API normally though.
Basically. It isn’t very reliable though because you have to download the data and sort it daily. On top of that, some creators can’t even view their CSV download because they have so many sales that no programs will accept it. We can also just use the API directly (when it works again) but it should be more accessible.
As mentioned above, it seems like Roblox has swiftly fixed this vulnerability. You may want to mark one of these posts as a solution as the root issue here has been fixed.
