Password reset floodcheck bypass

We are actively investigating now. Thank you all!

10 Likes

For now, I would advise everyone to block no-reply@roblox.com and only unblock them when you are expecting an email, such as for 2FA. Hopefully this will all be sorted out soon!

3 Likes

I’m just sending all emails from roblox to a folder called “roblox spam” lol. I created a gmail filter to do it for me automatically.

2 Likes

It'd be neat if we could see the IP of the computer that requested the password reset, so it's not as obscure. This would also discourage some people from doing it.

1 Like

They probably aren’t allowed to do that.
I’m just curious to know how these bots got our emails in the first place, and why this isn’t setting off any spam filters automatically.

2 Likes

Can’t you request a password reset with only a username?

Didn’t you used to be able to request a reset with a username in the past? Maybe that endpoint is still functional.

My guess is they scraped the DevForum for names and did just that.

2 Likes

You can. If you’re on gmail, click “show original”.

I guess that sounds plausible, but it doesn’t explain the randomly varying letter case in the emails being sent to me. It almost seems like the email address is being targeted directly somehow.

2 Likes

Getting spammed down as we speak. I'm surprised at how they know my email.

Just started receiving password reset emails. Hope this gets fixed soon.

I just refreshed my email and got three of these, too. However, I read this thread this morning and immediately thought of Clone’s issue.

I have 2FA enabled, but no PIN.

The only other thing I can think of is that they somehow got into the DevForum’s underbelly and got the emails that way.

2 Likes

They do not know emails. I changed mine and I’m still receiving them. There must be an endpoint that doesn’t require it.

1 Like

~~This could be bad, if they are able to get everyone's emails, this means that Roblox is effectively a giant document of free emails to use for spamming and phishing emails. This is collection #1 all over again. I wouldn't be surprised if Roblox showed up on this site soon: Have I Been Pwned~~

Confirmed it was Username based

@Reshiram110 That gives you the IP of Roblox’s mail server, not the IP address of the person requesting the password reset.

That’s what I’m thinking. But why are they spamming it in the first place? They have nothing to gain by doing this.

1 Like

I know, but it’s the same mail server sending me the emails, so we’ve narrowed down the server that is causing the issue (at least for me, anyways).

If the engineers can get access to the server they can probably do a backwards network trace from there to see what endpoints are accessing it, and who is accessing said endpoints.

Perhaps it is just boredom.
Either way, whoever is doing it I hope they get caught.

1 Like

They've actually got quite a bit to gain. By spamming a mail server like this, you can get it to send out very sensitive data in the form of errors; this gives exploiters insight into how the system works, potentially leading to an exploit that will expose very important information, such as the keys used in password reset tickets.

1 Like

Seems patched now. Roblox must have deactivated the old endpoint. Emails weren’t leaked, they used an old endpoint that required a username.

18 Likes
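The thread's conclusion is that an older username-based endpoint sat outside the floodcheck that covers the email-based flow, and one poster noticed letter-case variation in the requests. The following is an added illustration, not Roblox's code or anything posted in the thread: a reset floodcheck that resolves whichever identifier a caller supplies (username or email, any case) to one canonical account id before counting, so every entry point shares a single limit. The account table, limits and function names are constructed assumptions.

```python
# Added example (not from the thread): floodcheck keyed on the canonical account,
# so an alternate lookup key (username vs email) or letter-case variation cannot
# open a second, unlimited path to sending reset emails. Names/limits are assumed.
import time
from collections import defaultdict, deque

# Constructed directory: both lookup keys resolve to the same account id.
ACCOUNTS = {
    "alice": {"id": 1001, "email": "alice@example.com"},
    "bob": {"id": 1002, "email": "bob@example.com"},
}
_BY_EMAIL = {a["email"]: a["id"] for a in ACCOUNTS.values()}


def resolve_account(identifier: str):
    """Map a username or email (any case, stray whitespace) to an account id, or None."""
    key = identifier.strip().lower()
    if "@" in key:
        return _BY_EMAIL.get(key)
    acct = ACCOUNTS.get(key)
    return acct["id"] if acct else None


class ResetFloodcheck:
    """Sliding window: at most `limit` reset emails per account per `window` seconds."""

    def __init__(self, limit=3, window=3600.0):
        self.limit, self.window = limit, window
        self._sent = defaultdict(deque)  # account id -> timestamps of emails sent

    def allow(self, identifier: str, now=None) -> bool:
        """Return True only if a reset email may be sent for this request."""
        now = time.time() if now is None else now
        acct_id = resolve_account(identifier)
        if acct_id is None:
            return False  # unknown identifiers never trigger an email
        q = self._sent[acct_id]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop entries that have aged out of the window
        if len(q) >= self.limit:
            return False  # floodcheck hit, regardless of which key was used
        q.append(now)
        return True


def simulate_flood(requests, limit=3):
    """Count how many of the given identifiers would actually send an email."""
    fc = ResetFloodcheck(limit=limit)
    return sum(fc.allow(ident, now=float(i)) for i, ident in enumerate(requests))
```

Mixing "alice", "ALICE" and "Alice@Example.com" in one burst still yields only `limit` emails, which is the property the old endpoint lacked.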

Shucks, just found it on the Wayback Machine. Guess I can't test it, but glad it's fixed finally.

1 Like