Password reset floodcheck bypass

I just got another one 0 minutes ago :frowning:

This attack was different than yesterday’s attack. We have shut down this endpoint for now.

7 Likes

Hopefully you guys will find out who is behind this and take appropriate action. :slight_smile:

Could be a delayed email or an unrelated attempt by someone.

1 Like

I got hit with like 10 of these earlier.

I wonder who's behind this.

The attack method was different? So someone is actively looking for ways to spam emails to us? Nice.

Just received these emails, 5+ in the last hour; hopefully this is fixed soon.

I got 5 emails, hopefully this is finally resolved

I’m still getting emails, they’re gradually decreasing the interval at which they’re sent.

Is this an after effect, or is there a different endpoint being abused now?

3 Likes

(referring to second bout of username based emails)

I’m pretty sure the person was using a legacy password reset endpoint under api.roblox.com, which accepted a username. It was actually listed under the /docs page until a few months ago.

I previously made someone aware of the legacy endpoint; however, it was never removed. There's no impact besides a slight annoyance; the endpoint was rate-limited as far as I had tested it.

The first attack also had a relatively low impact on end users besides the sheer amount of spam; however, it could have been used to smuggle phishing emails in between the legitimate reset emails, since the user had the target's email address. This isn't possible in the method I mentioned in this reply, because the user does not have access to the target's email.

2 Likes
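As an added illustration (not code from this thread or from Roblox's systems) of the floodcheck gap described above: when a legacy username-based reset endpoint keeps its own counter, alternating between it and the email-based endpoint doubles the mail a target receives, whereas keying both entry points by the resolved account caps them together. The accounts, the `ResetService` and its limits are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample directory: username -> email (not real accounts).
ACCOUNTS = {"alice": "alice@example.com", "bob": "bob@example.com"}
EMAIL_TO_USER = {email: user for user, email in ACCOUNTS.items()}


class Floodcheck:
    """Sliding-window limiter: at most `limit` events per `window` seconds per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] > self.window:
            q.popleft()          # drop timestamps outside the window
        if len(q) >= self.limit:
            return False         # floodcheck trips: no email sent
        q.append(now)
        return True


def resolve_account(identifier):
    """Map a username or an email address to the canonical account name, or None."""
    ident = identifier.strip().lower()
    return EMAIL_TO_USER.get(ident) if "@" in ident else (ident if ident in ACCOUNTS else None)


class ResetService:
    """Two reset entry points (current email-based, legacy username-based), one limiter."""

    def __init__(self, shared_key, limit=3, window=3600):
        # shared_key=False: each endpoint counts separately (the bypass in the thread).
        # shared_key=True: both endpoints count against the resolved target account.
        self.shared_key = shared_key
        self.fc = Floodcheck(limit, window)

    def request(self, endpoint, identifier, now):
        account = resolve_account(identifier)
        if account is None:
            return False         # unknown target: send nothing
        key = account if self.shared_key else (endpoint, account)
        return self.fc.allow(key, now)


def emails_sent(shared_key, attempts=5):
    """Reset emails one target receives when requests alternate between the two endpoints."""
    svc = ResetService(shared_key)
    return sum(svc.request("email", "alice@example.com", now=i)
               + svc.request("username", "alice", now=i) for i in range(attempts))
```

With per-endpoint counters the target gets 6 emails from 10 requests; with the account-keyed limiter the same 10 requests yield 3.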

I am still receiving these but at the moment it’s at 4 and the latest was about 2 hours ago.

Just received another a second after this post.

I’ve received six of these over the past three hours. I received the last one 55 minutes ago.

1 Like

Received 4 emails between 05:30 and 07:45, and received my fifth a few minutes ago at 09:26. Whoever’s doing it, they’re an equal opportunist.

Just pointing out that these emails are most likely from a backlog and are only coming through now. If you visit the link, you’ll see they’ve already expired.


2 Likes

Just changed my email… not sure if that was necessary.

It wasn’t. Someone was abusing the old API that required one’s username to prompt the password reset process. Nothing was leaked with it so rest assured.

Is there going to be an official statement on this? Seen quite a lot of people spreading misinformation on this (like this post for example). Don’t think that people who don’t have access to this category should be kept in the dark.

2 Likes

I didn’t get anywhere near that amount (as of the time of this post) but I still was bombarded at about 6 a.m. CEST.
Not sure why it’s being done, or how, but it’s definitely worrying.

1 Like

Still very actively receiving them.
It might be worth investigating a potential security breach.

3 Likes