Players arbitrarily get full developer access to our game and have access to server scripts

UPDATE: This was not an innocent bug. Someone has completely stolen the entire game (server scripts included) and republished it. Here’s a video of the bug in action (YouTube).


Hello!

Recently, we (Skate Central) have been receiving an alarming amount of reports from our userbase stating that players are randomly receiving the hammer icon in our game. We also received reports that they were getting access to the server console; however, we were able to (thankfully) verify that this was false. The issue of the icon still appearing is still very much prevalent in our game.

We’ve checked all of the permissions/anything that could be causing this to happen, but are left scratching our heads. The permissions for the game’s access are properly configured (for context, only 3 people have studio access out of our development team of 12 people) — here’s a screenshot. Because this happens to such a small subset of our playerbase, we haven’t been able to identify any constants or steps to reproduce besides the fact that it happens to people in one specific rank in our group (Elite Skater).

Another thing that has happened is that a player has tried to scam other players and use the status of “developer” to persuade them to buy them things like Roblox gift cards. So far we haven’t heard of the bug happening in any other games, but if this has happened in yours please feel free to add on to this post. Here’s a link to our game.

Any advice is appreciated. Thank you for your time!

73 Likes

This has happened to me before. Chances are, said user might have been a developer in the past. If you disable team create and enable it again, you can probably find their user in the Permissions tab in Game Options.

4 Likes

I wish this was the issue, however at no point were any of the users getting it developers in the group. We’ll try disabling/re-enabling team create though and I’ll edit this post with the results. Thanks for the suggestion! Hopefully I can return with good news.

2 Likes

Scratch that. I have checked using Roblox’s endpoint as suggested to me in the past by @TheGamer101. The user you mentioned doesn’t seem to have edit permissions: https://api.roblox.com/users/36073178/canmanage/5881468

I’ve reread your post and I’ve actually misread. I thought the user was getting access to the server console. This seems like a leaderboard bug indeed.

2 Likes

Oh! That’s actually a really clever idea, I wouldn’t have even thought to check using that. At first we were told that they did have access to the server console which caused a (justifiably) large amount of panic within our development group, but we think they might’ve just assumed because they could see f9 they had access to the server logs. Thankfully we were able to work with one of the people and they didn’t have access.

3 Likes

Adding on to this, it appears people can also see various developer-related options on the website, despite not being a developer and not having any type of edit permissions on the game. Users can’t actually access or use any of these options it appears, but regardless this is pretty sketchy.

4 Likes

Update: The bug is still happening, and because of Roblox’s inaction, someone has managed to steal our game.

Video of someone being able to do this (timestamped): https://youtu.be/aqrvUJ-QSUA?t=890

1 Like

We were wrong, players were actually able to access the developer stats & download our game because of this.

Player was able to shut down all our servers and edit the game. We have quadruple checked our permissions for every roleset and checked it for the game itself.

1 Like

I’ve never seen anything like this before. Are you 100% sure these players don’t have any permissions? Someone on the dev team could be sneaking them permissions?

This is very odd and potentially dangerous.

1 Like

We have checked 10 times; no one has edit access other than us.

4 Likes

This is scary. Not trying to fear-monger, but what if this happens large-scale and people are able to copy paid games like ER:LC, Bloxburg, etc.?

4 Likes

A serious issue; ROBLOX needs to fix this problem fast and now. If this spreads it can become a big problem.

This is very serious for all the Developers of Skate Central. You guys should reach out to Developer Relations ASAP. I will try and help you guys by reaching out to Developer Relations on Discord. I wish for the best.

And you’re 100% sure no one on your team is sneaking people permissions? I don’t think it’d be unheard of.

The reason I’m doubting this is a bug is because this doesn’t appear to be happening to any other games, and I haven’t heard of a bug like this happening in years.

2 Likes

To add to this, the people who do have access are limited to only 3 individuals (StarMarine614, retro_mada, and mrflimflam) which hopefully illustrates how locked down we’ve tried to make our game.

1 Like

And how do you know this doesn’t affect a plethora of existing games? I don’t foresee something like this being isolated to one game. Also… the ability to shut down all servers, gain full edit access, and save changes to production when you have no ties to said place isn’t a critical issue that needs immediate recourse…?

1 Like

Because we haven’t seen this? In ANY other game?

There are much more profitable games to target. So why haven’t they been?

1 Like

Skate Park made well over 200,000 USD last month, so plenty of reason.

I would like to point out in the video posted above, when the person refreshes their page they have completely different options. Sometimes they have every option that a normal developer would see, and sometimes they don’t have anything, and sometimes they just have a fancy edit button.

There is nothing in audit logs, no changes in-game to permissions and the only people who can change those permissions are StarMarine, MrFlimFlam and I.

StarMarine has been away for 3 weeks on a business trip, and MrFlimFlam would never in a million years think about touching those even for a video. Also, unless I’m changing these settings with mind control, I’ve never touched them.

4 Likes

If this is still spreading, and users are still getting permission, I would say the best thing to do is currently have the game shut down until this is solved. These users must be getting developer permission IN-GAME.

The only other way users are getting permission is a developer giving someone permissions.

1 Like