A serious issue, ROBLOX is needing to fix this problem fast and now. If this spreads it can become a big problem.
This is very serious for all the Developers of Skate Centeral. You guys should reach out to Developer Relations ASAP. I will try and help you guys by reaching out to Developer Relations on Discord, I wish for the best.
And you’re 100% sure no one on your team is sneaking people permissions? I don’t think it’d be unheard of.
The reason I’m doubting this is a bug is because this doesn’t appear to be happening to any other games, and I haven’t heard of a bug like this happening in years.
To add to this, the people who do have access is limited to only 3 individuals (StarMarine614, retro_mada, and mrflimflam) which hopefully illustrates how locked down we’ve tried to make our game.
And how do you know this doesn’t affect a plethora of existing games? I don’t foresee something like this being isolated to one game. Also… the ability to shutdown all servers, gain full edit access, and save changes to production when you have no ties to said place isn’t a critical issue that needs immediate recourse…?
Because we haven’t seen this? In ANY other game?
There are much more profitable games to target. So why haven’t they been?
Skate Park made well over 200,000 USD last month, so plenty of reason.
I would like to point out in the video posted above, when the person refreshes their page they have completely different options. Sometimes they have every option that a normal developer would see, and sometimes they don’t have anything, and sometimes they just have a fancy edit button.
There is nothing in audit logs, no changes in-game to permissions and the only people who can change those permissions are StarMarine, MrFlimFlam and I.
StarMarine has been away for 3 weeks on a business trip, and MrFlimFlam would never in a million years think about touching those even for a video. Also, unless I’m changing these settings with mind control, I’ve never touched them.
If this is still spreading, and users are still getting permission. I would say the best thing to do is currently have the game shut down until this is solved. These users must be getting developer permission IN-GAME.
The only other way users are getting permission is a developer giving someone permissions.
Hopefully this doesn’t happen large scale as I assume large amounts of people would flock to free paid-games and bring away potential buyers from the official game.
Except it’s very likely we have, but just haven’t realized it. From reports we’ve received, it appears the ability to use the exposed developer functions is very picky and doesn’t always work - especially shutting down the servers.
The ability to leak the game has been around forever with exploiting. The ability to press “Shutdown All Servers” and have a 50/50 chance to succeed as a random player is a serious (and critical) issue.
Not even sure why we’re debating the severity at this point. Even if it was one game (which I STRONGLY doubt it is), the severity of the actions made available to random members doesn’t change.
Reference to what I said before:
THIS should not even be a point of debate.
This is the ONLY report of this right now. Please read up on the rules for the critical tag.
As it’s been reinstated multiple times, this is the first report of possibly many.
Even if the issue is localised to a single game, you’ve confirmed its an issue with Roblox’s backend meaning it could easily be expanded to other games
Have you also tried informing Exploit Reports regarding this issue?
Has all users who have the hammer next to their name able to download the game etc?
In the meantime, I’d advise disabling Team Create and moving your development version to a separate, fresh game, which should clean up any funky behaviour until this can get properly diagnosed.
We’ve always used a separate place for development, and TC is already disabled unfortunately.
This might not be the best idea, but until this is fixed what if you create a copy of the current game and make the original game automatically teleport people who join to the new game?
Team Create does have completely separate permission settings, which can whitelist groups, users, or roles. Definitely worth checking. Your live, production game should also never have Team Create enabled, if you build it in Team Create, it should always be in a separate place file, that the game owner then publishes to the live game place.
For the game devs: That guy “uui” in the video getting edit access… he shows as being “Elite Skater”, whereas most people in the group are just Skater. Has it be doubly and triply checked that this group has no elevated permissions, either in the group role settings or in the team create place settings?
Yes we have checked multiple times, they don’t have access in either place.
