So about an hour ago, my friend tiipot got hacked, losing about 50k rap. Although this is really unfortunate, there is a bigger issue: the fact that she had a really strong password and had two step verification enabled, yet she received no email.
She had previously received a rollback, but she is unable to do this now. If two step verification worked, then this problem wouldn’t have happened.
There is a loophole to get around it, and I have been looking for a workaround, but haven’t found it yet.
Attached below is a picture from tiipot’s emails that she let me use in this post, showing that she had no 2SV email.
Please increase the two step verification security.
I can’t say if Customer Service will give her back her items or not.
This case has all the hallmarks of a compromised email account. A hacker gets into the user’s email account, then uses that to do password resets and 2 Step Verification. They delete the emails as soon as they get them, so the victim doesn’t even know what’s happening. This has happened to some very famous and savvy ROBLOX users, who did not have their email account locked down with a unique password and its own 2 Step Verification.
That is my theory in this case. Maybe I’m wrong. You can say we should “fix Two Step Verification” and make it stronger, but we can’t do that if there are no steps to reproduce the hack, pinpointing the problem. We do plan to offer an option other than email for 2SV code delivery that will prevent email account hacks.
2SV is bypassed with cookies because otherwise every time you loaded a page you’d have to log in again. Cookies are what keep you logged into the site. The problem is that ROBLOX doesn’t verify that it’s you who’s using the cookie. They could check IP, but that changes too frequently on mobile devices, so you’d end up with the same issue of having to log in whenever you loaded a page.
Though, something that could be done is giving the IP a little wiggle room, so even if it changes, as long as it’s sensible, the cookie isn’t invalidated. If my IP geolocation changes from Atlanta to Atlanta, there’s a good chance that’s still me. If it changes from Georgia to Nebraska, that’s a red flag. I don’t know how feasible this is though – you’d have to ask @Seranok or @TobotRobot.
If someone has access to your session cookie, say from a browser extension, they can perform whatever malicious actions right there in your browser. Don’t install extensions you don’t trust.
Trying to make sessions only work within a certain geographic proximity of the original session IP doesn’t seem like a good overall solution. If the restrictions are too broad then it’s a useless security measure, if they are too narrow then legitimate users get logged out.
It may be possible to securely pass a session from the browser to the client/Studio (say by redirecting a request to the custom protocol handler that ROBLOX client/Studio handles). The protocol URL would contain the secret session info and as long as JavaScript/browser extensions can’t figure out the URL, we could move away from our current system towards this one. But this would be an enormous engineering effort.