Please fix Two-Step Verification

How are we supposed to investigate and fix this if we don’t know who your friend is?

2 Likes

Would guess it’s this person: https://www.roblox.com/users/12913712/profile

Sorry, I should have been clearer. My friend’s name is Tiipot, but I only mentioned it once. Sorry.

Just asked her. Facebook was not linked.

There’s actually no way to tell if your account is linked to a Facebook account.

Do we even need it anymore?

Sorry I missed her username.

We can see Facebook link in our admin tools. She is not Facebook linked.

3 Likes

Then there must be a workaround with 2 step verification.

I’m presuming that Tiipot won’t get her items back, will she?

Could be that she was tricked into giving out her cookie. Ask her if she copied and pasted any codes from websites recently.

I can’t say if Customer Service will give her back her items or not.

This case has all the hallmarks of a compromised email account. A hacker gets into the user’s email account, then uses that to do password resets and 2 Step Verification. They delete the emails as soon as they get them, so the victim doesn’t even know what’s happening. This has happened to some very famous and savvy ROBLOX users, who did not have their email account locked down with a unique password and its own 2 Step Verification.

That is my theory in this case. Maybe I’m wrong. You can say we should “fix Two Step Verification” and make it stronger, but we can’t do that if there are no steps to reproduce the hack, pinpointing the problem. We do plan to offer an option other than email for 2SV code delivery that will prevent email account hacks.

10 Likes

I agree with ReeseMcBlox: there’s really nothing saying it was a fault of 2FA, while it does seem pretty indicative of an email breach.

I strongly recommend everyone gives their email some type of two-factor authentication, regardless of how secure you think it is without it.

She was just hacked randomly. R+ notified her when her items were taken.

Tiipot was the only person to sign in to her email, and nobody else has signed in since the 24th of October.

So I have found out that Tiipot was hacked because of the bloxcity extension.

I’m now pretty positive that the loophole with 2SV is to do with the ROBLOSECURITY.

Will there be 2SV enabled if someone gets into your account through roblosecurity?

2SV is bypassed with cookies because otherwise every time you loaded a page you’d have to log in again. Cookies are what keep you logged into the site. The problem is that ROBLOX doesn’t verify that it’s you who’s using the cookie. They could check IP, but that changes too frequently on mobile devices, so you’d end up with the same issue of having to log in whenever you loaded a page.

Though, something that could be done is giving the IP a little wiggle room, so even if it changes, as long as it’s sensible, the cookie isn’t invalidated. If my IP geolocation changes from Atlanta to Atlanta, there’s a good chance that’s still me. If it changes from Georgia to Nebraska, that’s a red flag. I don’t know how feasible this is though – you’d have to ask @Seranok or @TobotRobot.

1 Like

If someone has access to your session cookie, say from a browser extension, they can perform whatever malicious actions right there in your browser. Don’t install extensions you don’t trust.

Trying to make sessions only work within a certain geographic proximity of the original session IP doesn’t seem like a good overall solution. If the restrictions are too broad then it’s a useless security measure, if they are too narrow then legitimate users get logged out.

It may be possible to securely pass a session from the browser to the client/Studio (say by redirecting a request to the custom protocol handler that ROBLOX client/Studio handles). The protocol URL would contain the secret session info and as long as JavaScript/browser extensions can’t figure out the URL, we could move away from our current system towards this one. But this would be an enormous engineering effort.

1 Like
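The geographic wiggle-room idea and the trade-off raised in the two replies above, as an added example that is not part of the original thread and is not ROBLOX code. It assumes each request's IP has already been resolved to coordinates by some geolocation lookup; the names, thresholds and sample requests are constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0

@dataclass(frozen=True)
class Request:
    label: str
    is_owner: bool   # ground truth, known only because the data is constructed
    lat: float       # coordinates assumed to come from an IP-geolocation lookup
    lon: float

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two coordinates."""
    p1, l1, p2, l2 = map(math.radians, (lat1, lon1, lat2, lon2))
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin((l2 - l1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def check_session(origin, req, max_km):
    """Keep the cookie valid only if the request is within max_km of the login location."""
    d = distance_km(origin[0], origin[1], req.lat, req.lon)
    return "allow" if d <= max_km else "invalidate"

def error_counts(origin, requests, max_km):
    """Return (non-owner requests allowed, owner requests invalidated)."""
    wrongly_allowed = wrongly_invalidated = 0
    for req in requests:
        decision = check_session(origin, req, max_km)
        if decision == "allow" and not req.is_owner:
            wrongly_allowed += 1
        elif decision == "invalidate" and req.is_owner:
            wrongly_invalidated += 1
    return wrongly_allowed, wrongly_invalidated

# Constructed sample data: session created in Atlanta, Georgia.
ATLANTA = (33.749, -84.388)
SAMPLE = [
    Request("owner, new IP in the same metro area", True, 33.953, -84.550),
    Request("owner, travelling to Omaha, Nebraska", True, 41.257, -95.935),
    Request("copied cookie replayed from ~100 km away", False, 33.951, -83.357),
    Request("copied cookie replayed from Nebraska", False, 41.257, -95.935),
]

if __name__ == "__main__":
    for max_km in (50, 150, 5000):
        print(max_km, error_counts(ATLANTA, SAMPLE, max_km))
```

On this sample no single radius gets both counts to zero: 50 km logs out the travelling owner, 150 km also lets the nearby replay through, and 5000 km allows every request.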

Tiipot has received her items back. I greatly thank everyone for helping her out, much appreciated!

1 Like

Wouldn’t hiding something like that from JS be impossible?

1 Like

No, it wouldn’t be impossible. JavaScript has limitations on the response headers it can read and redirects are handled transparently.

1 Like

Even with webRequest?