Potential DevForum Login Vulnerability


So as you may know, pauljkl’s and my ROBLOX accounts were hijacked this week. Pauljkl and I chatted about this for a while and we came to the conclusion that we were possibly attacked by the same person.

My account was compromised last Monday and Pauljkl’s last Thursday; here are the details:

  • My limited items were traded to T0WEL and Paul’s to AbstractMadness
  • The attacker bought AbstractMadness’ group’s t-shirt with my account.
  • My password and email were not changed but Paul’s were (My .ROBLOSECURITY cookie stolen, idk?)

  • We both only log onto devforums on our own computers and in secure networks.
  • We didn’t have any RATs nor viruses.

I don’t really know a lot about web security but Pauljkl thinks there is a vulnerability with the devforum login.

When Paul gets back, he’ll update with more info (probably).

If they have access to your devforum account by spoofing a cookie or whatever, they only got your email.
(Along with all your settings, the ability to read your messages on here, post as you, …)
I can’t find any way to log in on the main site using the devforum.

@einsteinK If you’re not logged in on the main site, go to the devforum and log in; you are redirected to the roblox login page, log in there and you’re logged in on both sites.

What I am thinking is that both Trioxide and I have been attacked by the same person.

Some other facts:

  • We both log into devforum every day.
  • We have both used 4G on android to access devforum in the past week.
  • Both of us have been unable to find any viruses, spyware or malware.
  • Trioxide and I are not in the same country, so it couldn’t be an insecure network?
  • Both attacks had links to AbstractMadness’ account, yet neither of us knew AbstractMadness before this attack.
  • The email they attempted to change my account to was katiemuise420@gmail.com, if anyone knows anything about this address.

I would suggest a poison ban on his account. It might mean they will try to gain funds from selling the exploit on, which leads to leaks and patches being made.

Do you guys use ROBLOX+? Recently I heard from a few sources that ROBLOX+ now asks for more permissions in your browser. That’s why I never used ROBLOX+ before; I don’t trust it.

No, my Chrome browsers are vanilla apart from AdBlock.

@pauljkl That really sucks dude. I hope both of you get back what you lost. :confused: Add my new skype account when you have the time please.

ROBLOX+ is not malicious. You can check the code yourself. If WebGL3D wanted to steal accounts, he would have already; which he has not.

@Usering Sorry I don’t trust anything human made Kappa :stuck_out_tongue:

In order to change your ROBLOX account password the person MUST have access to:
A) your verified email
B) your current password

I was the web engineer who added the dev forum login integration. There is no real tie between your ROBLOX account and the Dev Forum. Even if someone could abuse the system and log into a Dev Forum account they don’t own, it would be impossible to use that to get into the user’s ROBLOX account.

While it is possible that this is an exploit in the ROBLOX website, I can’t find any evidence to support this.

Do either of you use the same password on any other sites that you do for ROBLOX (or for your email address)? Especially any ROBLOX-related sites. This has bitten a lot of users in the past.

If you do find more information, please let us know.

The reason I suspect it was devforum was because I logged into devforum through the redirect when you press login the day before my account was compromised. Every other time I logged in it was through the roblox main site and then the auto login on devforum.
I do not participate in any of the wider roblox community. Nor would I entrust a site run by a roblox user with my email or a non-throwaway password.

Like Merely1 said:

You login on the devforum by logging in on roblox.
Once you’re logged in on the forums, you can logout on the main site.
It’s a one-way login: Main site to the forums, not the other way around.

Maybe they guessed your password?
They could’ve also brute-forced the site, but that would be very difficult:

  • Login attempts per IP are limited
  • There are about 16^1093 .ROBLOSECURITY possibilities iirc

I have spoken with Buddyism about it and he explained something similar.
My password was 12 chars long which is an adequate strength against brute force. It has been changed since but I am unsure how they got in.
It just seems strange that both Trioxide and I got attacked within a week.

To the poison ban, you do realize that would kill any account they manage to get on, right?

Belial52, PyroInfinity, and Refactor just had this happen to them as well. They all said they got tons of password reset emails prior to being locked out of their account, so perhaps it’s related to password reset emails. Belial52 and Refactor both had their emails hijacked as well – the emails had different passwords than the accounts and weren’t obvious (i.e. belial52@gmail.com). All of them had ROBLOX+ installed as well, if that makes a difference. So far it seems like everyone who’s had their account taken had ROBLOX+ installed.

Since you can’t access the dev forums when you don’t have access to your ROBLOX account, let us know all you can about what led up to your account being taken in the Skype lounge if this does happen to you. If you get your account taken over but don’t use ROBLOX+, that’s important info as well.

@EchoReaper ROBLOX+ is not a phishing extension; you can check the source code yourself. If you actually read the code, there is nothing that is sending account information to a private server, plus the creator even made it not work on the DevForum, Wiki and Blog (if I’m not mistaken).

When’s the last time you checked the source code?

It’s changed recently.

[6:22:37 PM] Luke / PyroInfinity: it sends information directly to www.robloxplus.com

It’s not necessarily related to the dev forum.

It doesn’t send your password or .ROBLOSECURITY to the server, so there is no way the creator can steal your information.

I just checked the ‘content.js’ file in the extension and the only reference to robloxplus.com is to get the name of a YouTube video. In ‘preroblox.js’, it shows up 4 times; these are only to get access to certain APIs. Just look at the source code and see for yourself.

I have WebGL3D on Skype; after asking what some of the API calls do, this is what he told me. (I also checked the source myself, ok.)

(keeping the main discussion on 1 thread)

If there is a login vulnerability here, then presumably you’re safe if you keep your devforum account logged in 24/7, and you’re not logging in on any new devices. I wonder if any higher-earning developers have initiated a devforum log-in in the past week or so, along with the people who have already been hijacked.

I’m not going to say that it’s impossible for these attacks to originate from the devforums, but why would these attacks be carried out on non-administrators? Surely, if someone has the means of stealing these accounts through the devforums, they would also be able to take administrator accounts, which are highly valued.

There is no evidence of that taking place, which is why I’m speculating it doesn’t have to do with vulnerabilities on the devforums.