So as you may know, pauljkl’s and my ROBLOX accounts were hijacked this week. Pauljkl and I chatted about this for a while and we came to the conclusion that we were possibly attacked by the same person.
My account was compromised last Monday and Pauljkl’s last Thursday, and here are the details:
My limited items were traded to T0WEL and Paul’s to AbstractMadness
If they have access to your devforum account by spoofing a cookie or whatever, they only got your email.
(Along with all your settings, the ability to read your messages on here, post as you, …)
I can’t find any way to log in on the main site using the devforum.
In order to change your ROBLOX account password the person MUST have access to:
A) your verified email
B) your current password
I was the web engineer who added the dev forum login integration. There is no real tie between your ROBLOX account and the Dev Forum. Even if someone could abuse the system and log into a Dev Forum account they don’t own, it would be impossible to use that to get into the user’s ROBLOX account.
While it is possible that this is an exploit in the ROBLOX website, I can’t find any evidence to support this.
Do either of you use the same password on any other sites that you do for ROBLOX (or for your email address)? Especially any ROBLOX-related sites. This has bitten a lot of users in the past.
If you do find more information, please let us know.
The reason I suspect it was devforum was because I logged into devforum through the redirect when you press login the day before my account was compromised. Every other time I logged in it was through the roblox main site and then the auto login on devforum.
I do not participate in any of the wider roblox community. Nor would I entrust a site run by a roblox user with my email or a non-throwaway password.
I have spoken with Buddyism about it and he explained something similar.
My password was 12 chars long which is an adequate strength against brute force. It has been changed since but I am unsure how they got in.
Just seems strange that both trioxide and I got attacked within a week.
Belial52, PyroInfinity, and Refactor just had this happen to them as well. They all said they got tons of password reset emails prior to being locked out of their account, so perhaps it’s related to password reset emails. Belial52 and Refactor both had their emails hijacked as well – the emails had different passwords than the accounts and weren’t obvious (i.e. firstname.lastname@example.org). All of them had ROBLOX+ installed as well if that makes a difference. So far it seems like everyone who’s had their account taken had ROBLOX+ installed.
Since you can’t access the dev forums when you don’t have access to your ROBLOX account, let us know all you can about what led up to your account being taken in the Skype lounge if this does happen to you. If you get your account taken over but don’t use ROBLOX+, that’s important info as well.
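The burst of password reset emails reported above is the kind of signal an account provider can alert on. The following is an added example, not code from this thread or from ROBLOX: it parses constructed password-reset request log lines (the line format, account names and IPs are assumptions) and flags any account that receives a cluster of reset requests inside a short sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format below is an assumption, not a real ROBLOX log:
# "<ISO timestamp> password_reset_requested account=<name> ip=<addr>"
SAMPLE_LOG = """\
2016-05-02T10:00:01 password_reset_requested account=alice ip=203.0.113.5
2016-05-02T10:00:09 password_reset_requested account=alice ip=203.0.113.5
2016-05-02T10:00:20 password_reset_requested account=alice ip=203.0.113.5
2016-05-02T10:00:31 password_reset_requested account=alice ip=203.0.113.5
2016-05-02T10:01:02 password_reset_requested account=alice ip=203.0.113.5
2016-05-02T10:03:00 password_reset_requested account=bob ip=198.51.100.7
2016-05-02T11:30:00 password_reset_requested account=bob ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) password_reset_requested account=(\S+) ip=(\S+)$")


def parse(log_text):
    """Turn matching log lines into (timestamp, account, ip) tuples; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def reset_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {account: (count, first_ts, last_ts)} for every account that gets at
    least `threshold` reset requests inside some sliding window of length `window`.
    A legitimate user rarely requests more than one or two resets in a few minutes,
    so a cluster like this is worth an alert (or a temporary lock on further resets)."""
    per_account = defaultdict(list)
    for ts, account, _ip in sorted(events):
        per_account[account].append(ts)
    bursts = {}
    for account, times in per_account.items():
        start, best = 0, None
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[start], ts)
        if best:
            bursts[account] = best
    return bursts
```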
@EchoReaper ROBLOX+ is not a phishing extension; you can check the source code yourself. If you actually read the code, there is nothing that is sending account information to a private server, plus the creator even made it not work on the DevForum, Wiki and Blog (if I’m not mistaken).
It doesn’t send your password or .ROBLOSECURITY to the server, so there is no way the creator can steal your information.
I just checked the ‘content.js’ file in the extension and the only reference to robloxplus.com is to get the name of a YouTube video. In ‘preroblox.js’, it shows up 4 times; these are only to get access to certain APIs. Just look at the source code and see for yourself.
If there is a login vulnerability here, then presumably you’re safe if you keep your devforum account logged in 24/7, and you’re not logging in on any new devices. I wonder if any higher-earning developers have initiated a devforum log-in in the past week or so, along with the people who have already been hijacked.
I’m not going to say that it’s impossible for these attacks to originate from the devforums, but why would these attacks be brought out on non-administrators? Surely, if someone has the means of stealing these accounts through the devforums, they would also be able to take administrator accounts, which are highly valued.
There is no evidence of that taking place, which is why I’m speculating it doesn’t have to do with vulnerabilities on the devforums.