Potentially Dangerous exploit in Studio Found (SOLVED)

NOTICE: I may have mixed up the original word “TextButton” with “TextLabel”, so keep that in mind, as this was rushed.

Hello!

I am @thebigreeman, and I do a lot of insane HTTP service projects on ROBLOX and reverse engineering.

I have recently found a potentially dangerous exploit in studio that could allow the studio client to make web changes on create.roblox

And it is to do with how this game template is different to the others:

Inside the game template, there is a certain instance which has a special property that cannot be recreated.

All that this special property does is that it redirects you to a webpage which is a tutorial on how to assemble modular environments when you click on the TextButton.

So, you may be wondering: what's so dangerous about this one singular TextButton? I mean, how much harm can it REALLY cause to your account?

Flaw 1: Even though you can't recreate/clone it, you can still edit it like a normal TextButton and it will keep its special website redirect property.

Flaw 2: The TextButton has an attribute that allows you to !!! CHANGE WHAT PAGE IT REDIRECTS TO !!!

Yikes…

Not only that, absolutely ANYTHING you type into this box, regardless of whether it is a valid page or not, WILL be concatenated with create.roblox.com

So, how can we lethalise this to our own malicious use?

On the lighter side, we can use this to possibly jumpscare our friends in TeamCreate if we felt like it.

All information in this paragraph is a pretty far fetch and could probably not even be possible at all.

Not 100% sure

Depending on the web browser you are using, you may be safe or at possible risk.

Most of you are hopefully safe as your web browser can only do API calls of the GET method, but in a situation where that's NOT the case, we can use create.roblox APIs to do things such as possibly manage games that you own and your account with a simple click of a button in Studio.

Anyways, to end this off:

1: This exploit only exists in this .RBXL, so if you want other people to see it you either need to TeamCreate or hand out the .RBXL file.

2: If you try to upload it, copy and paste, drag, or do anything to try and replicate it, the clone will lose its special properties and turn back into an ordinary TextButton again.

To ROBLOX staff or developers if they are reading this:

There is no need to remove this TextButton, but you need to make it so you can’t edit the Instance at all, or at least remove its special properties once it has been edited.

2 Likes
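The post above describes a redirect target built by concatenating whatever the user typed onto create.roblox.com. From a defender's side, the check worth having on any such "base + untrusted fragment" redirect is to resolve the final URL and confirm it still lands on the host you intended. The following is an added example (not code from the original post, Roblox, or Studio) showing that check in Python with the standard library; the base URL, the allowed-host set and the sample fragments are assumptions constructed for the demonstration.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Assumed trusted base: the site the post says the button's target is concatenated onto.
BASE_URL = "https://create.roblox.com/"
# Hosts a resolved redirect is allowed to land on (assumption for this example).
ALLOWED_HOSTS = {"create.roblox.com"}


def resolve_redirect(user_fragment: str) -> Optional[str]:
    """Concatenate the untrusted fragment onto BASE_URL and return the final URL
    only if it still points at an allowed host over https; otherwise return None."""
    candidate = urljoin(BASE_URL, user_fragment)
    parts = urlsplit(candidate)
    # Only plain https navigation is acceptable for a redirect target.
    if parts.scheme != "https":
        return None
    # .hostname drops any port and userinfo; also refuse any userinfo outright.
    if parts.hostname not in ALLOWED_HOSTS or parts.username is not None:
        return None
    return candidate


def classify(fragments) -> dict:
    """Map each constructed fragment to its resolved URL or None (rejected)."""
    return {fragment: resolve_redirect(fragment) for fragment in fragments}


if __name__ == "__main__":
    # Constructed sample inputs: two ordinary paths and two that would leave the host.
    samples = [
        "docs/building-and-visuals",
        "/dashboard/creations",
        "https://example.com/",
        "//example.com/x",
    ]
    for fragment, result in classify(samples).items():
        print(f"{fragment!r:32} -> {result}")
```

The point of parsing the *resolved* URL rather than inspecting the raw fragment is that `urljoin` treats an absolute or scheme-relative fragment as a replacement for the base, so a string check on the prefix alone would not tell you where the browser actually ends up; checking `hostname` after resolution does.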

I’m pretty sure most, if not all, Create pages are more “application” based instead of URL-based, meaning that you can’t perform an action like making a game private through a URL, it’s controlled through an API call in the JavaScript that’s embedded within specific management pages. So, unless I’m missing something, realistically all this could do is take you to the “Access” page of a game you own, but it wouldn’t be able to click the button to make it private (the URL would be: create.roblox.com/dashboard/creations/experiences/[...]/places/[...]/access).

Web browsers have to support GET requests to actually fetch the HTML contents of a web page, but they also have to support all the other methods for the JavaScript embedded in those pages for API calls, but you won’t be able to use a URL for that as it’ll just assume you want a GET request, to, well, load a page. If you look at Roblox’s web API documentation, you can see how most “action” requests require a request type of POST, which browsers do not use when opening a URL.

1 Like

This isn’t much of a security vulnerability; you’re confined within the scope of create.roblox.com. Unless you could escape that, I don’t see this as much of an issue, just a fun quirk.

1 Like

Alright, I did a bit more research and I think I overreacted WAY too early.

1: The best you can do is really take someone to an access page, but you can't actually control it.
2: It's practically the same as an `<a>` tag in HTML.

This could probably be used for more fun purposes like I've shown above.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.