Presence API exposing what people are playing if their privacy is set to 'Friends', even if you are not friends!

Straightforward:

https://presence.roblox.com/v1/presence/users is exposing ALL game data of people with joins disabled, if it is set to ‘Friends’. You can see it even if you are not friends!

Going on a profile of someone with joins set to ‘Friends’ will show the game that the person is playing, even if you are not friends.
This allows anyone to manually join using the gameid exposed.

Note for people watching this: Join button will just say that user has left. It is only the presence API impacted. Join data is provided from this API, but it is not requested by the client.

This behaviour started recently.

Expected behavior

No game data should be exposed

5 Likes

Screenshot 2025-04-25 160100
This is what pops up when opening the page, I’m not sure if this is what’s supposed to show up, but I’m gonna assume that Roblox took action thankfully.

1 Like

You need to do a “POST” type of request in order to use this link. Web browsers normally only use GET when you click on them normally. This seems to still happen and is not fixed.

1 Like

Thanks for the report, we’re rolling back a related change. Should be fixed shortly.

1 Like

Update: The bad change has been rolled back. We are no longer able to reproduce the issue on our end. But please do let us know if you are still encountering this issue. Thanks!

1 Like
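
The expected behaviour from the report, enforced on the server side, as an added example that is not part of the original thread and is not Roblox's code: game fields are redacted per target before a presence batch is serialized, so the result does not depend on what the client chooses to request. The setting names other than 'Friends', the record fields, the function names and the sample data are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class JoinPrivacy(Enum):  # assumed names; the thread only mentions 'Friends'
    EVERYONE = "Everyone"
    FRIENDS = "Friends"
    NO_ONE = "NoOne"

@dataclass(frozen=True)
class Presence:  # assumed record shape, not the real API schema
    user_id: int
    online: bool
    place_id: Optional[int] = None
    game_id: Optional[str] = None  # instance id, enough to join manually

def may_see_game(viewer_id, target_id, privacy, friends):
    """Decide per target whether this viewer may receive game fields."""
    if viewer_id is not None and viewer_id == target_id:
        return True
    if privacy is JoinPrivacy.EVERYONE:
        return True
    if privacy is JoinPrivacy.FRIENDS:
        return viewer_id is not None and frozenset((viewer_id, target_id)) in friends
    return False  # NO_ONE or a missing/unknown setting fails closed

def presence_batch(viewer_id, records, privacy_of, friends):
    """Redact every record of a batch lookup before it is serialized."""
    out = []
    for p in records:
        privacy = privacy_of.get(p.user_id)  # None when no setting is stored
        if may_see_game(viewer_id, p.user_id, privacy, friends):
            out.append(p)
        else:
            # Assumption: online status stays visible, game fields do not.
            out.append(Presence(user_id=p.user_id, online=p.online))
    return out

# Constructed sample data: users 1 and 2 are friends, user 3 is a stranger.
FRIENDS = {frozenset((1, 2))}
PRIVACY = {1: JoinPrivacy.FRIENDS, 4: JoinPrivacy.EVERYONE}
SAMPLE = [
    Presence(1, True, place_id=1001, game_id="constructed-instance-a"),
    Presence(4, True, place_id=1002, game_id="constructed-instance-b"),
    Presence(5, True, place_id=1003, game_id="constructed-instance-c"),
]

if __name__ == "__main__":
    for viewer in (2, 3, None):
        print(viewer, presence_batch(viewer, SAMPLE, PRIVACY, FRIENDS))
```

Asserting on the stranger and unauthenticated cases in a regression test is what would catch a change like the one rolled back in this thread.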