The Developer Relations Team is reaching out to everyone here today to provide details regarding a recent incident on the Roblox platform. Recently, we discovered a vulnerability in one of our servers. While the issue was quickly patched, there is potential that your place could have been impacted. We’d like to reassure you that we are working to mitigate any issues caused by this situation and taking the necessary steps to prevent an incident like this from occurring in the future.
The server was vulnerable on September 7th and 8th prior to the release of the patch. The purpose of this thread is to provide you with assistance regarding how to audit your Roblox place(s) to ensure you were not affected by this vulnerability. If any unintended updates occurred during the time-frame stated previously, please make sure to follow the instructions below:
Go to your Roblox place (Configure Place option) > Check Version History for the following date: 9/7/2017 or 9/8/2017.
Make sure to replace {assetId} and {versionnumber} with the appropriate values from your place (be sure to remove the { } characters as well). For example, to access the 2nd version of the place 1056525529: https://assetgame.roblox.com/asset/?id=1056525529&version=2
Going to this link will download a file with a name consisting of letters and numbers (it will look something like: “22d370cde5db2d073e4444168460068a”). This file is a copy of your place. Add the .rbxl file extension (and rename the file if you like). You can then open the file with Roblox Studio and check your code.
Please make sure to audit your place(s) for any recent malicious code changes that might have occurred during the cited time-frame. If you notice any differences, we highly encourage you to roll back to an earlier state of your Roblox place before the date mentioned previously. If you have any further questions or concerns please reply to this email.
I assume people that didn’t get a mail (and have one (that’s verified) linked to their account) aren’t affected? (quickly took a look at my Develop page to see which places were updated since the 7th and checked their Version History, and it seems nothing got uploaded to my places, which is good)
I never gave an update because I wasn’t sure how public Roblox would be about this security issue. An exploiter updated Jailbreak with some code that inserted a module giving them a full access command bar in servers. We only caught this because they just happened to make a mistake. They accidentally deleted one character from our code which broke some in game items.
After investigating this with Roblox, and with us both blaming each other for the game being broken, we quickly discovered that it was a third party. Somebody had updated Jailbreak and it wasn’t us.
I have a lot of cleaning and game reduxing to do then; I am not scanning one of my primary development places however. When I joined the team to actually get hands-on access to the place, I ran a couple scripts in the command bar for debugging purposes and discovered the existence of 1.9K+ scripts with brutally inefficient code. We don’t update it anymore since it’s old and we’re looking for something new. Given the circumstances we’re in, I highly doubt our game was unaffected.
What I’m interested to know is why said individual or group of individuals seem to only have modified code for themselves, not to steal and leak games (yet). Leaving behind creepy messages too, surely gives me shivers.