Recent Roblox Security Incident

Hey Developers,

The Developer Relations Team is reaching out to everyone here today to provide details regarding a recent incident on the Roblox platform. Recently, we discovered a vulnerability in one of our servers. While the issue was quickly patched, there is potential that your place could have been impacted. We’d like to reassure you that we are working to mitigate any issues caused by this situation and taking the necessary steps to prevent an incident like this from occurring in the future.

The server was vulnerable on September 7th and 8th prior to the release of the patch. The purpose of this thread is to provide you with assistance regarding how to audit your Roblox place(s) to ensure you were not affected by this vulnerability. If any unintended updates occurred during the time-frame stated previously, please make sure to follow the instructions below:

Go to your Roblox place (Configure Place option) > Check Version History for the following date: 9/7/2017 or 9/8/2017.

You can download the version history of your Roblox places by using the following link. This will help you analyze code changes by comparing the version history of any game updates before September 7th.
https://assetgame.roblox.com/asset/?id={assetId}&version={versionnumber}

Make sure to replace {assetId} and {versionnumber} with the appropriate values from your place (be sure to remove the { } characters as well). For example, to access the 2nd version of the place 1056525529:
https://assetgame.roblox.com/asset/?id=1056525529&version=2
Going to this link will download a file with a name consisting of letters and numbers (it will look something like: “22d370cde5db2d073e4444168460068a”). This file is a copy of your place. Add the .rbxl file extension (and rename the file if you like). You can then open the file with Roblox Studio and check your code.

Please make sure to audit your place(s) for any recent malicious code changes that might have occurred during the cited time-frame. If you notice any differences, we highly encourage you to roll back to an earlier state of your Roblox place before the date mentioned previously. If you have any further questions or concerns please reply to this email.

Thanks,
Developer Relations Team

40 Likes
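
An added example, not part of the original post and not Roblox tooling: a Python script for the audit step above that lists every script added, removed or modified between two versions of a place. It assumes each downloaded version was opened in Roblox Studio and re-saved in the XML `.rbxlx` format, with script text in `Source` properties; the sample place and the names `Shop` and `Extra` are constructed.

```python
import difflib
import xml.etree.ElementTree as ET

SCRIPT_CLASSES = {"Script", "LocalScript", "ModuleScript"}

def collect_scripts(rbxlx_text):
    """Map 'Service/Folder/ScriptName' paths to script source text."""
    scripts = {}
    def walk(item, prefix):
        props = {p.get("name"): p.text or "" for p in item.findall("Properties/*")}
        path = f"{prefix}/{props.get('Name') or item.get('class')}".lstrip("/")
        if item.get("class") in SCRIPT_CLASSES and "Source" in props:
            # Same-named siblings are kept apart by their referent id.
            key = path if path not in scripts else f"{path}#{item.get('referent')}"
            scripts[key] = props["Source"]
        for child in item.findall("Item"):
            walk(child, path)
    for top in ET.fromstring(rbxlx_text).findall("Item"):
        walk(top, "")
    return scripts

def diff_versions(old_text, new_text):
    """Return {path: (status, unified diff lines)} for every changed script."""
    old, new = collect_scripts(old_text), collect_scripts(new_text)
    report = {}
    for path in sorted(old.keys() | new.keys()):
        a, b = old.get(path), new.get(path)
        if a == b:
            continue
        status = "added" if a is None else "removed" if b is None else "modified"
        lines = difflib.unified_diff((a or "").splitlines(), (b or "").splitlines(),
                                     "old", "new", n=0, lineterm="")
        report[path] = (status, list(lines))
    return report

# Constructed sample: a minimal place in XML form, before and after an unexpected update.
ITEM = ('<Item class="{cls}" referent="{ref}"><Properties><string name="Name">{name}'
        '</string><ProtectedString name="Source"><![CDATA[{src}]]></ProtectedString>'
        '</Properties></Item>')
def _place(*items):
    return ('<roblox version="4"><Item class="ServerScriptService" referent="R0">'
            '<Properties><string name="Name">ServerScriptService</string></Properties>'
            + "".join(items) + '</Item></roblox>')
OLD = _place(ITEM.format(cls="Script", ref="R1", name="Shop", src="local price = 100\nprint(price)"))
NEW = _place(ITEM.format(cls="Script", ref="R1", name="Shop", src="local price = 10\nprint(price)"),
             ITEM.format(cls="ModuleScript", ref="R2", name="Extra", src="return {}"))

if __name__ == "__main__":
    for path, (status, lines) in diff_versions(OLD, NEW).items():
        print(status, path, *lines, sep="\n")
```

For real files, read the two `.rbxlx` saves from disk and pass their contents to `diff_versions`, using the last version from before September 7th as the baseline.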

Thanks for letting us know!

1 Like

After receiving this email I noticed my place had been updated (not by me) and I found a one line change.

Thanks for the heads up.

2 Likes

kind of curious what that line was

23 Likes

Were inactive places affected?

1 Like

I assume people that didn’t get a mail (and have one (that’s verified) linked to their account) aren’t affected?
(quickly took a look at my Develop page to see which places were updated since the 7th and checked their Version History, and it seems nothing got uploaded to my places, which is good)

If it’s not sensitive info, what was the change?

1 Like

This is what broke Jailbreak a week ago. I made a thread about it here: “[Serious!] Jailbreak players cannot purchase items”

I never gave an update because I wasn’t sure how public Roblox would be about this security issue. An exploiter updated Jailbreak with some code that inserted a module giving them a full-access command bar in servers. We only caught this because they just happened to make a mistake. They accidentally deleted one character from our code, which broke some in-game items.

After investigating this with Roblox, and with us both blaming each other for the game being broken, we quickly discovered that it was a third party. Somebody had updated Jailbreak and it wasn’t us.

28 Likes

As far as we know, this only impacted active places; additionally, for the exploit to work the place had to have been reasonably popular.

4 Likes

Hah, I saw a bunch of people on Twitter saying this email was fake.

With that said, DO NOT share your place file hashes. If you share the hash, your place can be stolen.

3 Likes

The guy who hacked into my game was nice c:

I checked my game and no code appears to have been altered or added, beyond this comment.
Still, it’s a bit scary that they were able to do this.

13 Likes

Are our games compromised? @Nightgaladeld

1 Like


Roblox+ blocks access to assetgame.roblox.com, and roblox.com/asset?id=

2 Likes

alright I’ll have to temp uninstall it
thanks for the heads up

kinda worried lol there’s 2 edits on that day to my game

Why @WebGL3D? Is there a way to disable this in extension preferences without disabling the extension?

1 Like

It is probably to lower the amount of people stealing assets. Animations used to be able to be stolen as model files this way.

I have a lot of cleaning and game reduxing to do then; I am not scanning one of my primary development places however. When I joined the team to actually get hands-on access to the place, I ran a couple scripts in the command bar for debugging purposes and discovered the existence of 1.9K+ scripts with brutally inefficient code. We don’t update it anymore since it’s old and we’re looking for something new. Given the circumstances we’re in, I highly doubt our game was unaffected.

cc @doser225

Damn, this sounds scary, not even joking. I’ll be sure to check out my places to see whether they have been affected. Thanks for letting us know!

1 Like

What I’m interested to know is why said individual or group of individuals seem to only have modified code for themselves, not to steal and leak games (yet). Leaving behind creepy messages too, surely gives me shivers.

2 Likes