Report menu has a vulnerability that allows accounts to be banned instantly

(post derived from this with the permission of the original post creator.)
((to clarify, I did NOT make this post, merely uploaded it into bug reports since the original OP couldn’t.))

"Unfortunately, there’s a brand new way to terminate any Roblox account with an open place. The last post that came from one of the individuals whose development team was affected was unlisted & closed, which is unfortunate, but I hope to bring light to this issue with actual “evidence”, if you can call a heavily blocked-out (as a precaution not to spread the exploit) screenshot evidence.

Today, two developers in a development team I actively communicate with were terminated for the same vague reason, with no further explanation as to why or how; the asset linked is simply a place name & place ID:
[image]
[image]

I discovered a piece of evidence that something like this DOES exist, so we don’t seem to be the only people targeted with this type of attack. The next image will be EXTREMELY censored to prevent showing what is done & how it gets the game deleted, as well as the extremely crude language put in by the exploiter. This relies on an external tool, but the method at its core is far too simple! I am baffled at how heavily the client is trusted, for its information to be used without human checks to terminate an account. Remember the “Crosswoods” incident? Guess it’s the reverse of it.
[image]

I will not elaborate on how to replicate this in public because this is EXTREMELY easy to perform and, therefore, very dangerous, but as a safety precaution - close your public places if you feel like you may be subject to this attack.
This needs to be fixed REALLY QUICK as the word is slowly spreading around and the isolated incident could turn into publicly available information. Please, if you are a staff member, ask for all the information you need; I will provide everything known to mitigate the impact, as well as a list of the known accounts who have been affected by this."

Expected behavior

Given a false report, moderation should check the actual game and not the screenshot itself; however, because of this exploit/flaw within the reporting system, situations like this can arise.


149 Likes

This happened to a friend of mine several days ago. Woke up to a random account termination for Child Endangerment. Thankfully he was able to appeal it, but he would have lost over 8 million.

19 Likes

Can this affect any developer at any given time, or just developers in a team?

11 Likes

If you get targeted by someone & have a public place, you very much so could get terminated. It doesn’t matter if you work in a team or not, hell, you could get terminated just by having your starter place open.

14 Likes

This is honestly scary. I hope Roblox does do something about this soon.

14 Likes

From OP:
“It appears that the exploit got patched, the victims are getting unbanned upon appeal & a few tests someone conducted on accounts (not real people) have shown that the method no longer works”
No clue how long this’ll last or if it’ll even be a fix for the long run, but at least the victims are now being unbanned.

9 Likes

Never mind:
“I retract my claims - I received two claims of users getting re-banned after their appeals were accepted. This is ridiculous, there’s STILL a lack of response from staff & we can only speculate when it’ll get fixed.”
- From ClientCooldown (OP of original post)
Jesus Christ.

10 Likes

Years ago when reporting started taking screenshots alongside reports, I literally said this exact issue was going to be a thing. Why is everyone acting like this is something new?

The only thing I’m surprised about is that it took this long for people to actually abuse this on such a large scale. Months at most I would have expected, but not literally years.

9 Likes

I am curious why exploiters don't use this to terminate bad people.

8 Likes

Even if some did, others would use it against people they don't like.

3 Likes

Have you heard the tragic story of Darth Plagueis the Wise?

2 Likes

Is that Star Wars? If so, I've never heard of it :grimacing:

3 Likes

Still occurring based on this post: Account Terminated, for no reason?

Stay safe out there y’all

3 Likes

Update: Another one of my friends got termed using the method. Not sure why anyone would target him at all.

4 Likes

what part of

DO YOU NOT UNDERSTAND?? :sob::sob:

6 Likes

The bigger problem with this is how easy it is to do to anyone on the platform, since Roblox auto-creates a starter game on account creation.

4 Likes

This seems to be spreading more as Roblox has problems stopping it; more people are getting banned.

5 Likes

Maybe instead of the client passing the picture that it took to be uploaded to the server, the client just passes its Camera’s CFrame to the server and the server takes a picture from that CFrame of what it sees? Because of how replication works, the server wouldn’t see the inappropriate things that the client inserted. But I’m sure that this could have more cons than pros, as games with bad intentions could simulate this stuff purely through local scripts and get away with it because it’d be undetectable.

Still, the best way to patch this is probably to have somebody manually review the game for a few minutes to determine if there's anything inappropriate in it.

7 Likes

A good feature that may have to get toned down because of bad actors abusing it, such a bummer.

4 Likes

Funny, just a few days ago I posted how Roblox treats every script as valid and makes no attempt to differentiate a maliciously injected script from an actual game one. So bad that poorly made exploit scripts are treated the same as LocalScripts and flood error analytics. And now here we are, where it’s being abused in real time. What happened to “don’t trust the client”? Seems Roblox engineers just assume malicious users don’t exist when they add ‘features’ like this. All it takes is just stopping to think for a minute: “hmmm, but how might this be used for trolling?”

Roblox needs to develop a method of monitoring the Lua environment and analyzing what should and shouldn’t belong, based on pattern recognition and server replication. It’s far too easy to just inject scripts into the game. While this type of reporting feature might be nice in theory, it’s effectively useless when it’s so easy to exploit and manipulate the game once you’re in.

17 Likes