Restrict roblox authentication tickets functionality - make it safer by comparing user IPs

Recently, a new scam has become much more popular. The scammer says they’re graphic designer and asks you to generate a texture of your character. Obviously - everyone loves free things so a lot of people would do that without thinking much. But that’s natural and the point of this post is an idea about how to make it more secure.

Someone’s experience: Roblox Endpoint APIs Should Not Be Public

What does the scammer ask for?

The video shows how to insert run a javascript via your url bar. Given text put in browser url bar downloads and runs a script from another (scammers’) website. While the script does contain the actual good script (downloading character image), there is also the malicious part of it. Scammers often hide it by only displaying it if request contains appropriate headers indicating the request came from Roblox website. The malicious part utilizes rbx-authentication-ticket functionality. The ticket is generated on your PC (and since youre logged in, it becomes a ticket letting any person having it log in into your account even if it’s protected with 2FA).

But why does such feature exist?

The feature was made to make your life easier whenever you open studio with the website. The studio can’t access your website’s session, it needs a separate one. To always keep you logged in whenever you “Press” edit, one-time rbx-authentication ticket is generated and “sent” to studio with other information.

Whenever studio runs, it uses web api to exchange received one-time token for .ROBLOSECURITY token. The 2nd one is the one which tells what account you’re logged in. During this process, you’re not asked to provide 2 factor auth token. After exchange is completed, the one-time rbx-authentication-ticket isn’t active anymore. Imagine seeing it each time you open studio. It would be tiring, wouldn’t it?

But the point is… the api responsible for generating and redeeming the ticket isn’t much secured and that’s how scams like that are possible.

Involved APIs

https://auth.roblox.com/docs#!/AuthenticationTicket/post_v1_authentication_ticket
https://auth.roblox.com/docs#!/AuthenticationTicket/post_v1_authentication_ticket_redeem

So what could be improved?

While hiding an endpoint on documentation page won’t do much, I’d suggest to just check the IP during this process. Doing this might limit the feature for users who try to proxy particular apps, but I feel like this saves a lot of users from being scammed.

Simply
Along with the generation request, store the IP of origin. Whenever the redeem request is made compare the origin IP with stored IP which was used for generation. If they don’t match, invalidate the ticket without generating new session token. This would prevent remote servers used by scammers to receive stolen tickets from redeeming them successfully.

36 Likes

This issue needs to be addressed and this feature implemented. Even if there is another workaround for this, these scamming websites are just copies of each other and the creators of them are popping up like crazy with no knowledge of how this even works. With a weekend’s work you can find at least 10 of these with a quick google search and spend lots of time sending reports to take them down, but they just pop back up again. Roblox needs to address this issue themselves as some people are scamming 1M+ robux a day by deploying basic tactics to get users to execute JavaScript in the address bar. Comparing the IPs would force these scammers with no knowledge to find a solution that doesn’t involve authentication tickets.

This wouldn’t be too complicated to implement and roll out either since most of the work is probably already finished for a system like this. Roblox ASN blocking everything leading up to the scam is not going to stop the problem as there are plenty of ways these people can get around these blocks. There are also many people on Roblox that are always using a VPN to even be able to access Roblox, so they cannot simply keep blocking endpoints to solve their issue. This solution of matching the IPs solves more issues than it creates. It will stop alt generators who make accounts for people who are exploiting and getting banned from games and also stop people’s accounts from being compromised. There are very few use cases for this endpoint that this change would restrict. Users under the age of 13 don’t understand these risks and you cannot simply just educate them but you have to implement better security to stop these incidents from occurring.

7 Likes