Recently, a new scam has become much more popular. The scammer claims to be a graphic designer and asks you to generate a texture of your character. Obviously, everyone loves free things, so a lot of people would do that without thinking much. That’s natural, and the point of this post is an idea for how to make the underlying feature more secure.
Someone’s experience: Roblox Endpoint APIs Should Not Be Public
What does the scammer ask for?
But why does such a feature exist?
The feature was made to make your life easier whenever you open Studio from the website. Studio can’t access your website session; it needs a separate one. To keep you logged in whenever you press “Edit”, a one-time rbx-authentication-ticket is generated and “sent” to Studio along with other information.
When Studio starts, it uses the web API to exchange the received one-time ticket for a .ROBLOSECURITY token. The second one is the token that identifies which account you’re logged in as. During this exchange, you’re not asked for a two-factor authentication code. Once the exchange is completed, the one-time rbx-authentication-ticket is no longer active. Imagine being prompted for 2FA every time you open Studio. It would be tiring, wouldn’t it?
But the point is that the API responsible for generating and redeeming the ticket isn’t well secured, and that’s how scams like this are possible.
So what could be improved?
While hiding an endpoint on the documentation page won’t do much, I’d suggest simply checking the IP during this process. Doing this might limit the feature for users who proxy particular apps, but I feel it would save a lot of users from being scammed.
Along with the generation request, store the IP of origin. Whenever the redeem request is made, compare the origin IP with the stored IP that was used for generation. If they don’t match, invalidate the ticket without generating a new session token. This would prevent the remote servers scammers use to receive stolen tickets from redeeming them successfully.
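To make the proposal concrete, here is a small Python model of the generate/redeem flow described above with the IP check added. This is an added illustration written for this post, not code from the original post or from Roblox; the `TicketService`, `generate` and `redeem` names, the 60-second ticket lifetime, the ticket and session token formats, and the sample IP addresses are all constructed assumptions. The service records every outcome so a defender can see mismatched redeems (a stolen ticket being redeemed from a scammer’s server) rather than silently dropping them.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed, simplified model of a one-time authentication-ticket exchange.
# Not Roblox's implementation; names, lifetime and token formats are assumptions.
TICKET_TTL_SECONDS = 60  # assumption: tickets are short-lived


@dataclass
class Ticket:
    account_id: str
    origin_ip: str      # IP that made the generation request (stored with the ticket)
    issued_at: float


class TicketService:
    """Issues one-time tickets bound to the generating IP and redeems them for a session."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                       # injectable clock so expiry is testable
        self._tickets: Dict[str, Ticket] = {}
        # (outcome, account_id, redeeming_ip): what a defender would ship to detection
        self.audit_log: List[Tuple[str, Optional[str], str]] = []

    def generate(self, account_id: str, origin_ip: str) -> str:
        """Generation request: mint an unguessable ticket and remember who asked for it."""
        ticket_id = secrets.token_urlsafe(32)
        self._tickets[ticket_id] = Ticket(account_id, origin_ip, self._now())
        return ticket_id

    def redeem(self, ticket_id: str, origin_ip: str) -> Optional[str]:
        """Redeem request: return a session token only if the ticket is fresh, unused
        and presented from the same IP that generated it; otherwise invalidate it."""
        # Single use: the ticket is removed on the first attempt, whatever the outcome.
        ticket = self._tickets.pop(ticket_id, None)
        if ticket is None:
            self.audit_log.append(("unknown_or_used", None, origin_ip))
            return None
        if self._now() - ticket.issued_at > TICKET_TTL_SECONDS:
            self.audit_log.append(("expired", ticket.account_id, origin_ip))
            return None
        if ticket.origin_ip != origin_ip:
            # Redeem came from a different host than the one that pressed "Edit":
            # invalidate without issuing a session, and log it for investigation.
            self.audit_log.append(("ip_mismatch", ticket.account_id, origin_ip))
            return None
        session_token = "SESSION-" + secrets.token_urlsafe(32)  # constructed format
        self.audit_log.append(("redeemed", ticket.account_id, origin_ip))
        return session_token


if __name__ == "__main__":
    # Constructed walk-through using documentation-range IPs.
    svc = TicketService()
    good = svc.generate("account-123", "203.0.113.10")
    print("same-IP redeem   ->", svc.redeem(good, "203.0.113.10") is not None)
    stolen = svc.generate("account-123", "203.0.113.10")
    print("other-IP redeem  ->", svc.redeem(stolen, "198.51.100.7"))
    print("retry after mismatch ->", svc.redeem(stolen, "203.0.113.10"))
    print(svc.audit_log)
```

Because the ticket is removed on the first redeem attempt, a mismatched redeem also burns the ticket, so the legitimate Studio session fails loudly instead of the victim never noticing. The `ip_mismatch` entries in `audit_log` are exactly the events worth alerting on; the cost, as noted above, is that users whose IP changes between the website and Studio (proxies, some VPN setups) would need to generate a fresh ticket.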