Restrict Roblox authentication ticket functionality - make it safer by comparing user IPs

Recently, a new scam has become much more popular. The scammer says they're a graphic designer and asks you to generate a texture of your character for them. Obviously, everyone loves free things, so a lot of people would do that without thinking much. That's natural, and the point of this post is an idea for how to make the feature being abused more secure.

Someone’s experience: Roblox Endpoint APIs Should Not Be Public

What does the scammer ask for?

The video shows how to run JavaScript by pasting it into your browser's URL bar. The text pasted into the URL bar downloads and runs a script from another (the scammers') website. While the script does contain the legitimate part (downloading the character image), it also contains a malicious part. Scammers often hide it by only serving it when the request contains headers indicating that it came from the Roblox website. The malicious part abuses the rbx-authentication-ticket functionality. The ticket is generated on your PC, and since you're logged in, it becomes a ticket that lets anyone who holds it log in to your account, even if the account is protected with 2FA.

But why does such feature exist?

The feature exists to make your life easier whenever you open Studio from the website. Studio can't access the website's session; it needs a separate one. To keep you logged in whenever you press Edit, a one-time rbx-authentication-ticket is generated and sent to Studio along with other information.

Whenever Studio starts, it uses the web API to exchange the received one-time ticket for a .ROBLOSECURITY token. The latter is the one that tells Roblox which account you're logged in as. During this exchange you are not asked for a two-factor authentication code. Once the exchange completes, the one-time rbx-authentication-ticket is no longer valid. Imagine being prompted for 2FA each time you open Studio. It would be tiring, wouldn't it?

But the point is: the API responsible for generating and redeeming the ticket isn't well secured, and that's how scams like this are possible. The redeem request is accepted from anywhere, so a stolen ticket works just as well from a scammer's server as from your own Studio.

Involved APIs:
!/AuthenticationTicket/post_v1_authentication_ticket
!/AuthenticationTicket/post_v1_authentication_ticket_redeem

So what could be improved?

Hiding the endpoint on the documentation page won't do much, so I'd suggest simply checking the IP during this process. Doing this might break the feature for users who proxy particular apps (for example, if the browser and Studio reach Roblox through different addresses), but I feel this would save a lot of users from being scammed.

Along with the generation request, store the originating IP. Whenever a redeem request is made, compare its origin IP with the stored IP that was used for generation. If they don't match, invalidate the ticket without issuing a new session token. This would prevent the remote servers scammers use to receive stolen tickets from redeeming them successfully. The comparison has to use the client address as seen by Roblox's own edge, not a header the client can set, otherwise the scammer's server could simply forward the victim's IP along with the ticket.
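The generate/redeem exchange described in the "why does such feature exist" section and the IP-binding check proposed above, as one added simulation. This is example code written for this post, not Roblox's implementation; the in-memory store, the ticket lifetime, the function names and the IP addresses are all assumptions made for illustration. Each ticket is consumed on every redeem attempt, so a failed attempt from the wrong address also invalidates it, which is the behaviour the proposal asks for:

```python
"""Simulation of a one-time authentication ticket service, with and without
binding the ticket to the IP that requested it.

Added example, not Roblox's code. Function names, the in-memory store, the
TTL and the IP addresses below are all assumptions made for illustration."""

from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

TICKET_TTL_SECONDS = 300  # assumed lifetime of an unredeemed ticket

# Constructed addresses (RFC 5737 documentation ranges, not real hosts).
VICTIM_IP = "203.0.113.10"          # browser and Studio on the victim's PC
SCAMMER_SERVER_IP = "198.51.100.7"  # server that receives the stolen ticket


@dataclass
class Ticket:
    account: str
    origin_ip: str    # address seen by the edge when the ticket was generated
    issued_at: float


class TicketService:
    """Issues one-time tickets and redeems them for a session token.

    bind_to_ip=False models the behaviour described in the post: any holder
    of the ticket can redeem it. bind_to_ip=True is the proposed fix."""

    def __init__(self, bind_to_ip: bool, now=time.time) -> None:
        self.bind_to_ip = bind_to_ip
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._tickets: dict[str, Ticket] = {}

    def generate(self, account: str, client_ip: str) -> str:
        """Browser-side step: the logged-in session asks for a ticket.
        client_ip must be the address observed by the server's own edge,
        never a client-controlled header such as X-Forwarded-For."""
        ticket_id = secrets.token_urlsafe(32)
        self._tickets[ticket_id] = Ticket(account, client_ip, self._now())
        return ticket_id

    def redeem(self, ticket_id: str, client_ip: str) -> tuple[str | None, str]:
        """Studio-side step: exchange the ticket for a session token.
        Returns (session_token, reason). The ticket is removed on every
        attempt, so a failed redeem also invalidates it."""
        ticket = self._tickets.pop(ticket_id, None)
        if ticket is None:
            return None, "unknown or already used"
        if self._now() - ticket.issued_at > TICKET_TTL_SECONDS:
            return None, "expired"
        if self.bind_to_ip and ticket.origin_ip != client_ip:
            return None, "origin mismatch"
        # Stand-in for the .ROBLOSECURITY cookie; no 2FA prompt on this path.
        return secrets.token_hex(32), "ok"


def scam_outcome(bind_to_ip: bool) -> str:
    """Victim's browser generates a ticket, the injected script sends it
    away, and the scammer's server tries to redeem it. Returns the reason."""
    service = TicketService(bind_to_ip=bind_to_ip)
    stolen = service.generate("victim", VICTIM_IP)
    _session, reason = service.redeem(stolen, SCAMMER_SERVER_IP)
    return reason


def legitimate_outcome(bind_to_ip: bool) -> str:
    """Normal press-Edit flow: browser and Studio share the same address."""
    service = TicketService(bind_to_ip=bind_to_ip)
    ticket = service.generate("user", VICTIM_IP)
    _session, reason = service.redeem(ticket, VICTIM_IP)
    return reason


if __name__ == "__main__":
    print("scam, current behaviour :", scam_outcome(bind_to_ip=False))
    print("scam, with IP binding   :", scam_outcome(bind_to_ip=True))
    print("legit, with IP binding  :", legitimate_outcome(bind_to_ip=True))
```

With bind_to_ip=False the scammer's server redeems the stolen ticket and gets a session; with bind_to_ip=True it gets "origin mismatch" and the ticket is gone, so even replaying it from the victim's own address afterwards fails. The caveat from the proposal applies unchanged: a user whose browser and Studio leave through different proxy addresses would also hit "origin mismatch" and have to log in to Studio manually.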