Script Injection Vulnerability

Hi developers,

We have recently discovered that some malicious Studio plugins are injecting scripts into hidden services. Because the services are hidden from the Studio Explorer, detecting these scripts is nearly impossible.

How to tell if you are affected

1. File > Save As… and select “.rbxlx” as the file format
2. Open the saved file using a text editor like Notepad
3. Search for “Backpack” and see if you find anything that looks like this:

<Item class="Backpack">
    <Properties>
        ...
    </Properties>
    <Item class="Script">
        ...
    </Item>
</Item>

If present, this indicates that a hidden script was likely injected into your place.

What to do if you are affected

We are working on a change where a script under a Backpack will only execute if parented to a Player or descendant of a service that executes scripts like Workspace or ServerScriptService. It is unlikely that this change will negatively impact your games.

We are working on a solution so scripts under Backpacks/PlayerGuis to only execute scripts that are descendants of a Backpack that is parented to a Player or descendants.

• Descendants of a service that executes scripts (e.g. Workspace, ServerScriptService)

We will release this change as soon as possible. If you want a solution in the interim, you have two options:

• Manually edit your place files to remove these injected scripts
• Use a developer-made plugin such as Christbru01’s Hidden Script Detector to remove these scripts. We have not tested any of these plugins so, if you choose to use them, you are using them at your own risk.

Long term, there are other things we plan to do in order to improve the security of our product:

• Add a Studio setting to make all hidden services visible to make it easier to detect similar exploits
• Rethink our entire plugin security model in order to ensure plugins cannot perform malicious actions like this without user consent

Let us know if you have any questions about this issue.

I have a lot of games so checking them all is going to be very tedious :<

I think if you check your most recently edited game if it’s infected. If not i think you’re safe. Maybe check 1 or 2 more for to be sure. Am not sure about this, it’s what i think.

If you have credible plugins that many people use, it’s unlikely that they are malicious. Just be cautious and aware of what plugins you download and understand that capabilities that they have upon downloading and installing them.

To clarify this, save the place as a “Roblox XML Place Files (*.rbxlx)”. The format stated above is XML, which is human readable, and will easily show if a place file has the injected. The default save format is binary.

Yeah I would say most of the plugins I have installed are pretty credible made by people I trust. I think I am safe.

I found code like this in multiple games of mine. Should I DM a list of the plugins I have, or would that not be useful?

Found this on my game , any idea what it did?

I think the front page of models is a big issue right now, everything on there is basically a backdoor. There are tons of “anti cheats” that all do the same thing, and people insert them into their games not knowing they are dangerous.

A friend of mine showed me that I believe, it gave certain people a GUI to run server or client scripts. I don’t know how effective it was, but I’m pretty sure that’s what it did.

Another side note : If you truly want to check if a plugin is malicious, you can always just view its source code and check for require(AssetID) or script.Parent=game:GetService(HiddenService)

Read about this and found it very interesting. Thanks for the explanation.

Just realized that the reason I have encountered these vulnerabilities is that I’ve installed fake copies of reputable plugins (that have seemingly been botted or something because they have a bunch of likes and installs). They seem legitimate but are not uploaded by the original creator. This seems to be a huge issue on the plugin library, after searching a few more plugins I have.
This wouldn’t be an issue if the sort/filter options actually helped, but using stuff like “Bestselling” and “Most Favorited” seems like it almost completely ignores the search you put in. Because of this, I have to rely on Relevance, and that option seems to almost certainly bring up fake versions of plugins.
Search seems to be a pretty significant factor in the usage of these malicious plugins, because I find it hard to believe I’m the only one in the same situation. It’d be helpful to have more options to sort plugins, or for that matter ones that actually work. Apologies if that sounded rude, that’s not the intention.

I’ve been careful to not download any fake versions, but I am curious to know just in case-do the fake plugins still work and look the exact same as the original?

Roblox should just allow command bars to view those services.
It’s pretty dumb that Roblox Studio trusts other people’s plugins more than it trusts Command bar.
Plugins can be edited by anyone, Command bar is yours only.

Definitely should be studio request.

I mean, it technically can. The intellisense autocomplete will show what services are present in the DataModel when you index the game variable.

As far as I know, Command bar can’t access services which are set to Plugin Security, making it impossible to clear them from command bar. I’ll try to find exact service in question.

The two fake plugins I ended up downloading worked and looked identical to the real versions. I wouldn’t be surprised if they just copied the plugins from the InstalledPlugins folder and added some malicious code in the background.

Command bar should honestly be right below COM scripts or above it even - kind of the same problem I see with Roblox blocking access to the local CoreGui - even though exploiters can get around this restriction and use it to their advantage since Developers cannot physically access the core GUI, making exploits very hard to stop if you want to take the more traditional route and block things at their source.

I don’t see any potentional security risk with allowing the Command bar to view all services, especially since savvy users can simply edit the ReflectionMetaData to get at services the CommandBar can’t access, not to mention said services usually auto-reset when the game opens or is ran.

Nevermind, after checking, it seems that all of those services are level 6, so even plugins can’t access them.
Although, still believe that Cmd Bar should be higher level than plugins.