Session sidejacking

I reported a bug some months ago about the fact that ROBLOX is vulnerable to sidejacking. I think it is a very important issue, and since the bug has received almost no attention, I would like to bring some to it.

In addition to preventing telecommunications providers (ISPs, schools, etc.) from getting the data users send to and receive from a website, end-to-end encryption also prevents users on the same network from getting the data received by other users from websites (at least in a non-encrypted form). When computers are connected on the same network, they all receive the data meant for each user of the network, unless the network is a wifi network using WPA or WPA2 encryption (this excludes all LAN networks, all wifi networks with no password and also all WEP networks with a password). This means that unless there is end-to-end encryption for a website, all users on a network can steal the accounts of other users using that website.

This applies to ROBLOX. I have created a Firesheep handler for ROBLOX (it is linked to in the bug report) which allows anyone on a family or school network to steal the account of any ROBLOX user who browses the ROBLOX website while logged in on the same network, at this very moment.

This means you can very well, if you so wish, install Firefox and the Firesheep extension on a school computer (neither requires admin rights) and add my Firesheep handler for ROBLOX, and you will be able to steal the account of any person at your school who logs into a ROBLOX account while Firefox is open, with a single click.

This will be possible at least until ROBLOX starts supporting end-to-end encryption on www.roblox.com and all other websites where the session cookie (.ROBLOSECURITY) is sent. This means supporting TLS (HTTPS) with HSTS to force all connections to use it, at least once users have logged in.

Providing support for end-to-end encryption has many other advantages too, but the most important at the moment, I think, is that it prevents session sidejacking.

Just to give an idea of how important this issue is, think that any user at the previous BLOXcon, or ROBLOX Game Conference, or ROBLOX Rally, assuming public wifi was available and unless a password for a WPA/WPA2 network was provided to everyone, which I doubt, would have been able to steal the ROBLOX account of everyone who logged in at the event. That’s a lot of people; it includes employees, known users and a lot of other users.

Supporting end-to-end encryption doesn’t just prevent the NSA from knowing what users do on ROBLOX. It also prevents your school, family, government, ISP and many other people from knowing what you do and from being able to steal your account.

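A check for the two controls the post above asks for (a Secure session cookie and an HSTS policy), added here as an example and not code from the thread or from ROBLOX: it audits a response's Set-Cookie and Strict-Transport-Security headers. The header samples and the six-month max-age floor are constructed assumptions.

```python
import re

# Constructed sample responses as (header name, value) pairs; not captured from roblox.com.
WEAK_RESPONSE = [
    ("Set-Cookie", ".ROBLOSECURITY=abc123; Path=/; Domain=.roblox.com; HttpOnly"),
]
HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", ".ROBLOSECURITY=abc123; Path=/; Domain=.roblox.com; Secure; HttpOnly"),
]
SESSION_COOKIE = ".ROBLOSECURITY"  # session cookie named in the thread
MIN_HSTS_AGE = 180 * 24 * 3600     # assumption: six months, a common audit floor

def parse_set_cookie(value):
    """Return (cookie name, {lowercased attribute: value}) for one Set-Cookie value."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def hsts_max_age(headers):
    """HSTS max-age in seconds; 0 if the header is malformed; None if absent."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
            return int(m.group(1)) if m else 0
    return None

def audit(headers, cookie_name=SESSION_COOKIE):
    """List the sidejacking-relevant gaps in a response; empty means both controls hold."""
    findings = []
    age = hsts_max_age(headers)
    if age is None:
        findings.append("no Strict-Transport-Security header")
    elif age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {age}s is below {MIN_HSTS_AGE}s")
    seen = False
    for name, value in headers:
        if name.lower() == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            if cname == cookie_name:
                seen = True
                if "secure" not in attrs:  # without Secure the cookie also rides on plain HTTP
                    findings.append(f"{cookie_name} lacks the Secure attribute")
    if not seen:
        findings.append(f"{cookie_name} is not set in this response")
    return findings
```

Running `audit(WEAK_RESPONSE)` reports both gaps, while `audit(HARDENED_RESPONSE)` returns an empty list.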

I’m going to have some fun with admin/user accounts at the next maker faire

(jk)

I have just learned that jobro13 has recently described the same concerns in another thread, which is however not as old as my bug report.

Everything said by jobro13 is right, but I would add that it is very easy to steal accounts with session sidejacking and that it does not require any knowledge. If you can install a Firefox extension and click on items in a list of accounts, you can do it.