As a Roblox developer, it is increasingly difficult to discover/remediate/patch vulnerabilities and exploits in our experiences. For every step we take to remediate/patch our experiences, the creators of these malicious tools are two steps ahead.
Previously it was easy to discover if your game had a module in it that was vulnerable (By searching for ‘require’ w/find all scripts, and seeing if there were unrecognized modules/asset IDs that were linked to external modules published to the Roblox website). Because of the nature of modules published to the website, you cannot view the source of these questionable modules, and how they affect your experiences.
As of recently, these bad actors have improved their methods to avoid detection. Using getfenv/setfenv, string concatenation, and other methods, they are becoming increasingly difficult to discover.
Even worse, if your game relies on 3rd party assets being inserted at runtime (Such as loading models owned by the group owner of an experience into the game), it introduces another attack vector where malicious actors can insert scripts/modules into these models, which are impossible to detect until it’s too late (Unless you analyze the models by hand and in a non-runtime environment). Malicious intent by an internal party (Such as a developer who inserts malicious code willingly and intentionally) is seldom the case, as 3rd party plugins can insert modules/scripts into random models that are buried deep to avoid detection.
I propose that Roblox adds three features to Roblox Studio (And the runtime environment) to assist us developers w/closing off vulnerabilities + active attacks against our experiences.
- I request that Roblox add a feature into Roblox Studio that shows you what 3rd party assets are being utilized w/external resources (Either via insert service or require w/a 3rd party asset ID). It could be like the find-all feature, where it shows all external dependencies being used, what asset ID is being used, and the full path of the script/module in question.
- There should be an option in Studio (Similar to how you can turn off HTTP requests) that blocks requiring 3rd party modules (Uploaded to Roblox) from being required from the website. An exception could be allowing modules uploaded to the website (For the owner of the experience/group that owns the experience), but in my opinion, modules w/packages would supersede the need for that.
- In the runtime (Server/client-side) w/the logs, I believe it would be wise to print in the output (As a warning, to easily identify the logs) if an external 3rd party module is being required from the website, and the source of it. The reason for this is so assets that are inserted in the run-time (Example being a 3rd party asset inserted at the game’s run-time) are able to be traced.
If Roblox were to implement even a fraction of these changes, I believe it would assist us developers w/protecting our experiences from malicious actors.
Thank you for taking the time to read my proposal, feedback is appreciated!
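
Until Studio offers a dependency view like the one requested above, a place saved as `.rbxlx` can be audited offline. The following is an added example, not part of the original post and not Roblox tooling: it lists each script's full path with any numeric `require`/`LoadAsset` asset ID, plus the `getfenv`/`setfenv` and string-concatenation patterns the post says hide such calls from a plain search. The XML layout (`Item`, `Properties`, `ProtectedString name="Source"`), the sample place and its asset IDs are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the assumed .rbxlx layout; asset IDs are made up.
SAMPLE_RBXLX = """<roblox version="4">
 <Item class="Workspace"><Properties><string name="Name">Workspace</string></Properties>
  <Item class="Model"><Properties><string name="Name">Tree</string></Properties>
   <Item class="Script"><Properties><string name="Name">Weld</string>
    <ProtectedString name="Source"><![CDATA[local r = getfenv()["req".."uire"]
r(1234567890)]]></ProtectedString></Properties></Item>
  </Item>
 </Item>
 <Item class="ServerScriptService"><Properties><string name="Name">ServerScriptService</string></Properties>
  <Item class="Script"><Properties><string name="Name">Main</string>
   <ProtectedString name="Source"><![CDATA[local Admin = require(9876543210)
local Util = require(script.Parent.Util)
game:GetService("InsertService"):LoadAsset(555)]]></ProtectedString></Properties></Item>
 </Item>
</roblox>"""

# Heuristics only: the last two rules flag code for manual review, not proof of abuse.
RULES = [
    ("require-by-asset-id", re.compile(r"\brequire\s*\(?\s*(\d+)")),
    ("insertservice-loadasset", re.compile(r"\bLoadAsset\s*\(\s*(\d+)")),
    ("environment-access", re.compile(r"\b([gs]etfenv)\b")),
    ("string-concatenation", re.compile(r"""(["'][^"'\n]*["']\s*\.\.\s*["'])""")),
]

def scan(rbxlx_text):
    """Return (full_path, line_no, rule, match) for every hit in every script."""
    findings = []

    def walk(item, parent_path):
        props = item.find("Properties")
        name = props.findtext("string[@name='Name']") if props is not None else None
        path = f"{parent_path}.{name or item.get('class')}"
        source = props.findtext("ProtectedString[@name='Source']") if props is not None else None
        for line_no, line in enumerate((source or "").splitlines(), 1):
            for rule, pattern in RULES:
                for m in pattern.finditer(line):
                    findings.append((path, line_no, rule, m.group(1)))
        for child in item.findall("Item"):
            walk(child, path)  # scripts buried deep inside models are still reached

    for top in ET.fromstring(rbxlx_text).findall("Item"):
        walk(top, "game")
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_RBXLX):
        print(*finding, sep="\t")
```

The `Weld` script never contains the word `require` next to an ID, so a find-all search misses it; it surfaces only through the environment-access and concatenation rules. Assets inserted at runtime are not in the saved file and remain outside what this scan can see.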