Someone leaked client IP addresses in-game

I’m aware this might not be the correct place to discuss this, but how did some guy manage to leak all client IPs through Roblox’s in-game chat?

I was playing Trade Hangout when some guy joined and systematically leaked everyone’s IP address along with their location.

11 Likes

Well, you can get the location from LocalizationService, and they most likely had an SS crack and used an IP-grabbing API with HttpService.

4 Likes

This is likely done through some sort of 3rd party “hack” rather than your typical exploit.
It would be best to report this to Roblox via the appropriate method so that they can investigate this and ensure that it doesn’t happen again.

2 Likes

Well, I saw a vermillion post with that exploit, saying the IP address was not real and it’s just random numbers, so I’m not really sure if it’s real, but if it is, I agree with what @FKAGamingDeOne said.

3 Likes

Theoretically you shouldn’t be able to IP grab from Roblox, as IP grabbing is usually done via malicious links and requires a user to click said link and go to said site, which then records your IP.
That said, however, exploiters are extremely clever and can often find a workaround for things, but then again it is still highly unlikely that they were real IPs and more of a troll scare tactic.

1 Like

Are you sure that the leaked info was actually correct? Were yours at least correct?

Because it was obvious that the trivial screenshot that involved someone doing the same thing was fake. Anyone can stand in front of somebody and yell a random location and IP.

Leaking the location doesn’t seem like a hard thing to do, leaking IPs though, that’s impossible, with common sense.

4 Likes

Can’t report it in-game, I just closed the tab when the guy leaked my location.
Not that the location really matters :man_shrugging: Though that has to be a security breach.

1 Like

Well, Roblox does have access to users’ IPs via a leaked screenshot from an admin panel hacker. This exploit could possibly be fetching info from the admin panel somehow; as I said, I have seen a vermillion post saying the IP is randomly generated numbers, although the location is real. I simply don’t have a side on whether it’s real or fake. I’m just trying to help the OP.

1 Like

Like I said before, you can use LocalizationService to have the GEOLocation

1 Like

The location was correct.
Didn’t read the whole IP he posted, but the last part of it seems to be correct as well.

2 Likes

IP addresses cannot be obtained by the client (nor can they be obtained by the server either), thinking that they can is pretty absurd!
The script is pretty simple, it’s just generating a random number and adding a couple of . here and there just to “scare people off”, the reason they’re able to get the location is due to Roblox replicating the location to other clients on player join.
They access a hidden property that’s obviously set to “Read-Only”, probably used for localization by Roblox core scripts.

You shouldn’t worry about people getting your IP through Roblox since it’s pretty much impossible, they’d have to get all the connections that are connected to that server (which they can’t), then they have to identify who’s who through the connection which again, they can’t.

Roblox is sandboxed well enough to basically stop around 100% of the people attempting what you just said :smiley:

10 Likes

Alright, thanks :wink: As I said, not sure if the IP was correct, though it did seem similar to the real one. Probably wasn’t though.

1 Like

This isn’t how Roblox Http requests work. HttpService only works on the server, and only leaks server IP addresses, not those of the clients.

7 Likes

Regardless, Roblox should fix the LocalizationService so it’s not publicly visible.

It’s not broken, although I agree there is a case to add a privacy option for that particular setting (along with OS Locale)

1 Like

I am aware that I’m a bit late at this point, but you can take a look at this script: (It only works on Synapse, not all exploiters use this one, but it’s a similar one) (Credits to CampfireHQ)

_G.a = {}
for _,v in pairs(game:GetService("Players"):GetPlayers()) do
    if v.Name ~= game:GetService("Players").LocalPlayer.Name then
        local Thing = game:GetService("HttpService"):JSONDecode(game:HttpGet("http://country.io/names.json"))
        local ParsedCountry = Thing[gethiddenproperty(v, "CountryRegionCodeReplicate")]
        local SayMessageRequest = game:GetService("ReplicatedStorage").DefaultChatSystemChatEvents.SayMessageRequest
        SayMessageRequest:FireServer(
            v.Name.." is from "..tostring(ParsedCountry).." ".."IP: "..math.random(1,200).."."..math.random(1,200)..".".."######".." ".."(IP: Successfully Listed)",
            "All"
        )
        wait(2)
    end
end
for i = 1,5 do
    local SayMessageRequest1 = game:GetService("ReplicatedStorage").DefaultChatSystemChatEvents.SayMessageRequest
    SayMessageRequest1:FireServer(
        "IP Leaking Status: Working ⚙️",
        "All"
    )
    wait(1)
end
wait(5)
local SayMessageRequest2 = game:GetService("ReplicatedStorage").DefaultChatSystemChatEvents.SayMessageRequest
SayMessageRequest2:FireServer(
    "IP Leaking Status: Successfully Leaked ✅",
    "All"
)

As you can see, they used math.random as well as fake tags just to scare people out and pretend it’s true. Only the country is real, but it really isn’t a problem if somebody knows your country, you’re not the only one to live in it.


EDIT: Basically, some people contributing to Synapse found a hidden property in the player. That hidden property was basically the Player’s location. So, the whole Synapse community started to have fun with that and scare other players. This exploit is brand new, that’s why it’s been used a lot recently.


EDIT AGAIN: It’s actually not a hidden property, thanks EllipticCurve_DHE.

3 Likes
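Added example, not part of the original thread: a Python triage pass over exported chat lines that flags the scare-spam pattern produced by the script posted above and checks whether the "IP" in each claim even parses as IPv4. The log format, the sample lines, and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample chat log: (seconds, sender, message). Not real data.
SAMPLE_LOG = [
    (0.0, "trader_01", "trading dominus for valk"),
    (2.1, "guest_x", "PlayerA is from Germany IP: 143.77.###### (IP: Successfully Listed)"),
    (4.2, "guest_x", "PlayerB is from Canada IP: 12.190.###### (IP: Successfully Listed)"),
    (6.3, "guest_x", "PlayerC is from Brazil IP: 88.5.###### (IP: Successfully Listed)"),
    (7.0, "trader_02", "my server IP: 10.0.0.5 is down lol"),
]

# Shape of the message the posted script sends: "<name> is from <country> IP: <text>"
CLAIM = re.compile(r"^(?P<target>\S+) is from (?P<country>.+?) IP: (?P<ip>\S+)")

def is_real_ipv4(text):
    """True only if text is a complete, well-formed dotted-quad address."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def triage(log, min_claims=3):
    """Report senders who broadcast at least min_claims location/IP claims
    about other players, with how many claimed IPs are even valid."""
    claims = defaultdict(list)
    for ts, sender, msg in log:
        m = CLAIM.match(msg)
        if m and m["target"] != sender:
            claims[sender].append((ts, m["target"], m["ip"]))
    report = {}
    for sender, rows in claims.items():
        if len(rows) < min_claims:
            continue
        # Near-constant spacing between messages points to a wait() loop.
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        report[sender] = {
            "targets": [r[1] for r in rows],
            "valid_ips": sum(is_real_ipv4(r[2]) for r in rows),
            "scripted_cadence": max(gaps) - min(gaps) < 0.5,
        }
    return report
```

A report with `valid_ips` at 0 and `scripted_cadence` true matches what the thread describes: real country codes paired with made-up address fragments, sent on a fixed timer.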

That’s why I said an SS crack…

I saw recently that this has happened to a lot of people, but for the most part it seems that the IPs that the bot says are randomly generated but the country he says is correct.

2 Likes

What exactly is a “SS Crack”? Can you please elaborate?

If you mean a “Server Side” backdoor script, such as one installed by a malicious plugin, then those would have no bearing on gaining the IP addresses of players.

If you mean a “Server Side” exploit, that could privilege escalate outside of Roblox’s script environment, these are not known to exist, and there has never been one to exist.

2 Likes

I mean, it’s not exactly hidden - it’s useful as detailed here: LocalizationService | Documentation - Roblox Creator Hub

3 Likes