Spending another player's Robux balance on badges

Recently someone brought up to my attenton that you can spend other users’ Robux balance.

Suggestion I have for developers: remove everyone’s access from your games right now

**Browser Information:

• Alt account: Edge 126
• Main account: Chrome 126

Page URL: https://create.roblox.com/dashboard/creations/experiences/

Link to the game I tested the bug on: testing badge game - Roblox

A private message is associated with this bug report

Edit: Removed steps on how this method works, to prevent people exploiting it. Explaination is in the private message

this should be patched as it could easily be abused and there wouldn’t be any refunds given by roblox if someone were to do this!

Zero day vulnerability dropped.

This may get abused by people who sees this before this is patched. And, you probably could’ve made money if you reported this to Roblox’s Hackerone Bug Bounty Program.

??? This is absolutely game breaking.

I don’t understand how it works that much but this 100% would need to be fixed, that’s an insane discovery.

Wow, interesting discovery! I’m sure no one will abuse this now that this vulnerable knowledge is on a public forum!

I reported this a long time ago through @Bug-Support, and they were looking into it.

IMG_54722019×1854 1.23 MB

This isn’t an exploit, but an overlooked issue on Roblox’s end. I was told to create a report, but they said that almost 2 years later which is when I was already uninterested since someone else was “looking into it” already.

Thanks for letting me know, I had no idea that this was reported before as it seemed like a very obscure bug but hopefully, there’s gonna be more attention now into this and will get the roblox engineers look into this again and make some patch to this.

To abuse this, you would have to have tricked someone into giving you Team Create access under their user’s game, which is very hard to do and has very little attack surface.

Now that this is public knowledge, it’s even less likely a bad actor will be able to trick someone.

Checking every game I have and removing people from team create now that this dropped.
Why has Roblox not done anything despite knowing about this vulnerability for years?

Roblox has tons of vulnerabilities that aren’t resolved because they quite simply, don’t care.

Great example: the Crosswoods incident. This game exploited a feature to make people send messages they never sent and get them terminated from Roblox. Roblox already knew about this issue before but they didn’t even try to resolve it.

Uhh, this isn’t really Public knowledge. Even if you have team create you shouldn’t be able to exploit badges in a way like this, and it could cause a ton of problems…

Hey @ahrielia - gonna mention you on this one since I’m aware you work in this field

Yeah I’m looking into this now. (I promise)

This bug was reported to me by @CamIsYolo & discovered by @luckyto_shine.

I’ve discovered this bug in March 2020 and it still is around… I’ve wanted to report this bug for many years and couldn’t. Ugh. Thank you for this post. I’m glad this severe bug can finally be fixed.

The fix for this bug has been pushed. If you have collaborator/Team Create access to another user owned universe and try to buy a badge it will charge the requestor’s userId rather than the universe owners userId.

All other badge purchasing behaviours should be the same. Thank you so much for raising this issue up again. Please let me know if you encounter any weird behaviours.