So, I’ve had a bit of a boost in confidence with 2FA, but @DataSynchronized and I decided to test how much more secure we are now because of it. Turns out, not a whole lot, because one of the main attack vectors is still completely open.
Basically, the testing went as follows: I’ve enabled 2FA on my account, changed my password, and asked her to log in with that password. I received an email, and she wasn’t allowed in. Sweet.
Then I went into EditThisCookie and sent her the contents of my ROBLOSECURITY - which is one of the main attack vectors for account stealing, mind you - and after less than a minute she was logged in as me, completely bypassing 2FA and any other security measures in place on my account. Considering how easy it is for people to gain access to this cookie, I feel like we’re back to square one with account security.
The point is, if you can manage to get the cookie contents (as people have been doing for the longest time!), you can still get into someone’s account regardless of two factor authentication. There aren’t any measures in place to make sure that the cookie is bound to a computer or even a network. Why isn’t there a hash of the MAC or IP address in the cookie that prevents people from using it to get into accounts? What other measures can we take so that even if our cookie gets out, our accounts are still safe? We’re just as vulnerable as we’ve always been, even now that 2FA has finally been released.
Finally, a little disclaimer: I was fully aware of the risks of giving out my cookie and that I wouldn’t have given it to anyone else. I knew I could trust her and I’ve made sure my account is secure again after we tested this.
This isn’t really a bug. It’s always going to be a thing, and always has been. It has a lot of text to indicate that you shouldn’t give it to someone else, and at this point if someone does they’ve either been compromised in some other way or they’ve ignored ROBLOX’s warnings, which isn’t really anything ROBLOX can handle.
Not for certain. There are certain measures a website can put into place to prevent this, like the MAC/IP cookie that OP mentioned. If someone else tried to use your cookie, they’d fail. They could spoof your MAC/IP address, but that’s significantly more difficult than just having someone copy/paste the ROBLOSECURITY code to you.
Edit: If it’s hashed as OP suggested, I don’t think they’d be able to find out your IP/MAC address. They could of course tell people to send them that information as well, but people would start to get suspicious when they’re being asked to open the command prompt.
My website uses the exact same system as ROBLOX, however here’s where I fixed this issue.
I give you my login cookie. You set yours to mine.
You’re now technically logged in as me, cool.
The website checks if your IP is in your list of used IPs (roblox has a list of used IPs like me).
If you have never used that IP with that account before, the account is locked, and the user will encounter a “Verify Your Password” page. They must enter their password in order to gain access, in which the IP will be appended to the user’s IP list.
This means that if you log in with my cookie, and your IP has never used my account, you will encounter a “Verify Your Password” page before you have access to the account.
I imagine ROBLOX could implement a similar system as mine.
The only true downside is that if your IP changes often, you may experience this on a weekly basis, 3-day basis, etc.
Although, it only takes a few seconds to enter your password, then you have access to the account until your IP changes again. Most IPs don't change that fast, though, from my experience.
If this was an option - what would be the harm? I’d rather be prompted to enter my password every couple of weeks rather than risk my account due to my cookie being hijacked. Just sayin’.
Edit: to test this, I offered PayPal money to anyone who could crack it. I supplied every single cookie my website had stored. Over a year later, nobody has been able to access my account yet. Access to this account would mean access to all the admin/moderator tools. Pretty enticing for people to try to breach it. I can happily say that nobody can with this system.
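The IP-allowlist scheme this reply describes, as an added Python sketch that is not the poster's site code or anything from Roblox: a session cookie value stands in for .ROBLOSECURITY, a valid cookie presented from an IP the account has never used is downgraded to a "Verify Your Password" state instead of being trusted, and a successful password check appends that IP. The in-memory dicts, PBKDF2 hashing, usernames and IP addresses are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory state for the example; a real site would persist this.
ACCOUNTS = {}   # username -> {"salt": bytes, "pw_hash": bytes, "known_ips": set}
SESSIONS = {}   # cookie value (stand-in for .ROBLOSECURITY) -> username

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(username, password, first_ip):
    salt = os.urandom(16)
    ACCOUNTS[username] = {"salt": salt,
                          "pw_hash": _hash_password(password, salt),
                          "known_ips": {first_ip}}

def _check_password(username, password):
    acct = ACCOUNTS[username]
    return hmac.compare_digest(acct["pw_hash"], _hash_password(password, acct["salt"]))

def login(username, password, ip):
    """Password login; returns a fresh session cookie value, or None on failure."""
    if username not in ACCOUNTS or not _check_password(username, password):
        return None
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = username
    ACCOUNTS[username]["known_ips"].add(ip)
    return cookie

def resolve_session(cookie, ip):
    """Per-request check. A valid cookie from an IP the account has never used
    is not rejected outright; the session is held in the 'verify_password' state."""
    username = SESSIONS.get(cookie)
    if username is None:
        return ("invalid", None)
    if ip not in ACCOUNTS[username]["known_ips"]:
        return ("verify_password", username)
    return ("ok", username)

def verify_password(cookie, password, ip):
    """The 'Verify Your Password' page: on success the new IP is appended to the
    account's list, so the same cookie is accepted from it on later requests."""
    username = SESSIONS.get(cookie)
    if username is None or not _check_password(username, password):
        return False
    ACCOUNTS[username]["known_ips"].add(ip)
    return True
```

As later replies in the thread point out, anything keyed on the client IP will re-prompt users whose address changes often, which is the trade-off this design accepts.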
Doesn’t one’s IP change pretty often if they’re on mobile data (3G, 4G/LTE, etc.)? Way more often than a couple weeks, more like less than an hour if they’re moving around (walking, driving, or even just switching from LTE to 3G), right? If I recall correctly, that was the problem with an IP-based system last time this was discussed.
But ROBLOX is already geared towards constantly having a connection. You can’t even use Studio properly on an unstable connection, so if you’re on the go, you won’t be using it much anyways.
Two step verification is not a silver bullet which prevents all account theft, but it mitigates many phishing attacks where users enter their ROBLOX passwords into look-alike websites.
@TobotRobot tried tying .ROBLOSECURITY cookies to the IP they were created on but found that a device’s IP changes far too frequently, even for some desktop computers (not everyone has a static IP).
If you know how to obtain a user’s .ROBLOSECURITY without asking them to copy the cookie and send it to you, please let us know so we can patch it.
Users still have to copy it, but due to this, a malicious website just has to say “Copy and paste this random code” without it being apparent that it’s .ROBLOSECURITY.
Just to provide an update on this old issue—we are now rolling out enhancements to cookie security on web that should address the issue at the top of the thread.
Thank you for the original report and the keen observation about cookie security!