Taking Control & Responsibility for your Account’s Security

KristinaMoment · March 7, 2023, 10:47am

What if an attacker uses your support to social engineer their way into your account? This is a major problem that has hacked multiple big devs and youtubers since around August 2020

KristinaMoment · March 7, 2023, 10:48am

Actually, parent pin is useful in the event of cookie logging or social engineered via support into account

They can’t change your password if you have parent pin on

buildthomas · March 7, 2023, 11:06am

Just double-checking, did you see the part in my post where I mention that a pin is trivially circumvented? It only takes 5000 web requests to bypass a parent pin on average. The attacker can do this asynchronously to you using the site (e.g. via a browser extension they can poll every so often until they find the pin) and then send the pin + cookie to an external location for malicious use.

Parental pin does absolutely nothing here in terms of true security factors.

Ask Roblox instead to make use of 2FA / physical key checkpoints more often across its services. For example, they could ask for 2FA before password/email changes, which would be miles better than the current pin guard.

KristinaMoment · March 7, 2023, 12:22pm

Is there actually no request limit

RadiatedExodus · March 7, 2023, 2:36pm

Developer Forum now uses OAuth to authenticate to Roblox, I suppose a way to fix that is to enforce 2SV on the OAuth grant page before it actually grants the OAuth token

Bobytoeburrito · March 7, 2023, 8:04pm

I got a banner notification telling me about this and a message telling me to enable it. Are these two meant for everyone or just people who haven’t enabled it? I’ve had the feature enabled ever since it became available, so I’m concerned that something may not be functioning as intended.

BigScriptus · March 7, 2023, 8:26pm

There is a request limit. If you get it wrong like 4-5 times you’re blocked from trying for a bit.

BigScriptus · March 7, 2023, 8:28pm

The more secure you are the better, that’s why I use security key and pin and a long password.

OneEDM · March 7, 2023, 10:10pm

Confused why I got this banner when I already have it enabled?

Seems sloppy to just send it to everyone instead of just targeting those who don’t have it on.

buildthomas · March 7, 2023, 10:23pm

That’s your prerogative, but the PIN here prevents nothing that the security key doesn’t already prevent.

This is not something that should be incentivized by the product design; keep security features as security features, and parental safety as parental safety features.

Not mix them randomly because this confuses users into thinking there is actually a security gain here (as evident from the fact that I need to keep replying to people who insist it actually has security value).

pluto1519 · March 7, 2023, 10:30pm

Hey! The message is shown to everyone as a way to encourage them to ensure 2-Step Verification via an authenticator app is enabled. If you have already enabled this, then you’re all set!

pluto1519 · March 7, 2023, 10:39pm

Hi there! Apologies for the confusion. The message is shown to everyone as a way to encourage them to ensure 2-Step Verification via an authenticator app is enabled. If you have already enabled this, then no further action is needed from you!

LittleWolfGX · March 8, 2023, 6:19am

Wow that awesome in case my email have problems with the 2-step verification I can use the authenticator of google but for now better if I control my account for security without robux that miss like the beginning of the 2023

lolmanurfunny · March 8, 2023, 9:17am

The two most common methods are probably:

Password guessing
Exfiltration of the .ROBLOSECURITY cookie ^{(colloquially called “beaming”)}

The first one is rather self-explanatory. The second one is commonly achieved through social engineering.

Some beaming methods are clever/creative; though, they all share a commonality in that they almost always start in ^{^{(often discord)}} dms- ending with the victim unknowingly sending a file containing their account’s cookie.

This is what a beam method looks like:

Convince them with a “large reward”. eg: 2k robux for a simple job
Give them an audio and tell them to inspect element
Tell them to press the “Network” tab + refresh the page
Tell them to right click the top result ^{*should be the audio’s url} and go to Copy → Copy all as HAR
Have them send it to you; download the .txt file
Search for their cookies by searching the neighboring keywords “roblosecurity” or “warning”

Watch out for the slimy people out there..

Kiesere · March 8, 2023, 9:36am

At the very least it would have been far better to include a notice such as: “Ignore if you already have 2SV enabled.”.

By sending the alert to everyone it potentially incites the following:

Confusion (is this a bug?)
Worry (has my account security been breached?)
Paranoia & mistrust (is this security feature even working?)

Anything regarding security needs the utmost care and I would expect nothing less.

Aeplexi · March 10, 2023, 6:14pm

Removing rollbacks is crazy, this company always gets worse and worse.

Crazedbrick1 · March 10, 2023, 10:52pm

I may have missed something, but where in the post did Roblox say that they were removing rollbacks?

BullfrogBait · March 12, 2023, 3:39am

In the linked Help page, there’s only one paragraph regarding rollbacks.

This isn’t sufficient. There’s no definition of what these limited circumstances are and that’s dangerous. There needs to be a page dedicated to rollbacks or at least a section describing what these circumstances are.

Any developer or player with value is now stuck questioning what these circumstances are and if they’re safe if they get compromised and that’s a little bit scary. The only way to piece together what these circumstances are is by listening to other players which isn’t good enough, it should be on the help page, not only known by a few individuals.

Please list requirements to receiving a rollback. Don’t add more stress and anxiety to developers that fear getting compromised.

(Interesting how Roblox sent a message regarding 2FA as a requirement for rollbacks but it’s nowhere to be found in that paragraph for “limited circumstances”.)

buildthomas · March 12, 2023, 3:16pm

What’s the point of describing the circumstances? Generally speaking, victims do not control the circumstances under which they are compromised after the fact…

The current writing is fine. It incentivizes users to look out for their account security. Not like “oh, if I get compromised I can get a rollback anyway if it’s my first time, so I can be loose about it”.

Being compromised is not like some magic spell that you cannot avoid. Most if not all compromises happen because of the victim running malicious code on their own device (browser extension, script, etc) or because of a social engineering attack (clicking on links in emails, giving in to “urgent-sounding” messages without validating independently the claim is correct, accidentally giving out personal information online, etc).

BullfrogBait · March 12, 2023, 6:02pm

These circumstances are what Roblox looks for before you were compromised. Listing what’s required and recommended for rollbacks incentivizes all users to follow them.

It feels like a punishment (on top of being compromised) when you ask for a rollback, but they say no because you didn’t follow hidden rules.

I don’t think withholding information is an attempt to make users look out for their account security. That feels lazy.

If they listed the requirements for a rollback, such as needing 2FA, and developers followed that, that would automatically make them not “loose” about it. If they listed another requirement, which is most likely only one rollback per person, they wouldn’t be anywhere as loose as you’re suggesting.

Nobody intends to be compromised.