The case to bring back private modules and how to do so in a safe and secure manner for all

What were private modules?

Private modules were a feature on Roblox that allowed developers to share their code with others on the Roblox platform in a closed-source manner. In essence, people could use someone else’s code in their experience without being able to read or edit the code, giving developers the ability to share their code with others without the possibility of it being pirated. This also gave developers a secure way to sell their code and services to other developers without the risks of leaking and/or piracy.

Why were private modules removed?

As illustrated by this thread, private modules were removed in February 2019 by Roblox citing security concerns. To paraphrase the official thread:

Private modules pose a serious risk because models can contain malicious code and developers have no way to audit the code. Additionally, the Roblox platform does not contain any sandboxing support so modules can do anything game scripts can do, such as writing to data stores or teleporting players to another game. Roblox has no protections in place for this.

Roblox removed private modules as they allowed for malicious code, such as backdoors, to run without the knowledge of the owner of the experience. In essence, the entire reason why private modules were removed is because they didn’t allow developers to have control over code they were potentially putting into their games. Whilst I can see how private modules caused issues when malicious ones were often hidden in items from the toolbox, I am still very critical of this reason to this day.

This is because I believe that if you are using third party assets, especially ones from the toolbox, it is of utmost importance and your own personal responsibility to check the code that you are using. If you were to see your experience as important and were to use a private module inside of its code, it would be your duty to check that it was from a verified and trustworthy source. Many people were able to check the code they used, and entire communities (as explained in the next section) relied on private modules to function. The idea of groups with thousands upon thousands of members essentially being punished for the negligence of a handful of people is undoubtedly unfair.

Why were private modules so important?

For many years, Roblox developers have sold their creations and services to other developers. These creators are arguably the backbone of the Roblox platform, as the majority of groups and experiences on Roblox are not run by professional developers that can whip up complete experiences worthy of winning a Roblox Innovation Award, or a Bloxy as it used to be called back in the day. This developer market on Roblox has allowed groups to flourish and create things such as roleplay experiences that otherwise would have never been possible. Platforms such as Clearly Development and this very forum allow these developers to market their services and creations in order to earn a living.

The majority of experiences on the Roblox platform are not run by experienced teams like those behind games such as Adopt Me or Dress To Impress; instead, the majority of experiences on the Roblox platform are run by enthusiasts who want to create a meaningful experience that they can enjoy with their community. Take the hotel roleplay community for example: at one point, this was one of the largest roleplay communities on Roblox. Hotel games would often make it onto the front page and would frequently have thousands of players at any given time. The vast majority of these hotels, including what were once the largest of them all, relied on something called CheckMeIn, a system used by group staff to check in regular players to their hotel rooms.

CheckMeIn was a paid system, meaning that groups that wanted to use it had to buy a licence to use it. The whitelist for the system relied on private modules, but once this feature was removed, the system’s whitelist was easily cracked and the system was pirated. Now, if you search the system up on the Toolbox, you will find a plethora of pirated copies, all with backdoors. This highlights another issue, theorised by ForeverHD in this thread all the way back in December 2018. In it, he states that:

Removing the ability for modules to act as proprietary software will greatly disincentivise individuals or teams from working on well-developed and reliable services. Instead, there’s a good chance we’ll see a rise in the proportion of knock-off models or poorly written services.

Forcing modules to be open-source will not stop malicious creators; they will simply target less-experienced users who don’t understand how to view or read the source code of these modules in the first place. This approach personally appears to damage a large number of legitimate services whilst doing little to creators with malicious intent.

ForeverHD ended up being correct. Now, networks like the Roblox hotel community are basically dead, with groups of hundreds of thousands of users now inactive. A main reason for this is that developers have stopped producing assets for the use of other developers because the threat of leaking and piracy has become far too substantial. Communities that were once pillars of the Roblox platform are now either dead or rapidly in decline. If you search up CheckMeIn today on the Toolbox, you will find hundreds of pirated copies of it, all with backdoors. Not only does this violate the intellectual property rights of the original creator, but it also puts inexperienced and amateur developers wanting to start their own hotel group at risk. This is because the truth is that these developers often use assets from the Toolbox without possessing the scripting knowledge needed to check through their advanced code and know what everything means. Ever since private modules were removed, we have actually seen the inverse of the intended effect.

Since private modules were removed by Roblox, we have seen more pirated copies with backdoors and malicious code pop up in the Toolbox than ever before: it is for this reason that Roblox was forced to add a feature that warns you when there is code in a model from the Toolbox. This problem isn’t just limited to CheckMeIn; in fact, the most prominent example of this has been the piracy of various admin systems such as HD Admin, which is used in games across the Roblox platform. There are hundreds of ripped-off copies of HD Admin on the Toolbox, all with backdoors. Nowadays, it is often hard to find the original. This highlights another issue which is that Roblox’s removal of private modules not only caused a rise in the abundance of piracy through the distribution of stolen assets and code plagued with backdoors on the Roblox platform, it also crippled developers’ intellectual property rights over their very own code and subsequent creations.

The removal of private modules made piracy so easy that it is impossible to control the spread of pirated code on the Roblox platform, especially when third-party platforms such as Discord and Guilded are used as hubs for leaking. This has disincentivised developers from creating assets and code to distribute on the Roblox platform because the threat of leaking outweighs profit and community benefit. This has not only caused the demise of certain Roblox communities, but it has also forced developers to use unconventional and often insecure methods in an attempt to protect their code.

The only somewhat feasible option Roblox developers have to combat the rise of piracy is obfuscation, but this has been easily cracked and is not at all a secure way of distributing code, especially with the rise of AI. Developers are often forced to pay for premium obfuscators, but even these are cracked on the regular. Moreover, Roblox essentially stabbed developers in the back by making obfuscation against Roblox ToS. This, paired with the impossibility of controlling the piracy of assets, makes developing community assets on the Roblox platform impossible, and highlights the need to protect control not just over things such as decals and meshes, but also over code. I should not be forced to open-source my intellectual property just because of the negligence of a few people to check their code, and the majority of the development community agrees: I have not seen one developer praise this removal, only lament the loss of private modules and the issues it has caused.

How do we bring back private modules in a secure and safe way for all parties involved?

Now that we have established why private modules were, and still are, such a crucial part of the Roblox platform, let’s look at how we can bring them back whilst addressing and tackling Roblox’s security concerns head on. Bringing back private modules wouldn’t just stop piracy and the rise of more malicious backdoors, it would also restore intellectual property rights and give developers the opportunity and motivation to develop more assets for the community.

The main issue with private modules was that amateur developers who didn’t check third party code were unintentionally allowing malicious backdoors into their game. After speaking to Roblox staff about the issue, they said that private modules were “almost exclusively malicious content”, which I believe is a complete misrepresentation of private modules considering that they were used for things such as admin systems in virtually every Roblox game, but I digress.

To address the issues concerning private modules as outlined by Roblox, I propose a simple whitelist system, which eliminates the possibility for malicious backdoors from unknown third parties. In essence, for a private module to run in a specific experience, its ID would need to be whitelisted. This means that if you get a private module from a developer you trust, you can whitelist it and it will run, but if someone inserts a car with a sneaky private module from the toolbox made by hacker12345 and the private module isn’t whitelisted, unfortunately hacker12345 won’t be able to backdoor the experience.

This will not only bring back intellectual property rights to developers’ code, but it will also reduce the amount of backdoors in experiences; for example, if I wanted to use HD Admin, I would whitelist the private module from its trusted creator ForeverHD and not the private module from hacker12345. If I find that a private module does have malicious code, I would have the option to unauthorise it as well as report it. In terms of how this whitelist system would look, please see the Roblox Studio mock-up that I designed below for this explanation.

Conclusion

In conclusion, it is safe to say that private modules need to be brought back. Roblox has often emphasised that they value intellectual property rights, but the removal of private modules and their subsequent refusal for them to be brought back (I was told by Roblox that they “are enthusiastically never bringing it back”) gives us the impression that the opposite is true.

Whilst I understand the issue that Roblox wanted to fix, the removal of private modules was not like a cast on a broken leg; instead, it was more like a wet band aid found by a pool that fell off after a minute of being worn. The fix for the issue was rushed and not thought out well, and I hope that Roblox will review the situation, for it is dire. The removal of private modules has caused a rise in piracy, the decline of intellectual property rights on the platform, a crash in the development of Roblox community assets, and an increase in backdoored scripts on the Toolbox: the direct inverse of what Roblox intended to do.

Whilst features such as AI-generated textures are cool, Roblox really needs to get back to basics when it comes to releasing (or in this case re-releasing) features for developers. Bringing back private modules, the framework for which already exists, would be a step in the right direction, and I’ve given them a way to do it that is secure and works well for all parties involved.

Feel free to leave your thoughts below and like this post. Apparently the feature requests category has been closed to new members, so I’ve had to put this here instead. Hopefully we can get Roblox to see it!

7 Likes
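The allowlist proposed in the post above is a platform feature, but the same check can be run today as a static audit of a place's scripts. The following is an added example (Python, not code from the post, from Roblox, or from any product named in this thread): it scans Luau source text for `require(...)` calls, evaluates literal asset IDs, including the hex, exponent, underscore and `tonumber("...")` forms that are used to hide them, ignores commented-out code, and reports any ID that is not on a hypothetical owner-maintained allowlist. It assumes the scripts are available as text on disk (for example a Rojo-synced project); `TRUSTED_MODULE_IDS`, every asset ID and the sample source are constructed for the demo.

```python
"""Static audit of Luau source for external require(<asset id>) calls.

Added example illustrating the allowlist idea from the post above. It is not
Roblox's code nor any real product's. Assumes scripts are on disk as .lua/.luau
text (e.g. a Rojo project). All IDs and sample source are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical allowlist: asset IDs whose require() the place owner has approved.
TRUSTED_MODULE_IDS = {1000001, 1000002}

# Luau numeric literal: decimal (optional fraction/exponent) or hex; underscores allowed.
NUMBER = r"0[xX][0-9a-fA-F_]+|[0-9][0-9_]*(?:\.[0-9_]*)?(?:[eE][+-]?[0-9_]+)?"
BLOCK_COMMENT = re.compile(r"--\[\[.*?\]\]", re.S)
LINE_COMMENT = re.compile(r"--[^\n]*")
# One level of nested parentheses covers require(tonumber("...")) style calls.
REQUIRE_CALL = re.compile(r"\brequire\s*\((?P<arg>[^()]*(?:\([^()]*\)[^()]*)*)\)")
LITERAL_ARG = re.compile(rf"^\s*(?P<n>{NUMBER})\s*$")
TONUMBER_ARG = re.compile(r"""^\s*tonumber\s*\(\s*["'](?P<n>[^"']+)["']\s*\)\s*$""")


@dataclass
class Finding:
    line: int                 # 1-based line in the source
    verdict: str              # "trusted", "untrusted" or "dynamic"
    asset_id: Optional[int]   # None when the argument is not a literal ID
    call: str                 # the require(...) text as written


def _blank_comments(source: str) -> str:
    """Replace comment text with spaces, keeping newlines so line numbers survive.
    Limitation: a '--' inside a string literal is also treated as a comment start."""
    def blank(m: re.Match) -> str:
        return "".join("\n" if c == "\n" else " " for c in m.group(0))
    return LINE_COMMENT.sub(blank, BLOCK_COMMENT.sub(blank, source))


def parse_luau_number(text: str) -> int:
    """Evaluate a Luau numeric literal (hex, decimal, exponent, underscores)."""
    t = text.replace("_", "")
    if t[:2].lower() == "0x":
        return int(t[2:], 16)
    return int(float(t))


def _asset_id(arg: str) -> Optional[int]:
    """Return the asset ID if the argument is a literal number or tonumber("digits")."""
    m = LITERAL_ARG.match(arg) or TONUMBER_ARG.match(arg)
    if not m:
        return None
    try:
        return parse_luau_number(m.group("n"))
    except (ValueError, OverflowError):
        return None


def audit_source(source: str, trusted: set[int] = TRUSTED_MODULE_IDS) -> list[Finding]:
    """Report every live require() call: literal asset IDs are checked against the
    allowlist; anything else (instance paths, computed arguments) is 'dynamic'."""
    findings: list[Finding] = []
    cleaned = _blank_comments(source)
    for m in REQUIRE_CALL.finditer(cleaned):
        line = cleaned.count("\n", 0, m.start()) + 1
        asset_id = _asset_id(m.group("arg"))
        if asset_id is None:
            verdict = "dynamic"
        elif asset_id in trusted:
            verdict = "trusted"
        else:
            verdict = "untrusted"
        findings.append(Finding(line, verdict, asset_id, m.group(0)))
    return findings


def untrusted_ids(findings: list[Finding]) -> set[int]:
    """The set of external module IDs that are not on the allowlist."""
    return {f.asset_id for f in findings if f.verdict == "untrusted"}


# Constructed sample of what the scripts inside a toolbox model might contain.
SAMPLE_SOURCE = '''
-- constructed sample, not real product code
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Config = require(ReplicatedStorage:WaitForChild("Config")) -- instance, not external
local Admin = require(1000001)          -- allowlisted
--[[ require(4444444) in a block comment is not live code ]]
local Store = require( 1_000_002 )      -- allowlisted, underscore literal
local a = require(tonumber("7654321"))  -- id hidden in a string
local b = require(0x75BCD15)            -- hex literal, 123456789
local c = require(7.654321e6)           -- exponent form, 7654321
local d = require(getfenv()["r"])       -- computed argument: review by hand
'''

if __name__ == "__main__":
    for f in audit_source(SAMPLE_SOURCE):
        print(f"line {f.line:>3}  {f.verdict:<9}  {str(f.asset_id or '-'):<10}  {f.call}")
```

A "dynamic" verdict is not evidence of malice (most of a place's own requires are instance paths), but it is the category to read by hand, and a module ID can still be assembled at runtime with `string.char` or `loadstring`, which is why the post argues for the allowlist to be enforced by the platform rather than left to tooling like this.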

I don’t think I’m a huge fan of the idea of adding code that cannot be read to projects, but I will say that there have been recent updates that make Private Modules more feasible, such as the “Sandboxing” Seranok mentioned all those years ago;

How does every game using private admin systems have anything to do with their statement? Do you know for certain that the modules did not contain malicious code? What if the majority of private modules weren’t admin systems?

5 Likes

The great thing about private modules is that you were never obliged to use them. As you outlined, sandboxing helps with this issue, and addresses the security concerns that caused private modules to be banned. Many people create professional services or products for the use of the public, and they want their code to be private so that it can’t be leaked or pirated. If one is uncomfortable using a private module, they by no means have to use one and can use sandboxing to prevent it as well.

As for your point on admin systems, before private modules were removed, all admin systems (such as Kohl’s or HD Admin) used private modules to run. This is so that their admin system wouldn’t be pirated and then put on the Toolbox with backdoors. Nobody knows for certain that those admin systems didn’t contain malicious code, but I would trust that a product like HD Admin from a verified source like ForeverHD would not. You were never under any obligation to use these modules.

Now, you will find pirated copies of HD Admin with backdoors across the Toolbox. Moreover, it is worth pointing out that I never said that the majority of private modules were admin systems, I said that practically every single admin system used private modules. Furthermore, as outlined by my idea, if you suspect that a private module is used for malicious intentions, you can always unauthorise it and then report it. If you don’t feel comfortable using private modules, don’t use them. The great thing with the method I outlined is that you have full control over whether they can be run in your experience or not, but it is unfair to remove this feature when it was so beneficial to developers and many willingly used them since they trusted the creator of the module.

2 Likes

There is this, although I do not know if it will be like private modules.

1 Like

This is really interesting and encouraging to see, although the mention of the need to issue DMCA requests suggests that the code would be open-sourced. I would very much like to see Roblox add an opt-in private module feature as outlined in this post: it would eliminate the risk of unknown backdoors and allow the code from trusted developers to be used without the risk of piracy.

1 Like

While I agree with the merits of having closed-sourced/proprietary modules, I am fully against bringing back private modules. In fact, I think Roblox should remove external module support entirely.

For one, external requires have terrible support. They can’t be type-checked, and they lose out on a lot of optimization opportunities. They also mess with the runtime in a way that clobbers tracebacks. Even if studio did something wacky like download the current module version to get type information from, that would require publicly exposing the source AST which defeats the entire purpose of it being ‘private’.

They are also quite unstable. Since your code is an asset on the cloud now, cloud failures literally prevent your game from running. This could be critical. Remember how loadlibrary would go down like every afternoon and games using it wouldn’t save properly?

There might be some way to make closed-source modules work, but it most definitely should not be done through the old private module system.

1 Like

Whilst I hear your points, it is worth pointing out that bringing back private modules in this fashion would not in any way force you to use them. If you don’t want to use modules because there are multiple issues with them, you don’t have to, but many people do want private modules back and do see a valid use in them.

1 Like

That’s not a very compelling argument. If the majority of people won’t use them due to poor tooling, then there’s no incentive to have them in the first place. Every feature has a cost and if only <20 people out of a thousand find it helpful then that’s not good enough.

1 Like

Naturally, if Roblox were to bring them back, they would need to do some updates to them since Roblox has changed drastically over the years. The development marketplace is huge, and practically every single developer that sells their services laments the loss of private modules since they have been forced to open-source their code against their will.

Roblox needs to understand that there are marketplaces run by thousands of developers, with examples being ClearlyDev, Parcel, Vault, myPod, Packables, dotmarket, Vendr, and even this very forum. I know countless developers, including those who have made systems used by millions of experiences, that would use private modules in a heartbeat if they came back. Private modules need to come back, but as you rightfully highlight, there needs to be some serious work done to improve them if they were to make a return.

Moreover, if Roblox is truly planning on adding a proper developer marketplace to its platform, it will have to look at the needs of developers selling their code on the platform. No developer selling their code would want it to be open-sourced, and submitting DMCA requests over code is notoriously difficult since you never know for sure if it’s being used unless you have access to the suspected experience and the files are already leaked anyways. There is nothing stopping people reusing them under new accounts or secretly taking parts of your code apart.

1 Like

It’s still a security risk for many games, and most people already moved on to obfuscators and sell systems that do not even use modulescripts anymore.

Your entire argument breaks right here, you say you want unreadable code, yet you say devs need to read code of assets they use first. Unless I’m missing something.

I do think a way to distribute private code would be neat, however, the inability to verify the contents of said code is something that is quite invaluable to developers. Unless roblox itself checks the code for you, I do not think this is a good idea.

I do think roblox automatically checking the code would be a decent idea, IF they didn’t use AI, which they would, so it all falls apart really. AI is good for checking things en masse but the “quality” of the checks is very low and surface level.

In reality it’s best to make your own code that fits your use case rather than rely on others. I get not everyone can do that, but having private modules only makes this worse. If there is a private module for everything there is no incentive for new devs to actually learn how to code themselves. Then you end up with a popular module that everyone uses, but oh no, the creator hid a backdoor in it and now everyone who was using that module has to somehow replace it. But what’s this? They don’t know how to code because they only use toolbox assets! Of course that’s unlikely but it’s still a possibility.

2 Likes

This is a really bad idea in every conceivable way.

What you’re proposing is essentially a GitHub where you cannot see the code you clone and run.

Regardless of the obvious security concern (this would be an open invitation for people to create server-side backdoors), I don’t think there’s any other respectable game engine I’ve seen that doesn’t let you view the source/inspect the code of the thing you’ve bought and inserted into your game.

Except for the very niche use-case you mentioned (CheckMeIn), asset/code piracy on Roblox is practically non-existent; the issue you’re describing just doesn’t exist anymore.

Open-source code encourages collaboration from all sides who depend on that reliable service. A good example is how I’ve personally fixed & improved a lot of code from ContextActionUtility for my project’s use, which I plan to publicly release soon as it addresses a lot of the bugs the users had issues with.

I see no future where closed-source Modules could be feasible. Embrace open-source!

1 Like

this will destroy script builder skids

10/10 needs to be added

1 Like

The issue with obfuscators is that they can be cracked, and you cannot distribute such assets on the marketplace as it would break Roblox ToS I believe.

Allow me to clarify. When I say that developers should check the code they use, what I mean is that if they do not know that there are private modules in the code that they use from a developer they do not trust, that is their own responsibility. However, whilst that is my personal opinion, I recognise not all developers possess the skills or knowledge to do so. As such, I propose the whitelist system, which is an opt-in system that nobody is required to use if they do not want to, eliminating the potential for unintended private modules running in one’s experience.

With regards to your point about not being able to see the code making systems invaluable, I would wholeheartedly disagree. No software developer in their right mind would allow you to see their code unless it was open-source, and the same goes for the Roblox platform. If I am using code from a trusted developer, I would be content in not seeing the code. That’s why the whitelist system is such a good idea because it allows you to control whose code runs in your game. Evidence of developers being content in not seeing code can be found in the fact that thousands used systems like HD Admin when they were using private modules.

As for your point on “it’s best to just make your own code”, not all developers have the time or resources to do so. Many people sell their code and their assets and there is a reason why this market is so large and so active. Roblox is famous for being accessible to all, regardless of their knowledge when it comes to developing. As such, implying that you need to become a professional developer to make experiences defeats the whole point of Roblox: they might as well use Unity.

To call CheckMeIn a niche use-case proves a complete lack of understanding about a large portion of the Roblox platform. The vast majority of games on Roblox are not like Jailbreak or Adopt Me, they are often roleplay games run by enthusiasts who don’t possess the knowledge required to make everything they need.

This is why such large markets for systems for various types of communities exist on the Roblox platform, with examples of them being ClearlyDev, Parcel, Vault, myPod, Packables, dotmarket, Vendr, and even this very forum. ClearlyDev itself has facilitated a whopping $2,328,845 worth of sales. To see the thousands of products and services available on there and the thousands of sales done on these platforms and to say that it’s a “niche use-case” is pure fallacy. Just because you don’t use such marketplaces doesn’t mean others don’t, and the fact that Roblox is looking at making their own proves their importance.

Roblox clearly wants developers to sell their products and services because they want to encourage such markets. For this to happen, you will need some closed-source capability to prevent piracy. Many developers, including myself, earn our living off of providing our services to other developers: as it stands, I do not have the time to manage a full experience. I wish piracy no longer existed on Roblox, but I can tell you from experience that it still does. In fact, Vault has brought out a feature that alerts you of potential piracy because it’s just that much of a risk, so no, I’m not going to just “embrace open-source”.

The types of Roleplay games CheckMeIn would have been used for are not the “vast majority”, and even when they were more popular they still weren’t majority. Those sorts of Roleplay games on Roblox with high focus on interaction with receptionists (eg. Frappe, Bloxton Hotel…) were never the vast majority.

Just because you’re in the communities and mostly interact with them, it doesn’t mean they represent the overall Roblox playerbase.

You are frankly delusional if you’d rather put so many of the same roleplay games, run by the enthusiasts who don’t possess the knowledge required whom you pretend to care about, at a massive security risk only to benefit a really small subset of the Roblox developer ecosystem.

As I’ve mentioned in my PM with you before, the only way for closed-source modules to even be remotely secure from pirating is if the only thing the cloud served to the studio client was the module’s bytecode.

Let me reiterate that this is impossible to do. The Luau compiler and VM are always changing to use different bytecode versions with different instructions, libraries and optimizations. There is simply no way to keep the cloud’s compiler and studio’s VM in sync.

For external modules to work properly, studio must be able to download the full source so it can compile and run everything correctly. Since the full source would have to be sent over the wire, stealing it becomes trivial. In fact, this was already possible with the old ‘private module’ system, and that was part of the reason why it was scrapped. It’s an inherently insecure method of doing closed-source software.

I know you and an entire community would benefit from closed-source modules but understand that making it work in an acceptable way isn’t really possible. Even paid plugins today are facing issues with pirating because that’s just how Roblox is built.

1 Like