Thumbnails of moderated assets (including decals) can be used in-game

The thumbnails of moderated assets are accessible via Open Cloud and the in-engine rbxthumb:// scheme.
This renders decal/image moderation useless, as it can be completely bypassed (at least for 180 days since moderation).

assetdelivery.roblox.com/v1/asset?id={id} returns code 403
create.roblox.com/store/asset/{id} returns code 403
thumbnails.roblox.com/v1/assets?assetIds={id} returns code 200 with an image URL
rbxassetid://{id} does not load the decal’s image
rbxthumb://type=Asset&w=700&h=700&id={id} successfully loads the decal’s thumbnail

Expected behavior

The thumbnails of moderated assets should not be accessible.

A private message is associated with this bug report
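
As an added example (not part of this report or of Roblox's own code), the following script shows how a developer could audit a batch of asset ids for the inconsistency described above: Asset Delivery answering 403 while the Thumbnails API still returns a real image rather than the "Blocked" placeholder. The response field names (data[].targetId, state, imageUrl), the query parameters other than returnPolicy=PlaceHolder, and all ids and URLs are assumptions or constructed samples; the audit logic itself runs offline on the embedded sample.

```python
"""Reconcile Asset Delivery status with Thumbnails API state for a set of assets.

Constructed example: given the HTTP status that assetdelivery.roblox.com/v1/asset
returned per asset id (403 = refused, which the report observes for moderated
decals) and the JSON body from thumbnails.roblox.com/v1/assets, flag assets whose
thumbnail still resolves to an image instead of the "Blocked" placeholder state.
Field names are assumed from the endpoint's public response shape.
"""
import json
from typing import Dict, List

# Constructed sample Thumbnails API body; ids and URLs are placeholders, not real assets.
SAMPLE_THUMBNAIL_RESPONSE = json.dumps({
    "data": [
        {"targetId": 1001, "state": "Completed",
         "imageUrl": "https://tr.rbxcdn.com/PLACEHOLDER-HASH-1001/420/420/Image/Png"},
        {"targetId": 1002, "state": "Blocked", "imageUrl": ""},
        {"targetId": 1003, "state": "Completed",
         "imageUrl": "https://tr.rbxcdn.com/PLACEHOLDER-HASH-1003/420/420/Image/Png"},
    ]
})

# Constructed sample: status codes observed from assetdelivery.roblox.com/v1/asset?id={id}
SAMPLE_DELIVERY_STATUS = {1001: 403, 1002: 403, 1003: 200}


def thumbnails_url(asset_ids: List[int], size: int = 420) -> str:
    """Build the Thumbnails API URL with returnPolicy=PlaceHolder (size/format assumed)."""
    ids = ",".join(str(i) for i in asset_ids)
    return (f"https://thumbnails.roblox.com/v1/assets?assetIds={ids}"
            f"&size={size}x{size}&format=Png&returnPolicy=PlaceHolder")


def parse_thumbnail_states(body: str) -> Dict[int, dict]:
    """Index a Thumbnails API JSON body by targetId, skipping malformed entries."""
    payload = json.loads(body)
    states: Dict[int, dict] = {}
    for entry in payload.get("data", []):
        try:
            target_id = int(entry["targetId"])
        except (KeyError, TypeError, ValueError):
            continue  # malformed row: skip it rather than abort the whole audit
        states[target_id] = {
            "state": entry.get("state", ""),
            "imageUrl": entry.get("imageUrl") or "",
        }
    return states


def find_leaked_thumbnails(delivery_status: Dict[int, int],
                           thumb_states: Dict[int, dict]) -> List[int]:
    """Return ids that Asset Delivery refuses (403) but whose thumbnail is not blocked.

    An asset counts as leaked only when its thumbnail state is something other
    than "Blocked" AND an image URL is present; a blocked placeholder with an
    empty imageUrl is the expected post-moderation result.
    """
    leaked = []
    for asset_id, code in sorted(delivery_status.items()):
        if code != 403:
            continue  # not refused by Asset Delivery: nothing to reconcile
        thumb = thumb_states.get(asset_id)
        if thumb is None:
            continue  # no thumbnail row returned for this id
        if thumb["state"] != "Blocked" and thumb["imageUrl"]:
            leaked.append(asset_id)
    return leaked


if __name__ == "__main__":
    states = parse_thumbnail_states(SAMPLE_THUMBNAIL_RESPONSE)
    print("would query:", thumbnails_url(sorted(SAMPLE_DELIVERY_STATUS)))
    for aid in find_leaked_thumbnails(SAMPLE_DELIVERY_STATUS, states):
        print(f"asset {aid}: Asset Delivery 403 but thumbnail state {states[aid]['state']!r}")
```

In practice the two inputs come from live requests to the endpoints named in the report; any id the script lists is exactly the case the reporter describes and can be passed on to Roblox for clearing, as the staff reply in this thread invites.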

Hi, thanks for reporting this.

For moderated assets, the Thumbnail API will return a 200 status code, but the thumbnail image itself should be a “blocked” placeholder image. Could you let us know if what you’re seeing is that blocked image, or the actual thumbnail of the moderated asset? This will help us understand the situation better.

I am seeing the actual thumbnail, not a fallback/blocked image.
I sent an example in the private information message.

I’m fetching the endpoint with returnPolicy=PlaceHolder if it provides any additional context.

The example I sent in private information now has the “Blocked” state on the thumbnails API.
However, the issue still does not appear to be fixed.
Edit: I’ve updated private information to include a different (but similar) asset.

Is it possible that the cached 180 day thumbnails are not deleted/cleared after moderation?

@BLRbx88 The scope of this issue was underestimated. Thumbnails of moderated decals are also available/loaded in-engine.
I have updated private information with an updated decal, alongside screenshots of the thumbnail loaded in-engine.

Has this been fixed? I attempted to reproduce by reporting a decal and checking the thumbnail, and it was successfully blocked.
Seems like only the pre-fix 180-day thumbnails are remaining…?

While it appears that newly moderated assets now correctly update their thumbnails, (some) existing (extremely NSFW) thumbnails of moderated assets still work.
Can I manually pass these on to get them prematurely cleared/removed?

Hi,
Apologies for the delay in getting back to you and thank you for your patience.

I’ve reviewed those cases together with our safety team, and it appears that the issue was caused by a gap in the moderation pipeline that allowed some assets to appear without being properly reviewed. The responsible team is already aware and actively addressing the problem.

As for why the Asset Delivery API returns a 403 while the Thumbnail API does not — this is due to additional user authentication checks on the Asset Delivery API side. It’s not related to moderation status. Since many thumbnails are publicly accessible, the Thumbnail API does not require the same level of user authentication and will not display any images from moderated or restricted assets.

Also, please feel free to share those thumbnails with us; we’ll make sure they are handled appropriately.

If there are moderated assets (decals/images) that are still available via the thumbnails API, how can I get these ‘fixed’?
Can I directly message these to you?