Urgent: Roblox 2FA Bypass – Hackers Can Access Accounts Without Username or Password!

And then we arrive back at the same “problem” you are trying to point out with email, only that SMS is likely far easier to breach than your email. Email is pretty easy to secure if you actually are concerned about security since they support things like Security Keys for account access.

Am I reading this right? If your email is compromised (and you’re using email 2FA), your account is gone with or without the one-time code; they can just change your password.

To note, a malicious actor still needs to know (or guess) what one-time code you were sent. Yes, they can theoretically bypass passwords with this, but they still need to guess that code, which is seemingly a 6-digit code that has a lifetime of 15 minutes. The malicious actor also presumably doesn’t get clarification on whether the email even has a Roblox account, so they could waste time.

The rate limit is probably pretty heavy, but even then, a malicious actor only needing to guess 6 digits, and just retrying later if they fail, isn’t really secure at all either. The code is certainly too short, and in my opinion, that is the true massive flaw with this feature; had the code been longer, we wouldn’t have this issue, since it would end up being the equivalent of guessing a time-sensitive password.


As for the case where someone is already in your email, you’re already in massive trouble at that point. Someone can reset your password and effectively lock you out. This feature was presumably made to mimic the process of resetting a password, so it’s likely intended to match it:

In the meantime, if you are currently concerned about being hacked this way, hardware security key 2FA is probably the way to go. If that isn’t available to you, use authenticator 2FA. This feature shouldn’t bypass any 2FA flow except email. More importantly, you should ideally not use your Roblox-connected email for anything, especially development-related stuff. Not only does it open you up to this attack, but it also opens you up to more phishing attacks.

If this happens, it is a bug; email 2FA shouldn’t activate when using this feature.


I’m no security professional either so I may be getting stuff wrong here; take what I say with a grain of salt.

3 Likes
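The post above argues that a 6-digit code is too short even behind a rate limit, because an attacker can simply wait for the code to expire and try again against a fresh one. The following is an added example written for this thread, not code from the original post or from Roblox: it puts numbers on that "retry later" strategy for any code length and per-code attempt cap, and shows the server-side controls (CSPRNG code, hard expiry, per-code attempt cap, single use, constant-time compare) that make the guess budget the only thing an attacker gets. The 6 digits and 15-minute lifetime come from the thread; the attempt cap of 5 per code, the `EmailCodeVerifier` class and every other parameter are assumptions for illustration, since the thread says nothing specific about how the real rate limit works.

```python
"""Added example (not from the thread): online guessing odds against a short
one-time code, and a minimal verifier that bounds those odds.

Assumed parameters: 5 attempts per issued code, 6 digits, 15-minute lifetime.
Only the last two come from the thread; the rest are illustrative guesses.
"""
import hmac
import math
import secrets
import time


def success_probability(digits: int, attempts_per_code: int, codes_tried: int = 1) -> float:
    """Chance of hitting a uniformly random `digits`-digit code when the attacker
    gets `attempts_per_code` guesses per issued code and repeats the attack
    against `codes_tried` independently issued codes (the "retry later" strategy)."""
    per_code = min(1.0, attempts_per_code / 10 ** digits)
    return 1.0 - (1.0 - per_code) ** codes_tried


def codes_needed(digits: int, attempts_per_code: int, target: float = 0.5) -> int:
    """How many fresh codes the attacker must trigger to reach `target` success
    probability. Each extra digit multiplies this by 10, which is the post's point
    that a longer code turns the attack into guessing a time-limited password."""
    per_code = min(1.0, attempts_per_code / 10 ** digits)
    if per_code >= 1.0:
        return 1
    # log1p keeps precision for the tiny per-code probabilities of long codes
    return math.ceil(math.log(1.0 - target) / math.log1p(-per_code))


class EmailCodeVerifier:
    """Server-side verifier (illustrative, not Roblox's): random code, hard expiry,
    per-code attempt cap, single use, constant-time comparison.
    `now` is injectable so expiry can be exercised without sleeping."""

    def __init__(self, digits=6, lifetime_s=15 * 60, max_attempts=5, now=time.time):
        self.digits = digits
        self.lifetime_s = lifetime_s
        self.max_attempts = max_attempts
        self._now = now
        self._pending = {}  # email -> (code, issued_at, attempts_used)

    def issue(self, email: str) -> str:
        # secrets.randbelow is CSPRNG-backed; zfill keeps leading zeros so every
        # code is exactly `digits` long and the space really is 10**digits
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        self._pending[email] = (code, self._now(), 0)
        return code  # in a real system this is emailed, never returned to the client

    def verify(self, email: str, guess: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        code, issued_at, used = entry
        if self._now() - issued_at > self.lifetime_s or used >= self.max_attempts:
            # expired or attempt budget exhausted: drop it so a new code must be issued
            self._pending.pop(email, None)
            return False
        # compare_digest handles unequal lengths (returns False) without timing leaks
        ok = hmac.compare_digest(code.encode(), guess.encode())
        if ok:
            self._pending.pop(email, None)  # single use
        else:
            self._pending[email] = (code, issued_at, used + 1)
        return ok


if __name__ == "__main__":
    for digits in (6, 8, 10, 12):
        print(f"{digits} digits, 5 tries/code: "
              f"p(one code)={success_probability(digits, 5):.2e}, "
              f"codes for 50%={codes_needed(digits, 5):,}")
```

With the assumed 5 attempts per code, a 6-digit code gives the attacker roughly a 1-in-138,000 chance per issued code and 50% odds after about 138,600 fresh codes, each of which lands in the victim's inbox; at 12 digits the same strategy needs on the order of 10^11 codes. The verifier enforces the cap per issued code, which is the part that matters: a global rate limit that resets when a new code is requested would let the attacker bank the full budget again on every retry.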

My goat KrimsonWolf back at it with another useless topic

4 Likes