There was a recent vulnerability with prompting Limited UGC purchases in games which allowed exploiters to prompt purchases from the client, resulting in the loss of Limited UGC copies for many creators.
The exploiters were able to trigger PromptPurchase from the client. This is further supported by the fact that in my experience's logs we were able to see the exploiters triggering an endpoint that is on the MarketplaceService:PromptPurchase success callback.
This vulnerability was initially seen on March 30, and documented here:
https://x.com/Roblox_RTC/status/1774300470594474491?s=20
I know that Roblox is aware of this issue, but want to open this lane of transparency, specifically for creators whose items were affected by this vulnerability. Creators, including myself, lost UGC copies (that we paid to have uploaded to the site).
I have provided more specifics on who the exploiters are, which of my items were affected, and additional screenshots in the private comment.
Expected behavior
UGC Limiteds should only be prompted from the server, not the client.
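As an added example of the server-authoritative pattern this expected behavior describes (not code from the original report, and not a fix for the platform-side issue it reports, since it cannot stop a client calling the engine API in its own context), the server script below is the only place PromptPurchase is called, and the purchase outcome is read from the engine's own event rather than from anything the client reports. The RemoteEvent name, the asset allowlist values and the cooldown are assumptions.

```lua
-- Server Script (ServerScriptService). Assumed: a RemoteEvent named
-- "RequestLimitedPurchase" in ReplicatedStorage that the client fires
-- to ask for a prompt; the client never calls PromptPurchase itself.
local MarketplaceService = game:GetService("MarketplaceService")
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local requestPurchase = ReplicatedStorage:WaitForChild("RequestLimitedPurchase")

-- Assumed allowlist of asset IDs this experience may prompt (placeholder value).
local ALLOWED_ASSET_IDS = {
	[0] = true, -- PLACEHOLDER_ASSET_ID
}

local PROMPT_COOLDOWN = 5 -- seconds; assumed per-player rate limit
local lastPrompt = {}     -- UserId -> os.clock() of last prompt

local function canPrompt(player, assetId)
	-- Reject anything not on the allowlist or not a whole number.
	if typeof(assetId) ~= "number" or assetId ~= math.floor(assetId) then
		return false, "bad asset id"
	end
	if not ALLOWED_ASSET_IDS[assetId] then
		return false, "asset not allowed"
	end
	local last = lastPrompt[player.UserId]
	if last and os.clock() - last < PROMPT_COOLDOWN then
		return false, "cooldown"
	end
	return true
end

requestPurchase.OnServerEvent:Connect(function(player, assetId)
	local ok, reason = canPrompt(player, assetId)
	if not ok then
		warn(("Rejected prompt request from %s: %s"):format(player.Name, reason))
		return
	end
	lastPrompt[player.UserId] = os.clock()
	MarketplaceService:PromptPurchase(player, assetId) -- server issues the prompt
end)

-- Outcome comes from the engine-fired event; a client remote saying
-- "I bought it" is never trusted. Ownership is re-checked server-side.
MarketplaceService.PromptPurchaseFinished:Connect(function(player, assetId, isPurchased)
	if not ALLOWED_ASSET_IDS[assetId] then
		warn(("Prompt we never issued finished: %s asset %d"):format(player.Name, assetId))
		return
	end
	if isPurchased and MarketplaceService:PlayerOwnsAsset(player, assetId) then
		-- grant the in-experience reward here
	end
end)

Players.PlayerRemoving:Connect(function(player)
	lastPrompt[player.UserId] = nil
end)
```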
A private message is associated with this bug report