Vulnerability with Limited UGC Purchase Prompts // CSRF Vulnerability // Purchase Reversion Requested

There was a recent vulnerability with prompting Limited UGC purchases in games which allowed exploiters to prompt purchases from the client, resulting in the loss of Limited UGC copies for many creators.

The exploiters were able to trigger PromptPurchase from the client. This is furthered by the fact that in my experience’s logs we were able to see the exploiters triggering an endpoint that is on the MarketplaceService:PromptPurchase success callback.

This vulnerability was initially seen on March 30, and documented here:

I am knowledgeable that Roblox is aware of this issue, but want to open this lane of transparency, specifically to creators who’s items were affected by this vulnerability. Creators, including myself, lost UGC copies (that we paid to have uploaded to the site).

I have provided more specifics on who the exploiters are, which of my items were affected, and additional screenshots in the private comment.

Expected behavior

UGC Limiteds should only be prompted from the server, not the client.

A private message is associated with this bug report


There’s really no way to make earning UGC catalog items from server. If it’s better in the future, there will be a feature that allows granting users the items instead of using the prompt purchase methods.