Vulnerability with Limited UGC Purchase Prompts // CSRF Vulnerability // Purchase Reversion Requested

There was a recent vulnerability with prompting Limited UGC purchases in games which allowed exploiters to prompt purchases from the client, resulting in the loss of Limited UGC copies for many creators.

The exploiters were able to trigger PromptPurchase from the client. This is furthered by the fact that in my experience’s logs we were able to see the exploiters triggering an endpoint that is on the MarketplaceService:PromptPurchase success callback.

This vulnerability was initially seen on March 30, and documented here:
https://x.com/Roblox_RTC/status/1774300470594474491?s=20

I am knowledgeable that Roblox is aware of this issue, but want to open this lane of transparency, specifically to creators whose items were affected by this vulnerability. Creators, including myself, lost UGC copies (that we paid to have uploaded to the site).

I have provided more specifics on who the exploiters are, which of my items were affected, and additional screenshots in the private comment.

Expected behavior

UGC Limiteds should only be prompted from the server, not the client.

A private message is associated with this bug report

4 Likes
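Added example, not code from the report above or from Roblox: a server Script showing the pattern the expected behavior describes, with the purchase prompt issued only by the server from an allowlist and the reward granted only from the server-side PromptPurchaseFinished signal rather than from any client-reported success. The RemoteEvent name, the asset IDs and the grantReward body are assumptions for illustration.

```lua
-- Server Script (ServerScriptService). Added example; assumes a RemoteEvent
-- named "RequestPurchase" in ReplicatedStorage that clients fire with an asset ID.
local MarketplaceService = game:GetService("MarketplaceService")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

local RequestPurchase = ReplicatedStorage:WaitForChild("RequestPurchase")

-- Allowlist of asset IDs this experience sells. Placeholder IDs, not from the thread.
local SELLABLE_ASSETS = {
	[100000001] = true, -- placeholder limited UGC asset
	[100000002] = true, -- placeholder limited UGC asset
}

-- Simple per-player cooldown so a client cannot spam prompt requests.
local COOLDOWN_SECONDS = 5
local lastPromptAt = {} -- UserId -> os.clock() of last prompt

local function canPrompt(player, assetId)
	if typeof(assetId) ~= "number" or not SELLABLE_ASSETS[assetId] then
		return false, "asset is not sold by this experience"
	end
	local now = os.clock()
	local last = lastPromptAt[player.UserId]
	if last and (now - last) < COOLDOWN_SECONDS then
		return false, "prompt cooldown active"
	end
	lastPromptAt[player.UserId] = now
	return true, nil
end

-- Hypothetical in-experience reward; replace with the experience's own logic.
local function grantReward(player, assetId)
	print(("granting reward for asset %d to %s"):format(assetId, player.Name))
end

-- The client only *asks*; the server decides whether a prompt is issued at all.
RequestPurchase.OnServerEvent:Connect(function(player, assetId)
	local ok, reason = canPrompt(player, assetId)
	if not ok then
		warn(("rejected prompt request from %s (%d): %s"):format(player.Name, player.UserId, tostring(reason)))
		return
	end
	MarketplaceService:PromptPurchase(player, assetId)
end)

-- Grant on the server-side completion signal only. A client can fire its own
-- RemoteEvents, but it cannot forge this engine-raised event on the server.
MarketplaceService.PromptPurchaseFinished:Connect(function(player, assetId, isPurchased)
	if not isPurchased then
		return
	end
	if not SELLABLE_ASSETS[assetId] then
		-- A completed purchase for an asset this server never prompts is worth logging
		-- and investigating, since it did not come through the request path above.
		warn(("purchase finished for unlisted asset %d by %s (%d)"):format(assetId, player.Name, player.UserId))
		return
	end
	grantReward(player, assetId)
end)

Players.PlayerRemoving:Connect(function(player)
	lastPromptAt[player.UserId] = nil
end)
```

This protects the experience's own grant logic (the "success callback" path the report mentions) from being driven by client-side code, and logs completed purchases the server never prompted so they can be correlated with the kind of activity the report describes. It does not by itself prevent a client from calling MarketplaceService:PromptPurchase directly, which the engine permits from LocalScripts; that part is the platform-level issue the report is raising, not something an experience can close on its own.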

There’s really no way to make earning UGC catalog items work from the server. If it’s better in the future, there will be a feature that allows granting users the items instead of using the prompt purchase methods.

:confused:

It seems like this form of exploiting the ‘PromptPurchase’ has returned in a different way. Several games are already affected from what I see, but Roblox hasn’t noticed this new exploit yet. :fearful:

I was affected by these exploiters; they stole 200 out of the 300 copies I had of my limited item. Proof of what I saw about this exploit is in this tweet: https://x.com/xxineed69/status/1783208994729046332