Vulnerability with Rights Manager/DMCA Process allows false DMCA claims

Post rewritten to add clarification upon new updates to the issue.

There have been multiple leaked methods of exploiting vulnerabilities within Roblox’s DMCA process through emailing copyright-agent or using Rights Manager.

These processes involve downloading the mesh of whatever asset you plan to steal and performing varying steps in order to trick the Rights Manager or whoever/whatever manages DMCA claims into believing the stolen asset is the ‘original’ in some way, shape, or form.

More details are included in the Private Message in order to prevent spread of these methods; however, these methods of abusing the vulnerabilities in the DMCA process are public and have been used to permanently ban 3 Roblox accounts as of this post’s edit date.

This vulnerability is risking, and has risked, the livelihood of every user on Roblox, especially those who rely on the Marketplace for their income/career.

05/22 Update: The method utilizing the Rights Manager seems to have been patched; however, you are still able to claim false DMCA strikes using Roblox’s copyright_agent email address using the same steps as listed in the private message.

05/22 Update 2: It seems that most of the methods in the private message have been silently patched. There is no clear indication of whether utilizing separate domains to host stolen assets is patched or not. Any response will be appreciated!

Page URL: https://create.roblox.com/dashboard/rights-manager

A private message is associated with this bug report

Original Post

A recent vulnerability with the Rights Manager allows anyone to falsify DMCA claims. Specifics are listed under the Staff Only section to prevent spreading the method.

This exploit can completely destroy the livelihood of many users on the website that rely on the Marketplace as their career. This exploit can also be used to target certain individuals, like Star Creators, and prevent them from uploading anything publicly on the Marketplace.


Update: A new vulnerability has been found that affects Roblox’s DMCA process as a whole.
More detail is listed in the private message. So far, there are at least 3 users affected by these 2 vulnerabilities.

Update 2: Another similar vulnerability has been leaked. Details are in the private message.

In general, the DMCA process seems to be heavily flawed and requires a ton more detailed checks before making decisions, whether or not this is facilitated with AI or human intervention.

9 Likes

This is just an acknowledgment announcement!

We’ve filed a ticket into our internal database for this issue and will start investigating. We will update you when we have further information.

Thanks for flagging!

3 Likes

I first want to state that I’m glad Roblox was able to work on patching these methods during the week of this initial bug report.

However, I’m hearing word that this vulnerability exists once again. Specifically, the ‘override’ method as stated in my private message.

Would you, or any other staff member, be able to confirm this? Hopefully it’s patched and there’s been some mistake.