Anaminus / roblox-bug-tracker

Formerly an unofficial bug tracker for Roblox.

[Ripull] Any place or model can be stolen on ROBLOX now. Stolen assets being sold on the black market. #691

Closed MrJimenex closed 8 years ago

MrJimenex commented 8 years ago

Post On Reddit By Ripull

Unfortunately, there has been a recent new exploit that has surfaced that allows malicious users to take any place or model, up to and including inactive places. This is not a geometry or local script stealer. This takes everything, up to and including assets within ServerScriptService and ServerStorage.

A thread posted on vermillion's website (which I shall not link) shows examples of copied places. The examples given were:

Phantom Forces: http://puu.sh/jvcC1/8a49a54d29.jpg

Apoc Rising Reimagined: http://puu.sh/jvcMt/6e112188d9.jpg

Mad Games: http://puu.sh/jvcx9/f291ab71f2.png

There's not much information publicly available about this yet apart from this: http://i.imgur.com/4mnii9W.png

The users affected are everyone. Everyone is vulnerable to this and there appears to be nothing that can be done about it. Not even setting your game to a baseplate is meant to avoid this.

Also these assets are being sold on the black market for several hundred dollars per game. Use common sense and don't buy them if you're thinking of doing it. One can only imagine what is going to happen to people publishing/using these stolen assets once ROBLOX Corp. react to this.

There is currently no reaction from ROBLOX Corp. as this has occurred over this weekend.

Will update with more vulnerability information when/if it becomes available.

The0neThe0nly commented 8 years ago

No repro steps?

Squidcod commented 8 years ago

If there were repro steps I would greatly appreciate it if they were privately sent to an appropriate employee of ROBLOX and NOT broadcast in a public forum as with most high risk things like this.

Sending them to me would allow me to forward the steps to the appropriate folks such as moderators, info@roblox.com, engineers and so on.

I am a valid person to send them to.

MrJimenex commented 8 years ago

Ask Ripull

magiccube3 commented 8 years ago

Discoverer of vulnerability isn't releasing the method used to steal content.

Discovery and patch of exploit will have to be completely done on Roblox's behalf.

chc4 commented 8 years ago

There's really no reason for this to be an issue on this tracker. It's not exactly a bug, and doesn't provide any information to the devs to fix it.

MrJimenex commented 8 years ago

Just leave it as a hole that ROBLOX have to patch up

magiccube3 commented 8 years ago

Why is the issue re-opened?

MrJimenex commented 8 years ago

I accidentally closed and commented.

aemino commented 8 years ago

This issue has already been fixed. Please close it.

matthewdean commented 8 years ago

Vulnerabilities should be sent to ConvexHero or emailed to info@roblox.com, not posted in a bug tracker.

MrJimenex commented 8 years ago

Sorry for the inconvenience, I was not aware of this.