Vulnerability Disclosures
- Detecting player Robux balances
- CSRF in sending two-step verification message
- CSRF in group endpoints
- Injecting Lua code into game servers via Player.CharacterAppearance
- Detecting the existence of a given local file using path traversal
- ContentProvider vulnerable to path traversal attacks
- Using unmoderated game assets via asset handler
- CSRF in uploading assets
- Game server fork bomb
- Stealing a player's games
- Injecting Lua code into game servers using CreatePlaceInPlayerInventoryAsync
- Personal information disclosure via console
- Stealing a player's virtual currency
- Using unmoderated game assets
- Bypassing HttpService's rate limits
- Bypassing MAC address bans
- CSRF in changing group member ranks
- CSRF in email verification page
- Changing any user's birthdate or chat privacy setting
- Overwriting local files from Studio plugins
- CSRF in friend endpoints
- Reflected XSS in outdated JavaScript library
- Stealing the game server authentication key
- Creating a clan for any group
- Using unmoderated game assets
- Stealing the source of server scripts via HopperBins II
- Stealing a user's Robux from a Studio plugin
- Stealing the source of server scripts via HopperBins I
- Session hijacking in Studio
- CSRF in mobile site endpoints
- Unthrottled login endpoint
- Injecting Lua code into game servers using an unvalidated redirect and Player.CharacterAppearance
- Injecting Lua code into game client via querystring injection
- CSRF in reporting MAC addresses
- Uploading Luas as any user
- Persistent XSS in group admin page
- Persistent XSS in Studio's toolbox
- CSRF on sets page
- Fetching information from a third-party website by bypassing a filter
- XSS in About Me