ROBLOX Forum » Game Creation and Development » Scripters
Re: Seranok should be ashamed [INFORMATIONAL]

ColorfulBody
Joined: 17 Jun 2012
Total Posts: 2353
01 Oct 2013 01:06 AM
Seranok found a way to send a GET request to any URL on the Internet and, if the reply is in XML and corresponds to the right format (saying what format it is would give it away), to get the response. This enabled him to set up a web server and to send requests to it with parameters in the URL. The server would then save the data and return it in the response when another server requested another URL on the same server. Data could then be transferred from one server to another.

He was able to use this to create inter-server chat, which many of us saw a live demonstration of and which worked. He also wanted to use it for other things. It was leaked by Shedletsky, who either used Fiddler to find out or looked directly at the place file using his special abilities (which of those he did is not known for sure).

It turned out Shedletsky leaked the URL to the domain which corresponded to Seranok's web server. The domain had to be on the .com TLD and its name had to end with "roblox" because ROBLOX did the filtering by only accepting requests to URLs in which the domain ended with "roblox.com", without thinking about the fact that other domain names could be registered that ended with roblox.com without being owned by ROBLOX (such as abcroblox.com).

One of the many reasons why Seranok should be ashamed is because his web server ended up not being very well protected, or in fact protected at all. The hierarchy was visible and so it was possible to explore the contents of the site, and someone found some code hosted there that contained the bug (exploit?) Seranok was using to send requests to that web server. It was leaked.

The server was very badly secured, such that RenderSettings was able to upload files to it. He uploaded a PHP shell there and messed up the server, but what really annoyed Seranok is that his method for sending requests and getting the response had been leaked, meaning it would be patched.

He then started complaining about what Shedletsky and RenderSettings did, but he is the one who should be ashamed of himself for having such a badly secured website in the first place, for leaving the hierarchy visible, for putting the code on the website and for not using authentication from the games in which he uses the server to communicate with them.
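The filtering bug the post describes (accept the request if the domain ends with "roblox.com", so abcroblox.com passes) is a classic allow-list mistake. The following Python is an added example, not code from the thread or from ROBLOX (the real filter's source is not on the page): it reconstructs the suffix check as described, puts the corrected label-boundary check next to it, and runs both over a constructed list of probe URLs. Every hostname other than roblox.com is made up for illustration.

```python
"""Host allow-listing: string-suffix check (as described in the thread)
versus a parsed, label-boundary check. Added example; not the original
ROBLOX code. All hosts except roblox.com are constructed for illustration."""
from typing import Dict, Optional
from urllib.parse import urlsplit

ALLOWED_DOMAIN = "roblox.com"


def host_of(url: str) -> Optional[str]:
    """Return the lower-cased host the request would actually be sent to,
    or None if the URL is not a plain http(s) URL with a host.
    Using the parser (not string search) strips userinfo, port and
    trailing dots, so 'http://www.roblox.com@evil.example/' resolves to
    evil.example rather than looking like a roblox.com host."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname
    if not host:
        return None
    return host.lower().rstrip(".")


def suffix_check(url: str) -> bool:
    """The check the post describes: accept if the host ends with the
    string 'roblox.com'. 'abcroblox.com' ends with that string too."""
    host = host_of(url)
    return host is not None and host.endswith(ALLOWED_DOMAIN)


def allowlist_check(url: str) -> bool:
    """Corrected check: the host is exactly the allowed domain, or a
    subdomain of it. The leading '.' forces a DNS label boundary, so
    'abcroblox.com' no longer matches while 'www.roblox.com' still does."""
    host = host_of(url)
    if host is None:
        return False
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


# Constructed probes: (url, expected result of the corrected check).
PROBES = [
    ("http://www.roblox.com/api", True),            # legitimate subdomain
    ("https://roblox.com/", True),                  # apex domain
    ("http://www.roblox.com:8080/relay", True),     # port does not matter
    ("http://abcroblox.com/relay?d=1", False),      # the bypass from the thread
    ("http://roblox.com.attacker.example/", False), # prefix trick
    ("http://www.roblox.com@attacker.example/", False),  # userinfo trick
    ("ftp://www.roblox.com/", False),               # wrong scheme
]


def run_probes() -> Dict[str, Dict[str, bool]]:
    """Evaluate both checks on every probe. Returns
    {url: {'suffix': bool, 'allowlist': bool, 'expected': bool}}."""
    return {
        url: {
            "suffix": suffix_check(url),
            "allowlist": allowlist_check(url),
            "expected": expected,
        }
        for url, expected in PROBES
    }


def bypasses() -> list:
    """URLs the suffix check lets through that the corrected check rejects."""
    return [u for u, r in run_probes().items() if r["suffix"] and not r["allowlist"]]


if __name__ == "__main__":
    for url, r in run_probes().items():
        print(f"{url:45} suffix={r['suffix']!s:5} allowlist={r['allowlist']!s:5}")
    print("bypasses:", bypasses())
```

The only difference between the two checks is the dot prepended before the suffix comparison, plus doing the comparison on the parsed hostname rather than on the raw URL string; both are needed, since a check on the raw string could also be satisfied by putting "roblox.com" in the userinfo, path or query.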
Techboy6601
Joined: 29 Jun 2009
Total Posts: 4914
01 Oct 2013 01:09 AM
because when exploiting a security hole, the most important priority is security
MrgamesNwatch
Joined: 02 Feb 2009
Total Posts: 7729
01 Oct 2013 01:19 AM
Ah, well isn't that exciting.

~The alpaca of the acting world.
Maelstronomer
Joined: 07 Jun 2008
Total Posts: 7649
01 Oct 2013 01:27 AM
So will Seranok's old loopholes become an actual feature later? Or is basically nothing confirmed.
Oysi
Joined: 06 Jul 2009
Total Posts: 9058
01 Oct 2013 01:32 AM
[ Content Deleted ]
Seranok
Joined: 12 Dec 2009
Total Posts: 11083
01 Oct 2013 01:34 AM
I realized that there were gaping security holes in my website. I accepted the risk because no one knew about my domain nor would be able to figure it out without reading the source of server-side scripts. Shedletsky downloaded my place file, read the scripts, and leaked URLs from those scripts.

I do not care about the fact that my website was trashed. It had absolutely nothing worth protecting. I am upset because my method for performing HTTP requests was patched.
cntkillme
Joined: 07 Apr 2008
Total Posts: 44956
01 Oct 2013 01:35 AM
Don't cry Antoinette
Oysi
Joined: 06 Jul 2009
Total Posts: 9058
01 Oct 2013 01:39 AM
[ Content Deleted ]
cntkillme
Joined: 07 Apr 2008
Total Posts: 44956
01 Oct 2013 01:40 AM
Bloccoism vs Oysism (Potatoism?)
Seranok
Joined: 12 Dec 2009
Total Posts: 11083
01 Oct 2013 01:40 AM
How is this an exploit?
cntkillme
Joined: 07 Apr 2008
Total Posts: 44956
01 Oct 2013 01:41 AM
dat face tho
Maelstronomer
Joined: 07 Jun 2008
Total Posts: 7649
01 Oct 2013 01:47 AM
ex·ploit Noun /ˈekˌsploit/
A bold or daring feat


Seranok is brave
Joking aside I think the word exploit can change. Perhaps people think you did something unfair by using that loophole. Something something monopolizing.
Oysi
Joined: 06 Jul 2009
Total Posts: 9058
01 Oct 2013 01:50 AM
[ Content Deleted ]
Merely
Joined: 07 Dec 2010
Total Posts: 17266
01 Oct 2013 02:26 AM
This thread borders on a personal attack/harassment. It's one thing to state that a person wasn't wise in a decision, but it's another thing altogether to call them out in a hostile and demeaning manner on the forums.
Maelstronomer
Joined: 07 Jun 2008
Total Posts: 7649
01 Oct 2013 02:39 AM
Yeah OP could have made this more informational and less personal.

- Seranok's place isn't here anymore because of this
- Shedletsky did this
- People reacted like this
- This could potentially this
R8N
Joined: 07 Aug 2013
Total Posts: 1164
01 Oct 2013 03:40 PM
roblox.com/Johns-Reaction-To-This-item?id=130759239
ColorfulBody
Joined: 17 Jun 2012
Total Posts: 2353
01 Oct 2013 04:02 PM
> This thread borders on a personal attack/harassment. It's one thing to state that a person wasn't wise in a decision, but it's another thing altogether to call them out in a hostile and demeaning manner on the forums.

That's not at all how it was meant to be interpreted. :o

> Yeah OP could have made this more informational and less personal.

What? I don't see how anything could have been made more informational. Read it again. The only single thing that is not informational in that post is the statement that Seranok should be ashamed.
blocco
Joined: 14 Aug 2008
Total Posts: 29474
01 Oct 2013 05:04 PM
oh christ what is this

i thought we were done with this

seranok never intended for it to go down like this man, he never knew shedletsky would give out his URLs willy-nilly
blocco
Joined: 14 Aug 2008
Total Posts: 29474
01 Oct 2013 05:27 PM
If you want my full unabridged philosophy on this matter, I will say that I believe Shedletsky is the main antagonist. His main offense is not being curious and looking at Seranok's place file, nor is it finding out how Seranok did what he did or even fixing the hole that Seranok found. No, his main offense is sharing Seranok's data with people who are technically unauthorized to see it. No, Mark (ColorfulBody), you cannot say that we are authorized to see all data on ROBLOX. The copylock is a tool used to prevent **unauthorized access** (i.e. access given without permission or authorization), and it is a tool used to imply ownership. Note that the copylock does NOT apply to administrators.

Assuming that places can contain data that is created by the place creator and unauthorized for others to see (copylocked), Shedletsky has access to this data and we all do not; Shedletsky can look at it all he wants. He cannot, however, share this data with us, because we are not authorized to have this data.

Shedletsky should have notified Seranok that he figured out his *modus operandi* and was working on a patch. Shedletsky should not have given Seranok's data to us. Seranok has paid money for the server, and spent time and effort figuring out how to do what he has done. His server (i.e. the data contained within it) has been ravaged (maybe too strong of a word, but I'm using it anyway), and would not have been ravaged were the URL never leaked. You may argue that since his server was not well-protected, [John Doe] had permission/a right to edit the files and/or structure of it. Well no. Permission/A right was not explicitly given, so permission/a right could not have been assumed.

Seranok did NOT leak the exploit in concern that we would use it malevolently and maliciously. Merely claims to have reported the exploit to administrators while he and Seranok were working at ROBLOX. Nothing was done.

1. Shedletsky should not have leaked the URL(s).
2. Seranok kept the exploit to himself for a reasonable reason.
3. Merely reported the exploit; action was not taken to patch it when he reported it.
R8N
Joined: 07 Aug 2013
Total Posts: 1164
01 Oct 2013 05:36 PM
^
tl;dr
blocco
Joined: 14 Aug 2008
Total Posts: 29474
01 Oct 2013 05:37 PM
^

1. thats
2. why
3. i
4. did
5. bullets
Xnite515
Joined: 18 Feb 2011
Total Posts: 22763
01 Oct 2013 05:38 PM
won't this break his whole game now
badcc
Joined: 18 Jan 2009
Total Posts: 3170
01 Oct 2013 05:46 PM
What's awesome is it still works! :D
TheCapacitor
Joined: 19 Jan 2011
Total Posts: 7045
01 Oct 2013 06:07 PM
Haha, he JUST figured this out?
©2017 Roblox Corporation. Roblox, the Roblox logo, Robux, Bloxy, and Powering Imagination are among our registered and unregistered trademarks in the U.S. and other countries.