07 Jan 2015 07:09 PM
I am frustrated -.- I am literally banging my head into a wall. Could you guys just take the 35 minutes to write up an ASHX web extension that can verify tokens that are provided by game server requests (tokens, of course, would need to be created)? But come on, seriously, nothing can be secure using HTTP requests.
I hate to say it, but anyone can spoof the place HTTP requests. I honestly am trying to get this solved so that I can have my items secured before I start getting them out there more. If anyone knows this info: type of database, ASHX database connector used, SSL library used (to generate SHA256 hashes as validation tokens).
If anyone knows that, I could literally write up the ASHX portion of it in 15 minutes .-.
07 Jan 2015 07:16 PM
If I don't get a resolution for this vulnerability, then I will be forced to act in protest :( by demonstrating in a video how easy it is to fake the requests.
07 Jan 2015 07:23 PM
Why not actually speak English so 90% of us can understand?
RBXChris (Joined: 05 Jan 2015, Total Posts: 341)
07 Jan 2015 07:27 PM
So how would users benefit from using HTTPS for server requests?
07 Jan 2015 07:28 PM
Or, you know, you could buy an SSL certificate and be done.
@nteorvolri But then how could he flaunt his superior intellect?
07 Jan 2015 07:29 PM
@rbxchris
They wouldn't, really, unless they were using public Wi-Fi.
07 Jan 2015 07:31 PM
"But then how could he flaunt his superior intellect?" You mean Google.
RBXChris (Joined: 05 Jan 2015, Total Posts: 341)
07 Jan 2015 07:34 PM
"They wouldn't, really, unless they were using public Wi-Fi."
--
Is there anything valuable that is sent through the request, though?
I mean, unless you're sending/receiving something that is worth hacking (such as passes or payment information), what are the chances of someone in public wanting to hack on ROBLOX?
07 Jan 2015 07:40 PM
@rbxchris The only valuable information would be payment/user credentials (and user credentials are only necessary when logging in; otherwise, it uses an API token).
@op If you're so worried, get a VPN with your superior programming skills; it should be no problem ;)
GMANSTA (Joined: 26 Mar 2011, Total Posts: 539)
07 Jan 2015 07:40 PM
@RBXChris
It's not really just that that's the problem. When connecting to a website, even one in the same country as you, your connection may not be directly to the website; usually it bounces through a few routers first. However, I highly doubt that it's possible to intercept traffic between these routers (I know some network security, but I'm not sure about that being possible).
And as for running SSL in the first place, the majority of transactions probably won't be happening in public places, unlike PayPal and other companies. Also, the cost would be seen as unreasonable, and who knows what the effect on performance may be.
[FOR THOSE WHO HAVE NO IDEA WHAT THIS IS ABOUT]
Basically, SSL is a way of encrypting the data you send so that only the Roblox server will understand it, and not some nefarious criminal trying to sniff your data in the middle of the connection.
07 Jan 2015 07:41 PM
Wow, everyone completely misunderstood this. Okay, so your in-game HTTP requests are insecure! I need a way to verify who the requests are coming from, you see? So therefore I am requesting that Roblox make a "webpage" that can verify tokens that are appended to the in-game HTTP requests.
07 Jan 2015 07:46 PM
If a cross-place store were made, or any store for that matter, where the info was stored on a web server, I could easily spoof being a Roblox server and write over all of their information. This is something I do not want. The RSA port I am working on for Lua right now won't even be of any use because of how vulnerable Roblox has left the game environment (though I considered using their "secure" DataStore for storing the private keys).
GMANSTA (Joined: 26 Mar 2011, Total Posts: 539)
07 Jan 2015 07:47 PM
Exploiting via the in-game connection...
Hmmm... we got us a real hacker here lol
07 Jan 2015 07:48 PM
No, it is more like using something like Fiddler to send a regular HTTP request with a small header appended with placeid:#PlaceID.
And boom, whatever service that webpage was running for Roblox now thinks I am that place server making a request.
07 Jan 2015 07:50 PM
See, I'm literally bashing my head into the wall here. I have something that is vulnerable because of this. Just get out of here if you are going to troll.
RBXChris (Joined: 05 Jan 2015, Total Posts: 341)
07 Jan 2015 07:50 PM
"The only valuable information would be payment/user credentials (and user credentials are only necessary when logging in; otherwise, it uses an API token)"
--
I figured that would only be sent when buying something like BC or Robux, which is, in fact, using HTTPS.
--
"However, I highly doubt that it's possible to intercept traffic between these routers"
--
My only question, which I suppose was answered above, was why would someone want to intercept traffic on ROBLOX anyway?
07 Jan 2015 07:50 PM
@justin7674 Uh, I don't think they would want you to do that in the first place. Also, it probably wouldn't work because you're trying to make cross-origin requests between servers. You can "spoof" a Roblox server all you want, but you won't be able to change anything.
GMANSTA (Joined: 26 Mar 2011, Total Posts: 539)
07 Jan 2015 07:50 PM
You should never have posted this
RIP Roblox
08/01/2015
07 Jan 2015 07:52 PM
You are all ignorant! Roblox has created a new service for use in-game called the HTTP service. They suggested it could be used for things such as building stores or even cross-server leaderboards. However, none of this is secure because anyone can fake being the server!
07 Jan 2015 07:56 PM
Why not add HTTPSService?
TAKE DOWN STARBUCKS GROUP OR RIOT!
07 Jan 2015 07:56 PM
http://wiki.roblox.com/index.php?title=API:Class/HttpService
07 Jan 2015 08:00 PM
@justin7674 I just read up on it (http://blog.roblox.com/2013/12/roblox-enables-http-requests-from-game-servers/). This seems like it will behave just like any other API: it doesn't matter whether the request originates from Roblox, your computer, or any other server. Any site that secures its API well will have no trouble. Most require documentation sent from the request origin; see authorization platforms like OAuth (https://en.wikipedia.org/wiki/OAuth). Go ahead and "spoof" a server; unless you have the proper credentials for a request, it won't work. I don't see many real problems that could be created by the implementation of this feature.
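The two positions in this thread are closer than the shouting suggests: the original poster wants an endpoint that "can verify tokens that are appended to the in-game HTTP requests" (built from SHA256 hashes), and the reply above points out that a well-secured API simply refuses requests that do not carry the proper credentials. The following is an added example, written here for this thread and not code from Roblox or from any poster, of what that verification looks like on the web side. It is in Python rather than the ASHX/C# handler the original poster asked for, but the logic ports directly. It assumes (these are assumptions, not anything from the thread) that the game's server-side script and the web handler share a secret key that never reaches a client, and that the game sends four headers named X-Place-Id, X-Timestamp, X-Nonce and X-Signature. The signature is an HMAC-SHA256 over the place id, timestamp, nonce and request body, so a request that only carries a placeid header (the Fiddler scenario described earlier) fails the signature check, a captured signature cannot be reused with a different body, and the timestamp window plus nonce cache stop a captured request from being replayed.

```python
"""Added example (not from the thread): HMAC-signed requests so a web endpoint can
verify that a call really came from a game server holding the shared secret.

Assumed conventions: shared secret configured out of band on both sides; headers
X-Place-Id, X-Timestamp, X-Nonce, X-Signature; the handler keeps recently seen nonces.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed placeholder; a real deployment loads this from server-side config only.
SHARED_SECRET = b"example-shared-secret-do-not-use"
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is further than this from now
SIGNATURE_HEADER = "X-Signature"
REQUIRED_HEADERS = ("X-Place-Id", "X-Timestamp", "X-Nonce", SIGNATURE_HEADER)


def canonical_message(place_id: str, timestamp: str, nonce: str, body: bytes) -> bytes:
    """Bind every field the handler trusts into one byte string.

    Signing place id, timestamp and nonce together with the body means a captured
    signature stops matching as soon as any of them is changed.
    """
    return f"{place_id}\n{timestamp}\n{nonce}\n".encode("utf-8") + body


def sign_request(secret: bytes, place_id: str, body: bytes,
                 now: Optional[float] = None) -> dict:
    """Game-server side: build the headers that accompany an outgoing request."""
    timestamp = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(16)  # fresh random value per request
    mac = hmac.new(secret, canonical_message(place_id, timestamp, nonce, body), hashlib.sha256)
    return {"X-Place-Id": place_id, "X-Timestamp": timestamp,
            "X-Nonce": nonce, SIGNATURE_HEADER: mac.hexdigest()}


def verify_request(secret: bytes, headers: dict, body: bytes, seen_nonces: set,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Web-handler side: returns (accepted, reason). Runs before touching any data."""
    for name in REQUIRED_HEADERS:
        if name not in headers:
            return False, f"missing header {name}"
    try:
        ts = int(headers["X-Timestamp"])
    except ValueError:
        return False, "malformed timestamp"
    current = now if now is not None else time.time()
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    nonce = headers["X-Nonce"]
    if nonce in seen_nonces:
        return False, "replayed nonce"
    expected = hmac.new(secret, canonical_message(headers["X-Place-Id"], headers["X-Timestamp"],
                                                  nonce, body), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so timing does not leak how much matched.
    if not hmac.compare_digest(expected, headers[SIGNATURE_HEADER]):
        return False, "bad signature"
    seen_nonces.add(nonce)  # remember the nonce only once the request is accepted
    return True, "ok"


def demo() -> dict:
    """Run the handler over constructed requests; returns the reason each one got."""
    seen = set()
    now = 1_420_700_000  # constructed fixed clock so the results are deterministic
    body = json.dumps({"player": "alice", "coins": 50}).encode()
    good = sign_request(SHARED_SECRET, "12345", body, now=now)

    results = {}
    results["legit"] = verify_request(SHARED_SECRET, good, body, seen, now=now)[1]
    # The same headers sent a second time: the nonce was recorded on first acceptance.
    results["replay"] = verify_request(SHARED_SECRET, good, body, seen, now=now)[1]
    # A request carrying only a place id header and no signature at all.
    results["unsigned"] = verify_request(SHARED_SECRET, {"X-Place-Id": "12345"}, body, set(), now=now)[1]
    # A captured signature reused with a modified body.
    tampered = json.dumps({"player": "alice", "coins": 999999}).encode()
    results["tampered_body"] = verify_request(SHARED_SECRET, good, tampered, set(), now=now)[1]
    # A captured request sent again a day later.
    results["stale"] = verify_request(SHARED_SECRET, good, body, set(), now=now + 86400)[1]
    # A request signed with a guessed secret instead of the real one.
    forged = sign_request(b"wrong-secret", "12345", body, now=now)
    results["wrong_secret"] = verify_request(SHARED_SECRET, forged, body, set(), now=now)[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:14} -> {reason}")
```

Two design points matter in practice. First, the secret has to live only in the server-side game script and in the web handler's configuration; a key that is readable by the game client, or stored anywhere a player can retrieve it, reduces the scheme to the unauthenticated state the thread complains about. Second, the signature check runs before any database write, and the nonce is recorded only after a request is accepted, so a rejected request can never poison the replay cache for a legitimate one.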
07 Jan 2015 08:00 PM
I am just waiting for the responses from the peeps who still think I am talking about the Roblox servers being vulnerable. No, the services using the HTTP Service that will expand upon the games are insecure because Roblox has no source verification for their HTTP requests.
07 Jan 2015 08:01 PM
OMG BOB, LOOK. MY WEBSITE IS VULNERABLE, THAT IS WHAT I AM SAYING. NOT ROBLOX. BECAUSE ROBLOX HAS NO METHODS OF VERIFYING WHO IS TALKING TO MY SERVERS!!!!!!!!! JUST LEAVE BECAUSE YOU ARE LITERALLY USELESS!