mew903
|
  |
| Joined: 03 Aug 2008 |
| Total Posts: 22071 |
|
|
| 12 Jul 2012 10:17 PM |
| I don't see why it would be a big deal. |
|
|
|
|
gokoolaid
|
  |
| Joined: 22 Apr 2009 |
| Total Posts: 2361 |
|
|
| 12 Jul 2012 10:19 PM |
Because you can do some pretty undesired things with them. People here are crafty, and that would allow the game to communicate outside of ROBLOX 'owned space'
|
|
|
|
|
mew903
|
  |
| Joined: 03 Aug 2008 |
| Total Posts: 22071 |
|
|
| 12 Jul 2012 10:25 PM |
| Well couldn't they work the method to where they can only communicate with roblox owned servers? |
|
|
|
|
Quenty
|
  |
| Joined: 03 Sep 2009 |
| Total Posts: 9316 |
|
|
| 12 Jul 2012 10:27 PM |
What if you used HttpGet() to download a virus to everyone's machine through a hack and a cloning of a local script into every player's 'PlayerGui'?
Yep.
I'm glad ROBLOX locked that one. |
|
|
|
|
mew903
|
  |
| Joined: 03 Aug 2008 |
| Total Posts: 22071 |
|
|
| 12 Jul 2012 10:29 PM |
@Quenty Can you even access someone's machine from in-game? Also, like I said, roblox could make the functions work to where they can only reach data from roblox's online servers. |
|
|
|
|
gokoolaid
|
  |
| Joined: 22 Apr 2009 |
| Total Posts: 2361 |
|
|
| 12 Jul 2012 10:31 PM |
Hmm... I don't think so... you used to be able to get IPs until they updated that.
But hey, people are crafty, but those methods will stay locked, and honestly, that's how I like them. If you wanna access ROBLOX stuff, there's methods for that. |
|
|
|
|
Quenty
|
  |
| Joined: 03 Sep 2009 |
| Total Posts: 9316 |
|
|
| 12 Jul 2012 10:42 PM |
I just explained how. You insert a local script into their player GUI, using a corescript you got from .dll injections.
Since HttpGet() just loads a page, it'll load a virus...
Furthermore, HttpPost() could be used to send information from the player's input (Even by accident) to your own server, personal information put into the game without them knowing it could be replicated (Hey, 10 year olds are ignorant!).
I like it how it is.
Period.
Also, you can do....
for i=0, math.huge() do HttpGet("http://www.roblox.com") end
Thus crashing ROBLOX! Or they could run a script that removes all your hats.
People might also try....
HttpGet("javascript;")
Or even more stuff.
Let's just say, there are many ways to exploit it.
|
|
|
|
|
|
| 12 Jul 2012 10:48 PM |
With the old HttpGet, you could get anything. Including executables, illegal videos (if you know what I mean...), keyloggers, trojans, etc....
Remember when there was that virus outbreak in the ads here a couple of months ago? They nearly got sued for that.
Now, imagine if there's a guy with a good thousand dollars stored on his CC. He has a kid who plays ROBLOX on his family computer. Got it? Let's say he buys a book on Amazon after his kid finishes playing. Problem? The game his kid played installed an undetectable keylogger, and now somebody on the other side has his login details to Amazon - and as a byproduct, his CC information. Now remember, this is even before he ran a virus scan. Who do you think he would blame when he found out what happened? The kid, no doubt - who probably has no idea what happened, but most importantly - ROBLOX. There would be blogs out there saying ROBLOX is a scam, that their program destroyed their computers, that they shouldn't be trusted.
Not only that, but remember Lua is a functional language. If you have a while loop and an ability to access the Internet, you instantly have an ability to DoS servers. What if you make a really popular place with some malicious code embedded inside? That becomes a DDoS. And whose IP shows up in the logs? Not yours. ROBLOX's. And you can only imagine what hell can come from that. |
|
|
|
|
|
| 12 Jul 2012 10:52 PM |
| ... You could always just get Lua to load a string like machine code (calling it like a pointer) and force a user to save your place to their machine... |
|
|
|
|
|
| 12 Jul 2012 10:53 PM |
| HttpGet and HttpPost can only access *.roblox.com sites. |
|
|
|
|
|
| 12 Jul 2012 11:04 PM |
Even worse - you can still DDoS/DoS the site. Which I guess is the only reason standing now, since nothing said before matters now because only ROBLOX links are allowed.
Correct me if I'm wrong, but would modifying the hosts file to point roblox.com to a personal server therefore allow you to use HttpGet with your own files?
HttpGet is unlocked with higher level scripts, right? |
|
|
|
|
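The "*.roblox.com only" restriction and the hosts-file question from the two posts above, as an added example that is not from the thread or from ROBLOX: a host allowlist check written in Python. The zone name comes from the post; the function names, the https-only rule and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Zone taken from the post ("*.roblox.com"); everything else here is an assumption.
ALLOWED_ZONE = "roblox.com"
# Assumption: https only. A hostname check cannot tell which machine answers for
# the name (a hosts-file entry changes that locally); certificate validation in
# the HTTP client, not shown here, is what ties the name to the real server.
ALLOWED_SCHEMES = {"https"}


def is_allowed_url(url: str) -> bool:
    """True only for https URLs whose host is roblox.com or a subdomain of it."""
    try:
        parts = urlsplit(url)
        host = parts.hostname      # lower-cased, without userinfo or port
        parts.port                 # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False               # also rejects scheme-less input like "javascript;"
    if parts.username is not None or parts.password is not None:
        return False               # no "user@host" forms, which hide the real host
    host = host.rstrip(".")        # "www.roblox.com." is the same name
    # Match whole DNS labels: a bare endswith("roblox.com") would accept "notroblox.com".
    return host == ALLOWED_ZONE or host.endswith("." + ALLOWED_ZONE)


# Constructed sample URLs (not from the thread), for a quick run of the check.
SAMPLES = [
    "https://www.roblox.com/asset?id=1",
    "http://www.roblox.com/",
    "https://notroblox.com/",
    "https://roblox.com.example.net/",
    "https://www.roblox.com@198.51.100.7/",
    "javascript;",
]


def check_samples() -> dict:
    """Map each constructed sample URL to the allowlist decision."""
    return {url: is_allowed_url(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, ok in check_samples().items():
        print("allow" if ok else "deny ", url)
```
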
|
| 12 Jul 2012 11:07 PM |
| Y u wuld sabotage ur own seestem? |
|
|
|
|
|
| 12 Jul 2012 11:14 PM |
I'm not saying that, but, wait...
If you do have an external server with a custom protocol and using my idea, you could theoretically use ROBLOX as an administrative tool to control running processes, reboot/shutdown the system, even run console commands..
Oh, the joy of using things for what they weren't intended for. |
|
|
|
|
|
| 12 Jul 2012 11:16 PM |
> Oh, the joy of using things for what they weren't intended for.
Haha, yeah. x3 |
|
|
|
|
|
| 12 Jul 2012 11:21 PM |
"Hey, what program do you recommend for administrating Linux systems remotely?"
"Ummm, well, it's this game called ROBLOX..."
"A game? WTF? Why did we hire you? GET OUT!"
Hehe. |
|
|
|
|
|
| 12 Jul 2012 11:23 PM |
With Post/Get unlocked we should make a ROBLOX SSH client :3
http://yourIP/exec?code=sudo rm -rf / |
|
|
|
|
belial52
|
  |
| Joined: 10 Oct 2009 |
| Total Posts: 8074 |
|
|
| 12 Jul 2012 11:24 PM |
HttpGet and HttpPost locked.
All you have to do is get a client with command bar with elevated permissions. |
|
|
|
|
|
| 12 Jul 2012 11:27 PM |
@Necro
Uh-uh-uh!
http://yourIP/exec?code=sudo+rm+-rf+%2F
Much more feasible :3
Also, y u no use format |
|
|
|
|
|
| 12 Jul 2012 11:47 PM |
The player is technically logged on ROBLOX, right?
So all requests sent with HttpPost are sent as if the user was logged on, right?
And you can send requests with HttpPost to the ROBLOX website, right?
So you could make actions be performed on behalf of any logged on user (non-guest) who visits your place, right? |
|
|
|
|
lmb32
|
  |
| Joined: 27 Nov 2008 |
| Total Posts: 63 |
|
|
| 12 Jul 2012 11:50 PM |
| That "right?" is more like an affirmation |
|
|
|
|
|
| 12 Jul 2012 11:51 PM |
@Julien
ROBLOX isn't a browser. It doesn't implement cookies. That being said, the headers would have to be modified so you can put in a cookie with a valid session ID, otherwise all POST requests involving player actions would simply cause a redirect to the login page.
So, no. |
|
|
|
|
belial52
|
  |
| Joined: 10 Oct 2009 |
| Total Posts: 8074 |
|
|
| 13 Jul 2012 12:00 AM |
@Techboy,
game:GetService("CookieService")
Ok? |
|
|
|
|
|
| 13 Jul 2012 12:09 AM |
@bel
I feel like an idiot for actually trying this. Lol. |
|
|
|
|
belial52
|
  |
| Joined: 10 Oct 2009 |
| Total Posts: 8074 |
|
|
| 13 Jul 2012 12:38 AM |
| @Tech, Too bad it actually is a service for setting a cookie. I believe that it is used mostly for tracking the games you've been to. |
|
|
|
|
|
| 13 Jul 2012 12:50 AM |
| Okay, on a serious note, are you just trolling or is this real? |
|
|
|
|