Roblox PromptPurchase Vulnerabilities

LolloGamer_5123 YT
3 min read · Apr 9, 2021

This is the tale of how scammers managed to mess with Roblox CoreGUI and disable scam detection (all explained here).

Let’s get to it. Scam games that charge insane amounts of Robux have sprung up. Some of them change the transparency of the CoreGUI; others exploit another vulnerability, which I reported to Roblox staff.

These Roblox scam games modify the PromptPurchase modules inside the CoreGUI folder, and nothing stops them, because CoreGUI is accessible in Studio while CoreScripts are not. The problem is that the scripts managing the PurchasePrompt live in CoreGUI, so even though purchases themselves can’t be manipulated, the function that starts one from the confirm button can be.

The games usually modify the transparency of the modules that generate the different classes, or mess with the confirm button’s code.

Please note that I’m not guiding you on how to scam.

The problem with this is that scammers can easily call the onClick() function from elsewhere to simulate a click, and can even destroy the clickScamDetector class.

Let’s talk about how the clickScamDetector works.

(Screenshot of the clickScamDetector code, not reproduced here. Caption: “This code has not been modified whatsoever.”)

The clickScamDetector has a few variables and essentially limits the total number of clicks within a total number of seconds, returning true or false to determine whether the purchase should continue.

This can be avoided easily by calling onClick() beforehand and unmounting the scam detector at the start. This is a big vulnerability in Roblox’s framework. It can’t affect your own game, since scripts cannot modify CoreGUI by themselves (as of now); it is theorized that plugins could, but most of these scams live in purpose-built scam games.
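As an added illustration (not Roblox’s code; the real clickScamDetector only appears above as a screenshot), here is a small Lua click-rate detector with the behaviour the post describes: it counts clicks inside a rolling window and returns true or false to say whether the purchase may continue. The class name, the method name and the injectable clock are my own assumptions.

```lua
-- Added example, not Roblox's own code: a click-rate check that behaves the way
-- the clickScamDetector is described above. It allows at most maxClicks clicks
-- inside any rolling window of windowSeconds and returns true when the purchase
-- may continue, false when the clicks arrive too fast to be a human.
local ClickRateDetector = {}
ClickRateDetector.__index = ClickRateDetector

-- The clock is injectable so the logic can be exercised deterministically;
-- in a Roblox script you would pass os.clock or tick.
function ClickRateDetector.new(maxClicks, windowSeconds, clock)
    return setmetatable({
        maxClicks = maxClicks,
        windowSeconds = windowSeconds,
        clock = clock or os.clock,
        clicks = {}, -- timestamps of clicks still inside the window
    }, ClickRateDetector)
end

-- Record one confirm click and decide whether the purchase flow may proceed.
function ClickRateDetector:registerClick()
    local now = self.clock()
    local recent = {}
    -- Keep only the timestamps that still fall inside the window
    for _, t in ipairs(self.clicks) do
        if now - t < self.windowSeconds then
            table.insert(recent, t)
        end
    end
    table.insert(recent, now)
    self.clicks = recent
    return #recent <= self.maxClicks
end

-- Deterministic demonstration with a fake clock (constructed input): four
-- clicks a quarter second apart, then one more long after the window closed.
local fakeNow = 0
local detector = ClickRateDetector.new(3, 5, function() return fakeNow end)
for i = 1, 4 do
    fakeNow = i * 0.25
    print(("click %d allowed: %s"):format(i, tostring(detector:registerClick())))
end
fakeNow = 10
print("click after the window: " .. tostring(detector:registerClick()))
```

As the post points out, a check like this only protects the player if it lives in code the place cannot edit; a detector sitting in CoreGUI that Studio can modify is a speed bump, not a gate.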

The problem

The bigger problem is that new ways to exploit this keep appearing. Do not join suspicious games, and if you lose a hefty amount of Robux, contact Roblox immediately.

Other types of Scams

Similar types of scams exist. Some purchase automatically, while others, like these examples, rely on the player clicking a specific spot and simply hide the PurchasePrompt using ZIndex and/or mess with the render engine.

They are easy to spot: always make sure the game you are in is credible, that its creator has a reputation, and that it is not botted. If you already joined, leave immediately if you feel something’s wrong.

Moderation

Unfortunately, as usual, Roblox won’t take action if you aren’t an important member of the community. These scammers, who scammed hefty amounts, got what they deserved.

The scammers have a whole community and investors! Luckily their teasing paid off. They “trolled” members of the community and even teased them for falling for it.

Luckily, this problem is known, and is getting researched and patched.
