Is Roblox sporting large holes in its security? It would appear that way. CyberNews says it's not a total disaster security-wise, but its risks could turn into vulnerabilities if not soon taken care of.
CyberNews Says Roblox Should "Up Its Security Game"
CyberNews has reported the findings of its investigation into the security of the Roblox app for Android.
The research publication says that it has found a number of potential security issues under the hood, which may leave Roblox' 199 million players (many of which, are children) at risk for data theft.
To analyze the code of the Roblox app, CyberNews used the Mobile Security Framework (MobSF) and here are some of the "biggest takeaways" from its report.
Below Average Security Scores
After MobSF performs static analysis of an app, it gives two scores representing its assessment of app security: the Average CVSS (Common Vulnerability Scoring System) score, and the MobSF Security Score.
CyberNews explains them as follows:
The Average CVSS score is the average score of all vulnerabilities found within the app, with each vulnerability having its own CVSS score depending on how severe it is. The lower the Average CVSS score, the better. The MobSF Security Score is the framework’s own scoring system that determines which of the scanned elements of the app were deemed vulnerable by the MobSF scanner.
Roblox received an Average CVSS score of 6.4 and a MobSF Security Score of 10/100.
Insecure Data Storage
It isn't smart to store sensitive user info like emails and passwords in plain text, which is why developers should use a secure hashing algorithm to protect them. Unfortunately, it looks like Roblox is using "weak algorithms" MD5 and SHA1 to hash some of its data.
What's more, that weakly hashed data is stored locally in a SQLite database that executes raw SQL queries—leaving it vulnerable to SQL Injection (SQLi) attacks.
A Hard-Coded API Key
The Roblox app uses an API key to access parts of the Roblox network. That API key should only be accessible to the developers, but it was found in plain text in the app's code.
With that API key, a bad actor could steal player data (e.g. app credentials, personal info, etc.), tamper with how the Roblox app deals with its data, or alter API requests made by the app.
"Even though this is not difficult to fix, the raw potential of being susceptible to such an ancient vulnerability is rather alarming from a security perspective," writes CyberNews.
Roblox's Response to the Report
Upon learning about all the potential security issues it found within the Android app, CyberNews says that it reached out to the Roblox team, but they apparently did not respond to calls or emails "for months."
TechRadar, however, got a response from a Roblox spokesperson after CyberNews published its report:
We take all reports seriously, and immediately investigated when first approached by the researcher in March. Our investigation determined there is no correlation between these claims and real risk to users’ data privacy. One claim was inaccurate and the other three pertained to inactive code not used on the Roblox platform. Regardless, we deleted the inactive code as part of our commitment to the security and the safety of our users.
CyberNews has admitted that some of the issues mentioned have been patched in latest versions of Roblox, but its researchers still believe that “the threat to player security is very real."
You can read the full report for yourself on the CyberNews website.