Cookie Logging Explained - Community Resources - DevForum

Cookie logging

I’m sure you’ve heard of it. But how are the most common cases done? how would you prevent getting cookie logged? Well to get knowledge on that you’re in the right place!

Backstory

I’ve noticed a rather increase in traders and developers getting cookie logged within a finger snap. I’m here to make people aware on what to do in possible logging cases, how to notice if someone is attempting to log you, how to handle the situation as safely as possible and above all, prevent yourself from getting logged in the first place.

Do’s & Don’t s

I’ll be starting off with the most important things of all, some things you do not want to try and just avoid so you won’t get logged. This also isn’t meant as a scare to any files but it occasionally happens.

So first off, beware of who you commission/commissions you. You DO NOT want to end up sending them a file that states copy as HAR when you right click it. These files contains a bunch of info regarding your activity of your web browser. Yes this does include cookies.

Do not touch it, copy anything in the network section, or to make it clear; If you got no clue what the console does (F12) don’t even enter the console or any of the related sections to adjust or take stuff from it.

Secondly, Don’t download sketchy stuff from the internet(this includes from social platforms such as Discord, Facebook, etc). The risk of having a cookie logger in a file you download is always there, there’s no escaping that. Just be safe and only download from sources you find trustful.

and finally, Don’t ever touch your ROBLOXSECURITY or RBXID code without proper knowledge on them. Yes these codes are included in the HAR file, no it’s again not something to just give to people. simply Don’t EVER share it.

Summary

If you got no clue what any of the things in the screenshot below are used for or how it works, close it immediately. The web console/inspector or any of the tabs included in the screenshot (or alike) are not something to mess with without proper knowledge on them.

chrome inspector topbar1202×31 9.79 KB

So we’ve discussed what you should avoid doing when we’re talking about possible cases of getting logged, but what should you do even in cases to prevent being logged/were logged? there are a couple possible options for this, eventually most of them lead back to one single outcome.

Simple, firstly, whenever someone even mentions or asks you to copy files as a HAR and send it them, report them to the appropriate platform the user sent the message from and action should be taken. People asking you for these files are 10/10 trying to scam or even take over your account.

If the user contacts you on a different platform there isn’t much roblox can do as there’s no proper way on knowing if the user sending you the request on e.g. twitter or discord is the same user as they claim to be on Roblox. Of course you could always try and report it to Roblox, It wouldn’t do any harm to do so and it’s even recommended if you ask me.

secondly, If you’ve recently been logged but haven’t sent anyone a file from the console menu or even downloaded anything from anyone you might want to check your add-ons of your browser. There are a lot of fake Roblox+ plugins, these should be avoided from installing. Beware with what you plug into your browser, as neat as the add-on might look.

I’ll be linking the real Roblox+ and BTRoblox links for both Chrome and Firefox below for the ones that want to be safe and sure about downloading anything.

to top it all off, Clear your cookies once in a while, I know it might seem like a hassle to have to log back into your account again when you do so but it’ll be worth it in the end. alongside of it being safer to do at least once every month or 2, it’ll also help with keeping your browser clean from unwanted cookies.

Summary

clear your cookies once in a while, It’s really worth it in the end to keep your browser clean, check plugins on authentication and just watch out with who you have contact with and what you download. In the end report someone that you suspect to be a logger to the proper platform’s support.

Browser recommendations

Personally I’m not a fan of Chrome due to it’s high CPU usage and the amount of memory it eats and certainly not of Opera due to it’s past activity. Firefox is more of my favorite for various of reasons. I’m currently using Firefox Developers Edition as I’m engaged a lot in web/app development. On top of that has Firefox itself a rather handy tool for tracking activity and making sure you’re browsing the internet safely (read more about it here)

image697×979 37 KB Privacy is of importance for me, and Firefox really helps me with that. As shown in the picture two of my accounts have been breached in total, on top of that does Firefox instantly send me an automatic generated email whenever any account associated with the email i linked it with has been publicly breached. image657×897 50 KB As you can see, these 2 breaches were fairly old (and of really unimportant accounts for me, long live spam email accounts). But in the end the choice is yours and you should use whatever browser you’re comfortable with. Useful Community Tips/Additions What is a "HAR" file? m0mmapoIar:

HAR is short for HTTP Archive file. When you send any request to any endpoint (assuming you’re logged in) on any platform, there’s normally some kind of authorization token in the header that lets you perform actions. For Roblox, it’s the .ROBLOSECURITY cookie. For each request you send, you can get an HAR file that shows what happened during the request and which headers were sent. If your HAR file ends in the wrong hands they see that .ROBLOSECURITY token. With that, they can swap out cookies on their browser or they can use an API wrapper to automate actions like buying a shirt and taking all your Robux. Keep in mind, this applies anywhere . Discord in particular has tokens, equivalent of the .ROBLOSECURITY , and you can wreak havoc the same way. It should be a rule of thumb to just not send anyone any files that you don’t understand (even if you change the ending of the file name).

How to reset your RBXID, ROBLOXSECURITY and RBXSESSION ConnectedGamer5:

LOG OUT AND LOG BACK IN, THIS WILL RESET YOUR ROBLOSECURITY, RBXID, and RBXSESSION.

It also helps to sign out of all sessions too. Once the ROBLOSECURITY and RBXID is bad, they can’t get back into their account, unless they can reset your password with email verification or phone verification.

What to do when your valuable items/robux have been stolen ConnectedGamer5:

0. Save 1 or 2 purchase receipts, or emails confirming that you made a purchase on Roblox. (right now while you can)
1. Sign out of all sessions if you believe someone has your cookies.
2. If you lost limiteds or Robux worth 15,000 robux or more, email roblox and request a rollback. Include your username, and one or two purchase receipts to verify that its you. (If they don’t work, there are other options like:

• First or the creation email address associated with the account.
• Original billing email address associated with the account.
• Earliest/oldest purchase receipt of items purchased from the account.
• Game card 10 digit PIN purchased from the account.

3. Notify your friends on Roblox that your account has been compromised and disregard any actions that took place in ~24 hours.

Don't run anything you're not familiar with awesomeotheraccount:

If someone tells you to put a suspicious link on a specific ROBLOX page, for example Javascript:URL Don’t do it, as it literally pastes code into your console for cookie loggers to obtain your ROBLOXSECURITY cookies and cookie log you.

Hexcede:

Pasting anything with javascript: at the beginning will run javascript code just like if you put it into the console.

Check the link before opening it in your browser VoidedBlades:

Read what links get sent in your dms (it be twitter, discord, whatever) before opening them, It’s apparently really easy to overlook the url’s off appearance due to the embed and the url containing roblox.com in it.

Trusted Roblox Extensions

Add-on	link	Creator	Browser	Latest source code check date
BTRoblox	FireFox / Chrome	@AntiBoomz0r	Firefox/Chrome	July 9th 2020 / July 9th 2020
Roblox+	Chrome	@WebGL3D	Chrome	N/A
RoGold	Chrome	@alexop1000	Chrome	August 28th 2021

Updates

November 27th 2022, extensions breaches

As some of you might know, there are people going around and attempting to bribe extension owners into adding code that would hijack account(@alexop1000 on twitter about being approached and declining). Oftentimes the amount that they’d bribe someone with would go up to tens of thousands of dollars.

Q: can you still stay safe despite potential bribery on extensions? A: My honest and sincere answer? No. Not with extensions installed as it all might pose a risk. However you can ensure that if you have an extension installed that it won’t update if you really, really do wish to have said extension present (and are certain it doesn’t contain malicious code). You simply go to your extension settings and select the specific extension to disable automatic updates. This is what I’ve done for BTRoblox at least It’s current version is stable so unless something breaks severely I won’t be updating the extension anymore.

Q: Where did roblox statistics go? A: The extension has been removed from the list. This has to do with the extension not functioning as intended anymore due to Roblox removing the API it made use of a good while ago. There are a number of other reasons that are in relation to the trust of the extension creator which i will not go into detail about as they’re just rumors I’ve heard over the past couple years but am not willing to take a risk and mark the extension as trusted.

Q: what about the remainder of extensions you’ve marked as trusted? A: While it is very much possible that any of these creators could get either compromised or bribed (so stay wary about that), I’m confident that most of them will take proper precaution and work in their best interest of the users to keep their account safe and not engage into illegal activity as mentioned earlier.

Closer

I hope this brought you some knowledge around keeping your accounts safe and what you should and shouldn’t do. By all means do leave recommendations/tips in the comments and I’ll be updating the FAQ/Useful info section when questions/tips have enough support and need for answers or gives additional information that I haven’t clarified in the topic. Stay safe!