vinegarhq co-founder and pro time-waster

Who's watching me play? A rudimentary look into Roblox Player's data collection

Roblox is a fascinating software ecosystem with occasionally questionable security and privacy practices. The company has gone to great lengths to prevent reverse-engineering and exploitation through the inclusion of VMProtect obfuscation, as well as in-house and third-party anticheat systems (which lead to great pains for Linux gamers for several years). Additionally, much of its networking protocol, though based on the publicly available RakNet, is undocumented. However, I have managed to devise a method to decrypt the HTTPS traffic produced by the executable itself giving an initial look into the user data collected. Do note, however, that this article is not at all-encompassing. During the development of the Grapejuice Flatpak, I discovered the usage of ptrace() by Roblox Player, potentially indicating other nasty forms of data collection. But I digress...

Breaking it down: Decrypting the HTTPS data

My current method has only been tested on a Linux system with WINE, though it is theoretically possible to replicate on Windows. The only required software are Wireshark and WINE. The technique is as follows:

  1. Begin a Wireshark capture session and filter by HTTP (use filter "http || http2 || http3")
  2. Pass SSLKEYLOGFILE="/path/to/file" environment variable in WINE
    • This can be done through the [env] field in Vinegar!
  3. Load the keyfile into Wireshark
    • See this source for more information
    • You will want to use "(Pre)-Master-Secret" field
  4. Observe the decrypted payload
    • Of particular interest are the HTTP/JSON messages...

Under the Microscope: Reading the decrypted telemetry

Roblox's network traffic is rife with telemetry. In roughly 5 minutes of gameplay, I recorded just over 450 HTTP messages. Let's have a look at some particularly notable packets. CAUTION: Before sharing your own session data, make sure you did not include your ROBLOSECURITY cookie! This cookie can be used by others to log into your account, if shared!

Sum up

Again, this report is not entirely comprehensive. Countless packets were omitted for the sake of brevity. However, the constant monitoring of the user's system's timing and performance is excessive and may lead to performance degradations or network charges. I will definitely point out that one should definitely employ the RCO patchset (included with Vinegar) if there is a desire to reduce telemetry. In my own tests, it lead to hundreds less telemetry packets being sent. Of greatest importance, at least in my opinion, is the unobscured transfer of game data through HTTP instead of RakNet, which could be used to acquire assets for nefarious purposes.

First published Apr 3

Valid CSS!