Valued at $38 billion and boasting over 199 million monthly users, Roblox is the world’s most popular online gaming platform, with a core demographic of children aged between 9 and 15.
Despite the platform’s commercial success and 17 years of development, an analysis of its Android mobile app found that poor data security practices leave users’ personal information potentially vulnerable to damaging attacks by cybercriminals.
Roblox player profiles include names, email addresses and other identifiable records. The vast volume of in-game microtransactions, coupled with the huge number of very young players, makes Roblox a key target for cybercriminals. The issues identified mean that any user of the Android app could potentially fall victim to data theft and scams.
CyberNews researchers analysed the Android version of the Roblox app, the most popular among users, with over 100 million installs to date. They found four areas where user data was exposed: misconfigurations in the app’s Android manifest file, use of inadequate hashing algorithms, susceptibility to the Janus vulnerability (CVE-2017-13156, which on unpatched Android 5.0 to 8.0 devices lets an attacker alter the code of an APK signed only with the v1 JAR scheme without invalidating its signature) and hardcoded API keys. Together these produced an alarmingly low Mobile Security Framework (MobSF) security score of 10/100. MobSF is a static analysis scanner, so its score counts potential weaknesses found in the package rather than confirmed exploitable flaws.
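For a practitioner who wants to reproduce three of the four finding classes on a package of their own, the following is an added example written for this page; it is not CyberNews’ tooling, MobSF code or anything from Roblox. It treats the APK as the zip file it is: v1 (JAR) signing shows up as META-INF/*.RSA/DSA/EC entries, v2/v3 signing as an APK Signing Block sitting immediately before the zip central directory (the magic string and the v2/v3 block IDs are the ones documented in AOSP), weak-hash use as literal digest names in the dex string table, and hardcoded API keys as well-known public key formats. The APK fixtures, the dex contents and the “key” are constructed in the block itself and are not functional; manifest checking is left to the SDK tools mentioned below because the manifest in a built APK is binary XML.

```python
"""Static triage of an APK for v1-only signing (the Janus precondition), weak-hash
markers and hardcoded API keys. All fixtures below are constructed for the example."""
import io
import re
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"          # trailing magic of the APK Signing Block (AOSP)
V2_BLOCK_ID, V3_BLOCK_ID = 0x7109871A, 0xF05368C0   # signature scheme v2 / v3 pair IDs (AOSP)
EOCD_SIG = b"PK\x05\x06"

# Public key formats only; a demonstration, not a complete secret-scanning ruleset.
SECRET_PATTERNS = {
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
}
# Algorithm names as they sit in a dex string table, e.g. MessageDigest.getInstance("MD5").
WEAK_HASH_MARKERS = (b"MD5", b"SHA-1", b"SHA1")

# Constructed, non-functional value that merely matches the Google API key format.
FAKE_KEY = b"AIzaSyConstructedFakeKey0123456789abcde"


def _cd_offset(data):
    """(position of EOCD record, central-directory offset it declares)."""
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 65557))  # EOCD may be followed by a comment
    if eocd < 0:
        raise ValueError("not a zip/APK: EOCD record not found")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]


def signing_schemes(data):
    """Return (has_v1, has_v2_or_v3) without verifying any signature."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        has_v1 = any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                     for n in zf.namelist())
    _, cd = _cd_offset(data)
    has_v2_plus = False
    if cd >= 32 and data[cd - 16:cd] == APK_SIG_BLOCK_MAGIC:
        # Layout: u64 size | id-value pairs | u64 size | 16-byte magic; size excludes the first u64
        size = struct.unpack_from("<Q", data, cd - 24)[0]
        pairs = data[cd - size:cd - 24]
        pos = 0
        while pos + 12 <= len(pairs):
            pair_len, block_id = struct.unpack_from("<QI", pairs, pos)
            has_v2_plus |= block_id in (V2_BLOCK_ID, V3_BLOCK_ID)
            pos += 8 + pair_len
    return has_v1, has_v2_plus


def weak_hash_markers(data):
    """Coarse heuristic: weak digest names present in any .dex entry (needs manual review)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".dex"):
                blob = zf.read(name)
                found.update(m.decode() for m in WEAK_HASH_MARKERS if m in blob)
    return sorted(found)


def hardcoded_secrets(data):
    """(entry, pattern name, match) across every entry: dex, assets and resources alike."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            for label, rx in SECRET_PATTERNS.items():
                hits.extend((name, label, m.group().decode()) for m in rx.finditer(blob))
    return hits


def triage(data):
    has_v1, has_v2_plus = signing_schemes(data)
    return {
        # Janus (CVE-2017-13156) needs a v1-only APK on an unpatched Android 5.0-8.0 device.
        "janus_susceptible": has_v1 and not has_v2_plus,
        "weak_hash_markers": weak_hash_markers(data),
        "hardcoded_secrets": hardcoded_secrets(data),
    }


# --- constructed fixtures: enough zip structure for the checks above, no real signing ---
def _minimal_signing_block():
    pairs = struct.pack("<QI", 4, V2_BLOCK_ID)           # one empty v2 pair: len covers the 4-byte id
    size = len(pairs) + 8 + len(APK_SIG_BLOCK_MAGIC)
    return struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def _insert_signing_block(apk, block):
    """Splice a block before the central directory and patch the EOCD's offset field."""
    eocd, cd = _cd_offset(apk)
    out = apk[:cd] + block + apk[cd:]
    eocd += len(block)
    return out[:eocd + 16] + struct.pack("<I", cd + len(block)) + out[eocd + 20:]


def build_fixture(with_sig_block, secret=None):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")        # binary-XML stub
        zf.writestr("classes.dex", b"dex\n035\x00MD5\x00SHA-256\x00")   # fake string table
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82" + b"\x00" * 8)     # v1 signature stub
        if secret:
            zf.writestr("assets/config.json", b'{"maps_key": "' + secret + b'"}')
    apk = buf.getvalue()
    return _insert_signing_block(apk, _minimal_signing_block()) if with_sig_block else apk


if __name__ == "__main__":
    for label, apk in (("v1-only", build_fixture(False, FAKE_KEY)), ("v1+v2", build_fixture(True))):
        print(label, triage(apk))
```

To run it against a real package, pass the file’s bytes to `triage()` and cross-check the signing result with `apksigner verify --verbose app.apk` from the Android SDK, which prints per-scheme verification results; the manifest findings MobSF reports (debuggable builds, backup allowed, exported components) are visible with `apkanalyzer manifest print app.apk`. A hit on a weak-hash marker or a key-shaped string is a lead to confirm in the decompiled code, not a finding by itself, which is also the caveat to keep in mind when reading an aggregate scanner score.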
Roblox has grown rapidly in popularity since the start of the pandemic, gaining 50 million new monthly users as children spend more time online than ever. In January, the U.S. Securities and Exchange Commission (SEC) raised concerns about the way Roblox recognises revenue from the sale of its in-game currency, Robux, delaying the company’s stock market listing, previously scheduled for February. The company made its debut on the New York Stock Exchange via a direct listing on 10th March.
Says Mantas Sasnauskas, Senior Researcher at CyberNews:
“We’re calling on Roblox to address the platform’s security risks as a top priority – these security and privacy practices should be much more rigorous and looked at more thoroughly, especially for a game that has hundreds of millions of users.
“For any customer who’s worried by the security lapses, we advise thinking twice about the personal information you choose to share online, and checking your payment provider’s fraud prevention policies.”
However, a Roblox spokesperson denied there was a risk to users’ data privacy:
“We take all reports seriously, and immediately investigated when first approached by the researcher in March. Our investigation determined there is no correlation between these claims and real risk to users’ data privacy.
“One claim was inaccurate and the other three pertained to inactive code not used on the Roblox platform. Regardless, we deleted the inactive code as part of our commitment to the security and the safety of our users.”
Roblox also said that the research had been disputed by an information security researcher on Twitter: https://twitter.com/Paul_