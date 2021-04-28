



Researchers at CyberNews have discovered that Roblox is leaving 100 million users’ sensitive data open to critical security breaches.

Valued at $38 billion and boasting over 199 million monthly users, Roblox is the world’s most popular online gaming platform, with a core demographic of children aged between 9 and 15.

Despite its commercial success and 17-year history of development, analysis of the Android mobile app revealed that poor data security practices leave users’ personal information potentially vulnerable to damaging attacks from cybercriminals.

Roblox player profiles include names, email addresses and other identifiable records. The vast quantity of in-game microtransactions, coupled with massive numbers of very young players, makes Roblox a key target for cybercriminals. The security issues identified mean it’s possible that any user of the Android app could become a victim of data theft and scams.

CyberNews researchers conducted analysis on the Android version of the Roblox app – the most popular amongst users, with over 100 million installs to date. They found four key areas where data was open to hackers: misconfigurations in the Roblox Android manifest file, inadequate hashing algorithms, susceptibility to the Janus vulnerability and hardcoded API keys. These resulted in an alarmingly low 10/100 Mobile Security Framework Security Score, which indicates many potential security problems present within the app.

Roblox has grown rapidly in popularity since the start of the pandemic, gaining 50 million new monthly users, with children spending more time online than ever. In January, the U.S. Securities and Exchange Commission (SEC) declared reservations over the way in which Roblox recognises revenue from the sale of its in-game currency, Robux, resulting in delays to the company’s stock market listing, previously scheduled for February. The company made its debut on the New York Stock Exchange via direct listing on 10th March.

Says Mantas Sasnauskas, Senior Researcher at CyberNews:

“We’re calling on Roblox to address the platform’s security risks as a top priority – these security and privacy practices should be much more rigorous and looked at more thoroughly, especially for a game that has hundreds of millions of users.

“For any customer who’s worried by the security lapses, we advise thinking twice about the personal information you choose to share online, and checking your payment provider’s fraud prevention policies.”

