Naked Security

Roblox says hacker injected code that led to avatar’s gang rape

Roblox was moving some older, user-generated games to a newer, more secure system when the attack took place, it says.

“Roblox has made it almost impossible to rape people anymore,” a gamer complained in a YouTube video posted in September. He apologized for not posting a rape script video in over a year, all due to the company adding more security into their games.

If any of you guys know how to make the rape script work on filtered enabled games, make sure to let me know.

Well, somebody clearly did figure it out, as a whole lot of people unfamiliar with gaming rape culture found out earlier this month, when a 7-year-old girl’s avatar was gang-raped on a playground by two male avatars in the hugely popular, typically family-friendly game.
Roblox is a multiplayer online gaming platform in which users can create their own personal avatar, embark on their own adventures and interact with each other in virtual reality.
The girl’s mother, Amber Petersen, described in a 28 June Facebook post how she had seen her daughter’s character get attacked while she was playing Roblox on an iPad. Petersen shielded her daughter from seeing most of the attack, and she captured screenshots that she also posted.
At the time, Roblox traced the virtual violence to one “bad actor” and permanently banned them from the platform. As it was, at the time of the assault, Roblox already employed moderators who review images, video and audio before they’re uploaded to Roblox’s site, as well as automatic filters. After Petersen reported her daughter’s experience, the company put in yet more safeguards to keep it from happening again. It issued this statement:

Roblox’s mission is to inspire imagination and it is our responsibility to provide a safe and civil platform for play. As safety is our top priority – we have robust systems in place to protect our platform and users. This includes automated technology to track and monitor all communication between our players as well as a large team of moderators who work around the clock to review all the content uploaded into a game and investigate any inappropriate activity. We provide parental controls to empower parents to create the most appropriate experience for their child, and we provide individual users with protective tools, such as the ability to block another player.
The incident involved one bad actor that was able to subvert our protective systems and exploit one instance of a game running on a single server. We have zero tolerance for this behavior and we took immediate action to identify how this individual created the offending action and put safeguards in place to prevent it from happening again. In addition, the offender was identified and permanently banned from the platform. Our work on safety is never-ending and we are committed to ensuring that one individual does not get in the way of the millions of children who come to Roblox to play, create, and imagine.

Now, the company is blaming a hacker/hackers who attacked one of its servers and thereby managed to inject code that enabled the assault.
TechCrunch reports that Roblox, which is experiencing vigorous growth (it recently said it expects to pay out double the sum it paid to content creators a year ago), was in the process of moving some older, user-generated games to a newer, more secure system when the attack took place. There were multiple games that could have been exploited in a similar way.
Following the incident, Roblox’s developers have removed the other vulnerable games and asked their creators to move them to a newer, safer system. TechCrunch reports that most have done so, and those who haven’t won’t see their games back online until they do. None of the games now online are vulnerable to the exploit used by whatever hacker crawled out of Dante’s Seventh Circle of Hell to attack a 7-year-old’s avatar.
Petersen has lauded the company’s fast and thorough action. In her initial Facebook post, reeling with shock, disgust and guilt, Petersen had urged other parents to delete the app. But two weeks later, in a follow-up post on 11 July, Petersen said she’d edited that initial post: she now emphatically believes that the incident was not Roblox’s fault:

This was the fault of a HACKER, not the company. Shortly after I reported the abuse and wrote my Facebook post, Roblox quickly responded and determined that the offending avatars were hacked by an outside user. Immediately, the offender was permanently banned from the platform, the game was suspended, and Roblox engineers worked overtime through the weekend to tighten their platform to ensure this event would not happen again. Afterward, I revised my original post. Rather than calling for people to delete the app, I encouraged parents to double-check security settings on all their devices and make sure they are aware of what their children are playing.

Petersen is now urging parents to visit Roblox’s parent’s guide at https://corp.roblox.com/parents/.
Although she no longer thinks parents should delete Roblox, she still thinks that it’s vital for parents to closely supervise children’s activity, on any device, as “no form of technology is entirely safe from hackers,” she says.
And such hackers don’t restrict themselves to sexual violence or aggressiveness. On the Go Ask Mom Facebook page, one mother wrote, in response to the Roblox rape story, that she’s keeping her son off Roblox after learning about a game he was playing:

My son has not been allowed to play this since I walked into him playing and the mission was to kill yourself. Like he had to go around his character’s house and drink bleach or find a knife.

There’s just no way to protect kids from every single type of troubling content on games and social media. Rather than freak out and stuff them away in a Faraday cage, experts recommend that parents take certain precautions, foremost of which is to keep an eye on what their children are encountering online.
Larry Magid, CEO of Connect Safely, a nonprofit dedicated to educating technology users about safety, privacy and security, told WRAL that Petersen was doing pretty much everything right.
Namely, she …

  • …was sitting right next to her daughter, ready to step in to interrupt when things took a turn for the objectionable.
  • …had the privacy settings set so her daughter would only experience age-appropriate play. It’s not clear how those settings were reset: it might have happened when the app was deleted to save space and then reinstalled, for example. Regardless, it points to the importance of regularly rechecking privacy settings.

Magid and other experts offered additional steps that can help:

  • Select “curated content” only in the security settings: that will restrict the content to age-appropriate games. Check out Roblox’s site for more information on its curated content.
  • Let Roblox – or any game maker, for that matter – know immediately when unacceptable content appears.

Those are helpful tips. But for better or worse, gamers, and game hackers, are a creative bunch. That means that the list of threats keeps morphing, and the hackers are ever ready to pounce on any means possible to insert their idea of “fun” into a game. Just run a search on “Roblox rape” on YouTube to see what I mean.
Maybe it was just one bad actor responsible in this case. But even if it was, there are clearly plenty of people who think of that act as a win and who would happily do the same.
That rape script video upload I mentioned? It was a six-part series.
Keep an eye on the kids – it’s a world of nasty out there.


16 Comments

“gaming rape culture” I think I’m going to be sick. We have come a long way since our favorite Italian plumber was jumping on turtle shells, haven’t we?

Until hackers can be held accountable for their actions, they will continue on their destructive path. Humanity is becoming less civil daily it seems.

News flash: It’s the internet. It will never be a happy safe space for kids. People do it for fun. It’s a laugh. People do not care about those on the other side of the keyboard, accept it & move on. Also it was a script kiddie not a ‘hacker’. Also, rape? No. It’s role-play & trolling. Hell it’s funny. Because it’s virtual. Just because it happened to a young kid on a game, the trolls do not care, if anything it makes it funnier it got news attention. They got banned. Big whoop, new account, maybe a VPN at worst. Job done. Back to trolling.

It’s quite upsetting to me that this comment is +12, 1.
Regardless of the validity of your points, and in fairness trying to whackamole people who move to new network connections and accounts when banned is hard, although doable to at least a level to require high technical skill or very deep pockets, the attitude you show to this having happened to a 7 year old is frankly awful.
You can argue the same things you did neutrally, or from the point of view that it’s awful but can’t be stopped, but you chose not to do either of those.

I’m more of the opinion you shouldn’t ever let a kid that young play a game that interacts with other people in this day and age imo. Stick to those single player games until at least middle to high school.

Like BT said you shouldn’t let young kids play a game that is multiplayer, this is caused by the negligence of the parent. But to add more insult to injury the ESRB, which is the main organization for rating and assigning age restriction, specified in the U.S. Roblox is a game rated for 10+ years old. So in the end, the parent is the one to blame for not knowing enough about parenting and in the end just ignoring warning and policies set out by the company and when something went wrong just blaming it all on the company.

I want revenge on the hackers. We need to make a safe app to keep the Roblox game safe and secure. Please, I request that you remove the hackers from the game.

The two rapists are EXPLOITERS and NOT HACKERS. Hackers don’t care about a child’s game.

While you’re correct… like it or not, the majority of the world thinks that breaches happen because of “hackers.” Just like “virus” (a general word describing all flavors of malware), hacker is a blanket term to encompass all nefarious netizens. Genpop doesn’t know the term’s inaccuracy; it simply means one who modifies an object or system–poking holes in a garden hose is hacking a better method of watering flower bed.
The true term for one breaking into systems is cracker. But (mostly) thanks to a wildly-inaccurate film featuring Angelina Jolie, “hacker” is the term everyone knows.

I’d say that the word “cracker” is most commonly associated with software cracks, where piracy-protected or pay-to-play software such as a game is “cracked” so it can be played for free.

Ah, software cracking–I recall ages ago looking for the cracked release of this or that.
I can’t recall where I first read it, but it was also ages ago. A lament I’m at times tempted to emulate, it’s by now entirely futile. Yet another common-wrong-usage-becomes-correct situation like someone saying “bimonthly” when they mean every other week.
As long as there are still holdouts–even as general as the existence of a site named “lifehack” which doesn’t primarily exist to teach budding digital criminals–I’ll try to stick with more accurate vernacular. But even at that I fail, seldom saying “GNU/Linux” and simply lazily saying the latter.
I admit language constantly evolves, and we who resist change are not as traditionalist as we try to believe. I’ve certainly never advocated for the return of words like Claudivs and ye olde shoppe. (and I’m glad on that last point after learning the true origin of the “y” as thorn).
:,)

I’ve heard a different use for the word cracker myself but I guess it has at least three meanings

So just to clarify, are you saying that “Curated content only” isn’t the default setting in a game targeted at children?

Note it was an Exploiter or as we call them “script kiddies” who use cheat engines usually created by others, not a hacker that can get your IP address, accounts, etc. And to say the least this article is being too dramatic using terms like “hacker” and phrases like “Dante’s circle of hell”. I mean it’s just a guy messing around, this person didn’t know who was behind the screen, that a seven year old kid was behind there, nor did he care. I mean would the child perceive it as rape? Would a child know what it is? I mean parents can just say some BS and end of story.
