Starting off

This post will be fully going over the IP address dump incident that happened on September 19 2021. I know this was months ago, but I'm making this because it's good to fully examine an incident like this, and also because the only announcement I made about this was not very clear and quite rushed. Besides, there's a lesson everyone can learn from this.

For those who aren't following along, hundreds of IP Addresses belonging to Project Polygon users were dumped onto paste sites on September 19 2021, just two weeks after its initial public opening.

I guess I should start off by saying that this was not the result of a database leak or anything. This has to do with the way the ROBLOX Game Client works, and admittedly some poor decisions on my part.

How were the IP addresses obtained?

A fraction of the IP addresses in the dump came from server IPs. As you know, Project Polygon relies on the users to self-host game servers, and that requires the server hoster specifying their IP address in order for people to connect to it. At the time, it was possible for people to fetch the server IP even if the server was offline, and there was no rate limit.

Those server IPs were just a very minor part of the whole IP dump. Where did the rest come from? There's a bigger issue at play here -- actually, there's two -- that makes it possible to fetch IP addresses from players connected to a game. I'm covering both as this doesn't just pertain to Project Polygon, this is also an advisory to everyone, whether you own a revival or you play them.

Method 1 - ServerReplicators

When it comes to handling network stuff, the ROBLOX Game Client does it in a unique way. Some network properties are accessible via scripting with Lua. Starting a server, connecting to a server - those are all done through Lua. There's actually quite a few accessible classes that interface with networking. The main three are NetworkClient, NetworkServer and NetworkReplicators.

NetworkReplicators are used to handle connections between the client and the server. They expose several Lua functions for interacting with the network layer that are used for connecting to a server. For some unknown reason, they also expose to Lua the IP address of the peer you're connected with.

Now, there's two types of NetworkReplicators: ClientReplicators and ServerReplicators. As their names suggest, ClientReplicators are used on the Client and ServerReplicators are used on the Server.

When a server is hosted, each incoming connection is listed as a ServerReplicator, and as mentioned before, the IP address of a ServerReplicator is accessible by Lua.

I should clarify that only the server can see the connected ServerReplicators, not the client. Though, this wouldn't matter much if you're able to run a server-side script.

So with that, if you're able to run a server-side script, then you can easily get the IP addresses of everyone connected to a server. In case you didn't know, this was exactly how GoodBlox's IP dump happened.

Project Polygon had this patched for a very long time, with the IP address just returning as RakPeer. You may have even seen it if you've started a server and looked at the output. So, there's more to this than just unsecured NetworkReplicators, which brings me to the second possible method.

Method 2 - Bypassing trust check

The ROBLOX Game Client has a security feature called 'trust check', which in essence is just a whitelist of websites the client can access. This is a thing to help ROBLOX enforce only people using pre-approved assets from www.roblox.com. For example, you won't be able to add images from an NSFW website thanks to trust check. However, trust check also helps with security, which I'll get into now.

Assets like images and meshes are fetched by the client, while other assets like models are fetched by the server. That first part is especially important. If there was a way to bypass trust check and fetch any web link, it would be possible to add a decal or something that links to a bad site which logs connected IP addresses. Because the client is the one making the request, the IP address of the client would be logged.

This method is critical because many revivals completely patch out trust check, allowing any web link to be fetched in-game. Fun fact! Finobe's 2012 client had no trust check for three whole years. That's how common it is.

Again, Project Polygon had this patched for a very long time. Or... did it?
This one is where I'll take the blame. Yes, Project Polygon did have it patched, but at the time there was a vulnerability that allowed trust check to be bypassed through the use of the URI username identifier. You can see more details about that here. It has been fixed since September 21, however it's possible this was the method used to obtain the IP addresses of people connected in-game. We don't know for certain if this was the actual method used, but I'm disclosing this here for the sake of transparency, and it proves that it would have been possible to pull off an IP dump.

So, what now?

If you remember from the original announcement, I made the conclusion that a popular server hoster modified their server program to not redact the ServerReplicator IP addresses in collaboration with a group of people. I'll redact that conclusion, because I'll be honest - I've never actually confirmed that, and I don't know if it's true. The more reasonable conclusion could be made that his servers were targeted only because they were immensely popular. I didn't want to do a GoodBlox and leave the entire community on read, so I tried to get a statement out as soon as I could. JimmyTheMango, you have my apologies.

I think it's reasonable to say the main factor for this happening to Project Polygon was the use of self-hosted games. With self-hosted games, we don't have control over each server that's hosted. We can't monitor any suspicious requests. We can't ensure that people haven't modified their server program for malicious purposes. The list goes on. There's a very big element of trust in there, something I largely overlooked when deciding to take this public.

Places are on the verge of release, and with that, I can promise you it would be impossible for something like this to ever happen again.

If I've amplified your paranoia on the security of revivals, then that's a good thing. It's a hard thing to get 100% right. Especially for the smaller ones made by people just learning how to patch a client and make a website, which are growing ever more common with the privatization and closures of all the major revivals. Everyone can learn a lesson from this.

Have a nice day.