A newly discovered exploit in the online game creation system Roblox is being used to scam players out of their precious Robux. Players using an Xbox controller are vulnerable to accidental purchases, and unethical creators are trying to take advantage of this to squeeze money out of players.
How are Roblox users being scammed?
The issue came to light on January 11th in a series of Twitter posts by @wideawakewesley. In his posts, he points out how players using an Xbox controller can accidentally purchase items with Robux, a premium currency that can be bought with real money, because the A button is used for both jumping and confirming purchases. He first discovered this worrying exploit when his daughter accidentally spent 400 Robux (about £3.60) and was "distraught" over it. While this wasn't the first time his daughter accidentally purchased something in-game, this was the first issue she could easily replicate and bring to her dad's attention.
"Roblox on Xbox has a problem. One that can be exploited to scam anyone, but particularly children, out of their money. On Xbox, the purchase confirmation button is bound to the A button, but the A button is also the jump button. As a result, accidental purchases are super easy." (Wes 💙 Film|TV|Games|Footy, @wideawakewesley, January 11, 2021)
How long has this issue been around?
In his Twitter thread, Wesley also points out details about purchase pads, objects that players can walk onto to open up the purchase confirmation window, and brings up a page from the official Roblox developer forum which shows this exploit has been known for nearly a year. He also shared the following links showing the same or similar scams:
- A YouTube video from January 8 showing and talking about the exploit Wesley talked about.
- Two threads on Reddit (plus one he created himself to raise awareness), one of which describes a particularly predatory use of the exploit.
- A Polygon article from August 2019 which mentions a similar exploit, along with some drama with the game's teenage users.
This sort of exploit can also be an issue with honest game creators, who wind up making Robux due to accidental purchases caused by the game's poor design decision. After four attempts at contacting Roblox support (one of which came after his daughter was deceived by another exploit), he had been given very little concrete help. The responses tell Wesley that Robux purchases are non-refundable and that these sorts of issues should be brought up to the developers of the individual games.
What are the Roblox company and Microsoft doing to fix this issue?
It's clear from the player testimonies that these sorts of exploitable design choices have been semi-public knowledge for a while now. TechRaptor contacted both the Roblox company and Microsoft about these exploits and what, if anything, they're doing to solve this issue or help affected users. A spokesperson from the Roblox company said:
Wesley added that the email sent to him by the Roblox company said that their confusion arose because the issue was a problem with how the purchase was made through the Xbox platform, not an issue with the developer's product.
Wesley told us that he was "disappointed" with how the Roblox company handled the situation. He said he felt like they were either not listening to his points or willfully ignoring them. "I'm happy that they are at least now listening (or giving the pretense that they are), but ultimately I want the issue fixed, that's the most important thing for me. The Robux refund was a nice gesture, but that was secondary." For now, he told his daughter to avoid playing games with in-app purchases, and won't be buying her any Robux in the future because he doesn't trust the platform in its current state.
We reached out to Microsoft earlier this week, and they have not responded at this time.