ROBLOX is vulnerable to session sidejacking #283
Description
At the moment, ROBLOX is vulnerable to session sidejacking: because no end-to-end encryption is used anywhere other than on the login and account pages, an attacker using packet sniffing (with a program like Firesheep or Wireshark) on the same network as a logged-in victim browsing the ROBLOX website can steal the user's session cookie and use it to take over the user's session.
This is a serious issue. It means that any malicious user of an open wifi network, or of one using WEP (but not WPA or WPA2, since they isolate user sessions), can easily steal the session of any user who sends a request to the ROBLOX website while logged in (i.e. anyone browsing ROBLOX's website).
The only solution is to provide end-to-end encryption for the session cookie. This requires securing it with SSL/TLS, which in turn requires enabling and enforcing (through HSTS) the use of SSL/TLS for all requests to the website. The only other solution is to change the session cookie on every request, although a determined attacker could still, if acting faster than the user, steal the session by using the session cookie before the user does; in any case, this is not a sufficient solution, so support for (and enforcement of) HTTPS is necessary for all pages to which the .ROBLOSECURITY cookie is sent (i.e. all of www.roblox.com and similar websites).
In order to demonstrate this issue and how easy it is to exploit, I have created a Firesheep handler, published on GitHub, that can be used with the Firesheep extension on any open wifi network to steal the session of any user logged in to ROBLOX. This is particularly an issue for users using ROBLOX in schools and for members of the same family who share a network.
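The following is an added example, not code from the issue author's Firesheep handler or from ROBLOX. It models the two halves of the problem described above: what a passive sniffer does with a plaintext HTTP request (pull the session cookie out of the Cookie header), and the response-side conditions that close the hole (the session cookie carries the Secure attribute so the browser never sends it over plain HTTP, and the site sends Strict-Transport-Security so the browser upgrades future requests). The request and response texts are constructed samples with a placeholder token, not captured traffic; `EXAMPLE_SESSION_TOKEN` and the header layouts are assumptions for illustration.

```python
"""Added example (not from the original issue): a minimal model of session
sidejacking and of the response headers that close it.

1. extract_session_cookie(): what a sniffer such as Firesheep does with a
   plaintext HTTP request seen on a shared network.
2. audit_response(): checks a server response for the fix the issue calls
   for: the session cookie must carry Secure, and the site must send HSTS.

All messages below are constructed samples; the token is a placeholder.
"""
from typing import Dict, List, Optional

SESSION_COOKIE = ".ROBLOSECURITY"

# Constructed sample of a request sent over plain HTTP (not HTTPS), as it
# would appear on the wire to anyone on the same network. Token is fake.
SNIFFED_REQUEST = (
    "GET /games HTTP/1.1\r\n"
    "Host: www.roblox.com\r\n"
    "Cookie: .ROBLOSECURITY=EXAMPLE_SESSION_TOKEN; other=1\r\n"
    "\r\n"
)

# Constructed responses: the weak form the issue describes, and the fixed form.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: .ROBLOSECURITY=EXAMPLE_SESSION_TOKEN; Path=/; HttpOnly\r\n"
    "\r\n"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: .ROBLOSECURITY=EXAMPLE_SESSION_TOKEN; Path=/; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split an HTTP message head into lower-cased header name -> values.
    Repeated headers (several Set-Cookie lines) are kept in order."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def extract_session_cookie(raw_request: str, name: str = SESSION_COOKIE) -> Optional[str]:
    """Return the session cookie value from a captured plaintext request, or None.
    This is the whole 'attack': the cookie is readable because the request is not encrypted."""
    for cookie_header in parse_headers(raw_request).get("cookie", []):
        for pair in cookie_header.split(";"):
            key, _, value = pair.strip().partition("=")
            if key == name:
                return value
    return None


def audit_response(raw_response: str, name: str = SESSION_COOKIE) -> List[str]:
    """Return findings about the response; an empty list means the sidejacking
    conditions (cookie sent over HTTP, no forced HTTPS) are closed."""
    findings: List[str] = []
    headers = parse_headers(raw_response)

    session_attrs: Optional[set] = None
    for set_cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in set_cookie.split(";")]
        if parts[0].partition("=")[0] == name:
            session_attrs = {p.partition("=")[0].lower() for p in parts[1:]}
    if session_attrs is None:
        findings.append(f"{name} is not set in this response")
    else:
        if "secure" not in session_attrs:
            findings.append(f"{name} lacks Secure: the browser will send it over plain HTTP")
        if "httponly" not in session_attrs:
            findings.append(f"{name} lacks HttpOnly")

    hsts = headers.get("strict-transport-security", [])
    if not hsts:
        findings.append("no Strict-Transport-Security header: HTTP requests are not upgraded to HTTPS")
    else:
        max_age = 0
        for directive in hsts[0].split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age" and value.strip().isdigit():
                max_age = int(value)
        if max_age == 0:
            findings.append("HSTS max-age is 0: the policy is disabled")
    return findings


if __name__ == "__main__":
    print("stolen cookie:", extract_session_cookie(SNIFFED_REQUEST))
    print("weak response:", audit_response(WEAK_RESPONSE))
    print("fixed response:", audit_response(FIXED_RESPONSE))
```

Two practitioner caveats on the fix itself: the Secure attribute is what stops the browser from ever putting the cookie into a plaintext request, so it closes the sniffing window even before HSTS takes effect; HSTS only protects a browser that has already received the header over HTTPS (or has the domain preloaded), so the first plaintext visit remains exposed unless every HTTP response also redirects to HTTPS. Rotating the cookie per request, as the issue notes, only shortens the race and does not remove it.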