Invisible Threats in the Met-Averse: Investigating Roblox’s Security Vulnerabilities

Researcher(s)

  • Jingqing Liu, Computer Science, University of Delaware

Faculty Mentor(s)

  • Xing Gao, Department of Computer and Information Sciences, University of Delaware

Abstract

Meta-universe gaming, represented by platforms such as Roblox, is at the forefront of the gaming industry. These platforms provide a virtual world that offers users an engaging experience that can be created and interacted with on demand. Despite these platforms’ tremendous progress, they are still susceptible to malicious exploitation, posing severe security concerns. Roblox is one of the leading meta-universe gaming platforms, and this study explores its security vulnerabilities. The study highlights how Roblox’s infrastructure circumvents firewall restrictions, providing a hidden route for unauthorized network connections. This study also explores the possibility of misusing Roblox’s distributed resources for cost-effective neural network training. These malicious activities can then be hidden among normal gaming activities without the user’s awareness, causing unintended harm. The investigation uncovered two noteworthy vulnerabilities. First, Roblox can indeed be manipulated by local malware to launch connections or open web pages in-game, thereby bypassing traditional security measures. Second, Roblox’s distributed computing resources can be used for resource-intensive tasks such as neural network training. Given Roblox’s relatively young user base, these exposed vulnerabilities could have a particularly damaging impact, potentially spreading harmful information or links that could threaten user security. This study emphasizes that metaverse gaming platforms, especially those targeting younger audiences, need to adopt strong security measures and continuously improve them to ensure a safe gaming environment, prevent misuse of the platform’s computational resources, prevent the dissemination of potentially harmful content, and protect users, especially children, from potential harm. Finally, we propose several policies for metaverse gaming platforms to protect their valuable computing resources from malicious exploitation.