⚠️ Cetus Security update

Last updated: 9 months ago

Severity: High

Security update

A premade Cetus game, the promotion centre, has a security vulnerability. Here is what you need to know.

What’s affected?

The Cetus Promotion centre (Here)

If you are using this place or any of the code within it, you are likely affected.

How do I fix it?

To fix, update to the Latest release.

It is also strongly advised that you reset your API keys if you think one has been compromised as a result.

I’ve customised my centre, what can I do?

If you have NOT modified the MainModule file (you probably have not), replace the ModuleScript ServerScriptService > Main > MainModule with the content here

I’ve edited the MainModule file

If you are running a custom variant of this base code, browse to the script in ServerScriptService > Main > MainModule.

  • Browse to line 107
  • Remove the code within the callback (after RankGet)
  • Insert the following code AFTER the RankGet call, on line 108:
```lua
-- newRank is the value returned by the ChoicePrompt; it comes from the client,
-- so it is untrusted until checked against promoRanks (the ranks this centre may grant).
if table.find(promoRanks, newRank) ~= nil then
	local ranked = self.http:setRank(Player.UserId, newRank)
	loadingScreen.hide()
	if ranked.error then
		Misc:displayError(Player, "Failed to rank you.", true)
	else
		Misc:displayMessage(Player, "Successfully ranked to "..newName, true)
	end
	wait(30)
	Player:Kick("Done")
	return
end
-- Anything not in promoRanks was never offered by the prompt: log it and remove the player.
warn("ILLEGAL RANK SUPPLIED")
Player:Kick("Illegal rank supplied: This incident will be reported.")
```

I need help!

We are happy to help fix this issue. Join the discord

What is the vulnerability?

First, a quick history lesson.
The core of the Promotion centre code is heavily based upon promotion software I made previously. It uses an open source UI framework called ‘RoStrap’.

These days, RoStrap is no longer maintained - but that is not the source of this issue. The module relies on a “ChoicePrompt”, which lets the user choose one of several rank options.
When this module was originally written, it was presumed that RoStrap validated the return result from this call. It does not.

So this was effectively an open remote in disguise: although the code never interacted with remote functions directly, the unvalidated prompt result allowed a malicious user to choose any rank in the group and receive it using exploits.
This is fixed by validating the return result against the allowed ranks and rejecting it if the user tries to gain a rank they are not due.
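To make the pattern concrete, here is an added Luau illustration (not code from the Cetus release) of the same flaw and its fix: a handler that trusts whatever the prompt returns beside one that treats that value as untrusted input. The names `promoRanks`, `onChoiceUnsafe`, `onChoiceSafe` and `validateRankChoice` are assumptions, as is the assumption that ranks are numeric IDs.

```lua
-- Added example, not Cetus code. Assumes promoRanks lists the numeric rank IDs
-- this centre may grant and that the ChoicePrompt yields whatever the client picked.
local promoRanks = { 5, 10, 25 }   -- constructed sample allow-list

-- Before: the prompt result is trusted. The prompt runs on the client, so an
-- exploiter can make it return any rank ID in the group, not just the ones shown.
local function onChoiceUnsafe(player, http, newRank)
	return http:setRank(player.UserId, newRank)
end

-- After: validate the result exactly as you would a RemoteFunction argument.
-- Reject wrong types first, then anything outside the allow-list.
local function validateRankChoice(allowed, choice)
	if typeof(choice) ~= "number" or choice ~= math.floor(choice) then
		return nil, "rank must be an integer id"
	end
	if table.find(allowed, choice) == nil then
		return nil, "rank not offered by this centre"
	end
	return choice
end

local function onChoiceSafe(player, http, newRank)
	local rank, reason = validateRankChoice(promoRanks, newRank)
	if not rank then
		-- Log server-side so the attempt is visible in your output, then remove the player.
		warn(("ILLEGAL RANK SUPPLIED by %d: %s"):format(player.UserId, reason))
		player:Kick("Illegal rank supplied: This incident will be reported.")
		return nil
	end
	return http:setRank(player.UserId, rank)
end
```

Only `onChoiceSafe` should ever reach the ranking API; `onChoiceUnsafe` is shown solely so the missing check is obvious.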

What have you done about this?

We understand you may feel you can no longer trust us after this incident. We want to assure you that your group is now secure.
As soon as we became aware of a potential security issue, we brought our systems offline and triggered one of our security fallbacks.
This means that all of our Roblox bot users had their cookie rotated, in case this was the source of the issue. This means the time your group was at risk was minimised as much as possible.

We then quickly located the cause and have now released this fix. We’re happy to discuss any concerns you may have, in our discord.


If you'd like to republish the contents of this post, please get in touch.