Currently Glitch stores the user token in LocalStorage, which creates a security vulnerability where an attacker can create code or an extension to steal it without the user’s notice and be able to perform some actions that the user would not like. In conclusion, Glitch should store the user token in a cookie instead, with the Secure, SameSite and HttpOnly flags, which will make stealing the user token a lot harder.
You also could make a script which collects cookies and sends them to a server, which people will actually do (hence everyone complaining about their robux/accounts being stolen).
There is a tutorial for that which Blogger (a.k.a Google) refused to take down.
Basically you could get cookies and fetch them to a server using JavaScript. Which has happened and people fall for it daily.
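
The first post's recommendation (Secure, SameSite and HttpOnly on the token cookie) can be checked mechanically. The following is an added example, not part of the original thread or Glitch's code: it parses `Set-Cookie` headers and reports which of those flags are missing. The cookie names, values and function names are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for the flags named in the thread.
// Cookie names and values below are constructed samples, not Glitch's.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('malformed Set-Cookie: ' + header);
  const attrs = new Map();
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    // Attribute names are case-insensitive (RFC 6265), so normalise them.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? '' : part.slice(i + 1).trim());
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return the list of problems for a cookie that carries a session token.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const issues = [];
  if (!attrs.has('httponly')) issues.push('missing HttpOnly: readable via document.cookie');
  if (!attrs.has('secure')) issues.push('missing Secure: may be sent over plain HTTP');
  const sameSite = (attrs.get('samesite') || '').toLowerCase();
  if (!sameSite) issues.push('missing SameSite');
  else if (!['strict', 'lax', 'none'].includes(sameSite)) issues.push('invalid SameSite value');
  else if (sameSite === 'none' && !attrs.has('secure')) issues.push('SameSite=None requires Secure');
  return issues;
}

// Names of cookies that page script could read, i.e. those without HttpOnly.
function scriptReadable(headers) {
  return headers.map(parseSetCookie).filter((c) => !c.attrs.has('httponly')).map((c) => c.name);
}

// Constructed sample headers: a weak cookie and the hardened form.
const weak = 'token=abc123; Path=/';
const hardened = 'token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';
console.log(auditSessionCookie(weak));
console.log(auditSessionCookie(hardened));
console.log(scriptReadable([weak, hardened, 'theme=dark; Path=/']));
```

Run with Node.js; an empty array from `auditSessionCookie` means the header carries all three flags.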