I was recently testing things with TeleportService and was wondering: why is TeleportService able to be used on the client? This seems like a major oversight in terms of security. It means any place within a game (or any start place) can easily be accessed even if the developer doesn’t want the user there.
I know you can say: “Well, why does it matter? Just remove the places from the game so they don’t see it!”
- Well, the problem with this is that you may have places dedicated to people who own a gamepass or purchased access to it.
- You may want to be able to test a version of your game in nearly the same environment as the real game.
Other than those problems above, why does this cause any issues?
- I recently tested to see if this was possible, and it IS: a user can use THEIR client to teleport any other client to any other place (obviously following the teleport rules). This could become a problem if the right people find a good way to abuse it. This could lead many exploiters to teleport vulnerable users to inappropriate places.
There are more reasons, but I feel these are good enough. I would love to hear other people’s viewpoints on why it SHOULD stay client-sided, but I feel as though everything you need to do with this service can easily be done on the server. Maybe there are back-end checks we don’t know about that resolve this issue? Not sure, just trying to get this across so we can be more secure.