Why is TeleportService usable through the client [To teleport OTHER clients]?


#1

Hello!

Just was going through testing stuff recently with TeleportService, and just was wondering why is TeleportService able to be used on the client? This seems like a major oversight in terms of security. This means any place within a game (or any start place) can easily be accessible even if the developer doesn’t want the user there.

I know you can say

Well why does it matter? Just remove the places from the game so they don’t see it!

  • Well the problem with this is that you may have places dedicated towards people who own a gamepass or purchased access to it
  • You may want to be able to test a version of your game in nearly the same environment as the real game

and

Other than those problems above, why does this cause any issues?

  • I recently just tested to see if this was possible and it IS: A user can use THEIR client to teleport any other client to any other place (obviously following the teleport rules). This could become a problem if the right people find a good way to abuse it. This could lead many exploiters to teleport vulnerable users to inappropriate places.

There are more reasons but I feel these are good enough. Would love to hear other people’s viewpoints on why it SHOULD stay client-sided, but I feel as though everything you need to do with this service can easily be done on the server. Maybe there are back-end checks we don’t know about that resolve this issue? Not sure, just trying to get this across so we can be more secure :smile:

Thanks,
Dapale :slight_smile:


Is teleportservice totally client sided?
#2

Most likely you are able to teleport other people because the game is in experimental mode.

To teleport to a place, you need an ID, and it’s not really possible to get those if the place isn’t visible to anyone.


#3

I was ready to reply why we should have this, but then I realized it is teleporting other people though the client (maybe add that to the title). I use teleporting the host client during soft shutdowns, but I can’t see the use cases for teleporting other clients, experiemental mode or not.

If someone was planning to exploit this with a tool like Synapse, they probably have a tool to look through the client’s code to find where they get teleported, or just print the place id after teleporting. Ideally, you would add your own checks to make sure the player should be there.


#4

It is quite easy to find other places if you look hard enough. If you just find players and click on which game they are playing, you can easily get the placeId


#5

Yes, but it gives you the game and not the specific place, doesn’t it?


#6

I just rechecked with my friend, and it does in-fact show me the place in which they are in (not the start place)

START PLACE:

HOME PAGE:
image

PAGE DIRECTED TO WHEN CLICKING ON IT:

Not sure if this is a chrome extension or not, as I’ve experienced this for a LONG time