A way to track players across accounts

This should have a relatively high priority for being fixed. The fact that fingerprinting for Roblox is possible is worrying enough, and now that someone has actually done it blows my mind. Well done on this!

1 Like

In my opinion, it shouldn’t be patched but needs to be regulated. For example, games need to put in the description of their game that they’re tracking users’ alt accounts for however long they retain the data. Some regulations could be:

  1. the data mustn’t leave Roblox (no discord webhooks, external servers, etc)
  2. the data must be deleted if the developer receives a right to be forgotten request
  3. the data can only be used to prevent exploiters/game rule breaks (such as trollers)
  4. the data can’t be shared with anyone.
  5. the data can only be stored for a maximum of 30 days and can only be stored once they’re banned.

This is my own opinion and I don’t work for roblox.

2 Likes

This may be against some privacy rules, but it would be really useful to make a great anti cheat.

Do you think it would be a bad idea to log that to an ordered datastore like that:

  1. The datastore name is the timestamp the player started their CPU
  2. you save a table containing the player’s timezone, selected language on the Roblox website and maybe some additional data to lower the chance of false positives
  3. if your anticheat detects someone hacking, get the keys with his CPU start time and ban all of them
  4. save the CPU starting times in a normal datastore and remove them after a week (because it’s unlikely that someone is gonna leave their PC running for more than a week and be exploiting at the same time)

do you think that would be against roblox TOS?

1 Like

It would have been great if Roblox created IDs for specific emails and then let devs have access to said IDs so that we can ban players when they create alts with their email. But as a security measure, we’ll have to make our games only accessible to players with email addresses.

1 Like

You can easily create more e-mail accounts or use some temp mail.

1 Like

I think it shouldn’t be against TOS, but it’s in a gray area so you probably should be careful.

2 Likes

true true, but tracking the player this way is as easy as switching devices.

1 Like

I would advise against giving an anti-cheat banning capabilities. Things like lag spikes and glitches often trigger the anti-cheats; this isn’t so bad if your character is just reset.

1 Like

You can make a basic anti-cheat that detects things like Darkdex, Infinite Yield etc.; these things can’t be caused by accident.

1 Like

I fail to see how this is an invasion of privacy and how it could possibly be harmful to someone.

You simply know two or more accounts are possibly using the same device as they have the same properties and you want to ban that behaviour from your game.

I believe this discovery is great and I hope it stays untouched for days to come as it is very useful. A recent community has used this method to ban multiple alt accounts at once, most of them identified to be using exploits that are in violation of the Roblox TOS.

The only people this could cause harm to are the wrongdoers who will protest against this feature with all their hearts. I find this to be one of the greatest steps towards anti-exploits.

9 Likes

Putting invasion of privacy aside, you shouldn’t be using such an unintended functionality to keep exploiters out anyways. If a game has to literally track its players just to stop cheaters, then the developers should probably crack down on securing their server-client model instead!

Furthermore, the method in question can absolutely be bypassed and possibly even abused. All the identifiers required for this method to work are completely reliant on the client’s data and any competent cheater can easily forge it to either bypass it or even maliciously flag others.

In short, yes, it’s a cool discovery, and yes you could get away with using this in your game, but you shouldn’t because it’s virtually useless against exploiters and, to an extent, exposes a severe vulnerability in your networking model.

2 Likes

I’m curious how much this actually narrows down players. Other than CPU start time potentially, I can’t see the others helping narrow down that much. I suspect there would be many people with the same generated hash, especially at a large scale.

It might be cool if this was combined with join and leave times (so, for example, an exploiter is caught, leaves, then for a few mins the game checks for matching new users that might be alts).

I would be very interested in seeing some data on what percentage of users have matching hashes if anyone has some.

1 Like
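The post above asks how often unrelated players would end up with the same fingerprint. The following is an added model (my own example, not code or data from this thread or from Roblox) that estimates that false-positive rate for a fingerprint built from timezone, site language and CPU start time; the component cardinalities, the 60-second boot-time bucket and the 7-day window are assumptions chosen for illustration.

```python
"""Rough false-positive estimate for a device fingerprint made of
timezone + site language + CPU start time (constructed model)."""
import random
from collections import Counter

# Assumed cardinalities for illustration only; real values are unknown.
TIMEZONE_VALUES = 40       # effective timezones once weighted by player base
LANGUAGE_VALUES = 10       # site languages that see real use
BOOT_BUCKET_SECONDS = 60   # CPU start time rounded to a minute
BOOT_WINDOW_DAYS = 7       # window after which the thread suggests purging

def boot_buckets() -> int:
    """Distinct CPU-start-time buckets inside the retention window."""
    return BOOT_WINDOW_DAYS * 24 * 60 * 60 // BOOT_BUCKET_SECONDS

def fingerprint_space() -> int:
    """Total number of distinct fingerprints the scheme can produce."""
    return TIMEZONE_VALUES * LANGUAGE_VALUES * boot_buckets()

def innocent_match_probability(population: int) -> float:
    """Chance that one flagged player's fingerprint is also carried by at
    least one of the other `population - 1` players, assuming every value is
    equally likely (optimistic: real timezones/languages are skewed)."""
    space = fingerprint_space()
    return 1.0 - (1.0 - 1.0 / space) ** (population - 1)

def simulate_shared_fingerprints(population: int, seed: int = 1) -> float:
    """Monte Carlo variant: fraction of players whose fingerprint is not
    unique. Timezone and language are drawn with a skew toward a few popular
    values, so collisions are more frequent than the uniform formula says."""
    rng = random.Random(seed)
    buckets = boot_buckets()
    prints = Counter()
    for _ in range(population):
        tz = min(int(rng.expovariate(1 / 8)), TIMEZONE_VALUES - 1)
        lang = min(int(rng.expovariate(1 / 2)), LANGUAGE_VALUES - 1)
        boot = rng.randrange(buckets)
        prints[(tz, lang, boot)] += 1
    shared = sum(n for n in prints.values() if n > 1)
    return shared / population

if __name__ == "__main__":
    for n in (1_000, 100_000, 1_000_000):
        print(n, round(innocent_match_probability(n), 4))
    print("simulated non-unique share at 20k players:",
          round(simulate_shared_fingerprints(20_000), 3))
```

Under these assumptions the uniform estimate already reaches roughly a one-in-five chance of an innocent match at a million players, so any ban built on the fingerprint should be paired with the extra signals the thread mentions (join/leave timing, prior flags) rather than used alone.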

PSA

In the client, start tracking os.clock() from the start of the game.
Keep this tracking in an important place so exploiters can’t destroy the script.
Keep track of how it changes, and if it suddenly becomes off by the original amount, you have found an exploiter. Now you need to figure out how to punish them; the best way would be hiding it in a remote event, firing it in a non-sus way, and connecting to it on the server. After that,
you have created a 100% accurate way to prevent modification of os.clock(), unless they run the script as soon as they join, and that is almost never done.

2 Likes
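A server-side model of the drift check the PSA above describes, written as an added Python example rather than the post's own Luau: the client reports its os.clock() value periodically, and the server compares how far that value advanced against how far its own clock advanced between reports. The 0.5 s jitter tolerance, the Report type and the sample readings are constructed assumptions; the second sample shows the PSA's own caveat, that an offset present before the first report is invisible to this check.

```python
"""Server-side clock-drift check (added example modelling the PSA's idea).
A hook that starts adding a constant mid-session shows up as a one-off jump
in the client's reported os.clock(); a hook installed before the first
report only shifts the baseline and is not detected."""
from dataclasses import dataclass
from typing import List

@dataclass
class Report:
    server_time: float   # server's own clock when the report arrived
    client_clock: float  # os.clock() value the client sent with it

def clock_jumps(reports: List[Report], tolerance: float = 0.5) -> List[int]:
    """Return indices of reports where the client clock advanced by more (or
    less) than the server clock did since the previous report, beyond
    `tolerance` seconds allowed for network jitter."""
    flagged = []
    for i in range(1, len(reports)):
        prev, cur = reports[i - 1], reports[i]
        server_delta = cur.server_time - prev.server_time
        client_delta = cur.client_clock - prev.client_clock
        if abs(client_delta - server_delta) > tolerance:
            flagged.append(i)
    return flagged

# Constructed sample: one report every ~5 s. At report index 3 the client
# clock gains an extra second, as if os.clock() started returning +1.
SAMPLE_MID_SESSION_HOOK = [
    Report(100.0, 12.00), Report(105.1, 17.08), Report(110.0, 22.01),
    Report(115.0, 28.02), Report(120.1, 33.10),
]

# Constructed sample: the +1 offset was already present at the first report,
# so every delta still matches the server's and nothing is flagged.
SAMPLE_PRE_JOIN_HOOK = [
    Report(100.0, 13.00), Report(105.0, 18.02), Report(110.1, 23.09),
]

if __name__ == "__main__":
    print("mid-session hook flagged at:", clock_jumps(SAMPLE_MID_SESSION_HOOK))
    print("pre-join hook flagged at:", clock_jumps(SAMPLE_PRE_JOIN_HOOK))
```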

A lot of people who exploit do not know how to script at all and after you ban them they usually just come back on an alt. This indeed works very well when detecting alt accounts from accounts that have been previously flagged for exploiting. Just because some people can bypass it does not mean it is totally useless.

1 Like

The possibility of people turning on their computer at the exact same time frame, restarting it at the same time, matching all the properties + an innocent player matching with a flagged player is very slim.

1 Like

bypassable ~= virtually useless (lmao i use ~= instead of ≠)

yeah but seriously, how can this “eXpOse a SeVeRE vuLNeRaBiLiTy”? exploiters track players across accounts? oh no, how will they know my alts!! its essentially all my personal info and address but even worse!

ok but even if this vulnerability does exist, it’s a non-issue and quite the contrary of severe. it’s ignorable. i’m tired of people thinking that bypassable is useless. most exploiters don’t even know this vulnerability exists. it doesn’t open any vulnerabilities (if it does, it’s minimal and doesn’t matter no matter what you say) and it takes 5 seconds to put into your game and helps MASSIVELY. no downsides.

i’m TIRED of people saying “useless” and “developers should work on securing their game”. what if they already have a secure game, and it’s bypassable no matter what because no matter what you do exploiters can get past it? this is just a big extra layer of security that helps. JUST BECAUSE you have good security doesn’t mean you can’t add stuff like this.

6 Likes

Securing your server-client model doesn’t do much to stop exploiters nowadays. Most exploiters are kids who don’t know a lot about programming & cybersecurity. Banning their main & alt accounts is an upgrade for many developers looking to secure their games. Yeah yeah, the anti-alt system can cause false positives, but still, this stops a ton of inexperienced exploiters.

1 Like

Execute on attach

hookfunction(os.clock, function(original)
return original() + 1
end)

Again, this is pretty much ignorable. There’s not much reason to break ToS with a method like this, when the bypass is as simple as that. It’s a cool idea, but there’s unfortunately not much use-case against exploiters.

If you really want to deal with exploiters, get an actual anticheat. Not that hard.

2 Likes

Could you just check HWID?
I don’t know…

2 Likes

You can’t get a hardware ID through Roblox’s current API, probably the most low-level thing you can get is CPU time, which this post already demonstrates.

Also you’ve kind of phrased your reply like someone has asked you that question lol. why do you just have “I don’t know…” at the end?

1 Like