A way to track players across accounts

Just said it out of rage, because when i saw this epic tracking method, someone mentioned its against tos, it annoys me too

It is, check the post above you.
Plus, you technically forced the user to share it with you.

Correct me if I’m wrong, but I’m pretty sure this reads the “up time” which might be able to be spoofed if you’re using a VM.

Since exploiters are already modifying the client, they may be able to directly spoof os.clock. I doubt that an average kid would be able to figure out how, but the exploit developers who allow others to buy their code probably would invest a lot of time into figuring this out.

With simple trial and error, even somebody who had no idea what this system is or how it works would probably figure out that they simply need to restart their PC to get a fresh identifier and evade detection.

I can see this method having a lifespan of anywhere from roughly a day to about a month before becoming irrelevant.

then again I’m not too experienced with this stuff, I may be wrong. if you find anything wrong here, let me know.

Atleast it could get rid of trolls which dont use exploiters.

This is very interesting but I am pretty sure this would need to run on the client so the usual problem of exploiters deleting the script would apply

There is a function called elapsedTime() that does this

It’s possible to pull much much more data out of the client.
Removed the example picture of getting more data due to not wanting to leak the methods

However I’m pretty sure this is againts the TOS. This is definetly againts the European Unions GDPR law https://gdpr.eu/ and possibly COPPA and other such laws too. So it’s in a legal grey area at best, and large parts of the world illegal.

Another thing is that spoofers exist for the data, all one needs an exploit to spoof this. Or heck, they can literallly just change their PC settings.

Combined with a database the links between accounts could be saved. Only a single account would need to be identified and all other related accounts could be found. I’m aware of exploiters being able to spoof all data points as this post is meant to warn of misuse on innocent players.

Example below detailing how accounts could be linked together and how a user could avoid detection.

image1207×455 80.3 KB

One doesn’t need an exploit to spoof the datapoints. All one has to do is change a few windows settings.

Your average player would most likely not even be aware that they were being tracked and as a result not do that. Plus you can select settings less likely to be changed such as the system language or timezone.

Funfact is also possible to make a script that calculates the physical real life position of a player to a very good degree, it only works on devices with accelerometers and gyroscopes however. But it allows getting a lot of data, possibly even things like the structure of the house a user lives in, spooky stuff.

I don’t see the issue with this. All you know from this info is that two accounts are owned by the same individual. It’s not as if you can possibly track that individual down like you could with an IP. Correct me if I am wrong though.

Besides that point, I think this is pretty clever and cool!

From a lot of people’s pov, this wouldn’t be considered a violation of privacy, considering the minor and insignificant data that you’re given the ability to access.

The most harmful thing you could get from this is someone’s timezone, and how long their cpu has been running for. Unless you consider being able to tell if someone’s on mobile or not a privacy violation.

Aside from this being a breach of privacy, was any testing done on this? I setup a little project because I wanted to see for myself if this was actually viable and it appears to not work outside of Roblox Studio.

Edit: Nevermind, I forgot that Discord doesn’t allow API calls from Roblox IP’s.

I ran some tests because I was curious about how reliable it is and after messing with a few items it has shown results. I am aware it may be a privacy concern but all websites (to some extent) fingerprint users without their permission. There is always an option to have people accept to the games privacy terms else they can not play and if we really want to push then technically Roblox user IDs are classified as Unique identifiers.

Yep, literally anything on the client that carries over across sessions which can be read by scripts can be used to form a fingerprint on users. This includes:

• The first 5 data points listed in the thread.
• The user’s settings (mouse sensitivity, volume, etc)
• The user’s resolution / screen size.
• The user’s country.

Even just ignoring os.clock() by itself, there are numerous, numerous things you could use to build up a fingerprint on a user. Anything single thing that is saved on the client or persistent across sessions can be used.

So yeah, this is bad for numerous reasons that shouldn’t have to be explained, but simply changing os.clock() won’t outright stop this, in fact there is no way to completely patch this out. Roblox will have to take matters into their own hands and start taking moderation action against games that employ this.

No, what if on the game you own you just make a pop up appear on the first join with conditions of usage of your game, you put alot of thing and you add somewhere “By accepting you allow us to track and share your alt accounts”

99% of people with just accept without reading, so actually they were not forced to share

This. is. GENIUS.

By far my favorite resource that I’ve ever seen on the DevForum.

I’ve always had a love for cybersecurity and this totally blows me away.

Although there are lots of concerns on privacy from others, I can definitely see this find as a great step forward towards anti-exploits.

You might think that it’ll work… but

And a lot of people just accept the Roblox ToS without reading, remember no using player’s personal data?

You can’t use exploiters, you meant exploits?
Banning trollers is a bit harsh, plus, look at Frappé Cafe