You can make a basic anti-cheat that detects things like Dark Dex, Infinite Yield etc.; these things can't be caused by accident.
I fail to see how this is an invasion of privacy and how it could possibly be harmful to someone.
You simply know two or more accounts are possibly using the same device as they have the same properties, and you want to ban that behaviour from your game.
I believe this discovery is great and I hope it stays untouched for days to come as it is very useful. A recent community has used this method to ban multiple alt accounts at once, most of them identified to be using exploits that are in violation of the Roblox TOS.
The only people this could cause harm to are the wrongdoers who will protest against this feature with all their hearts. I find this to be one of the greatest steps towards anti-exploits.
Putting invasion of privacy aside, you shouldn't be using such an unintended functionality to keep exploiters out anyway. If a game has to literally track its players just to stop cheaters, then the developers should probably crack down on securing their server-client model instead!
Furthermore, the method in question can absolutely be bypassed and possibly even abused. All the identifiers required for this method to work are completely reliant on the client's data, and any competent cheater can easily forge it to either bypass it or even maliciously flag others.
In short, yes, it's a cool discovery, and yes, you could get away with using this in your game, but you shouldn't, because it's virtually useless against exploiters and, to an extent, exposes a severe vulnerability in your networking model.
I'm curious how much this actually narrows down players. Other than CPU start time potentially, I can't see the others helping narrow down that much. I suspect there would be many people with the same generated hash, especially at a large scale.
It might be cool if this was combined with join and leave times (so, for example, an exploiter is caught, leaves, then for a few mins the game checks for matching new users that might be alts).
I would be very interested in seeing some data on what percentage of users have matching hashes if anyone has some.
PSA
In the client, start tracking os.clock() from the start of the game.
Keep this tracking in an important place so exploiters can't destroy the script.
Keep track of how it changes, and if it suddenly becomes off from the original amount, you have found an exploiter. Now you need to figure out how to punish them; the best way would be hiding it in a remote event, firing it in a non-sus way, and connecting to it on the server. After that,
you have created a 100% accurate way to prevent modification of os.clock(), unless they run the script as soon as they join, and that is almost never done.
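A client/server sketch of the drift check the PSA describes, added here as an example and not code from the thread. It assumes a RemoteEvent named ClockReport in ReplicatedStorage and a server Script in ServerScriptService (both names chosen for the example), and it uses workspace:GetServerTimeNow() as the reference the PSA leaves unspecified.

```lua
-- Added example (not from the thread). LocalScript (client): watches for a
-- sudden jump in os.clock() relative to the server clock, as the PSA suggests.
-- Assumed (not in the original): a RemoteEvent named "ClockReport" in
-- ReplicatedStorage and the server Script further down in ServerScriptService.
local RunService = game:GetService("RunService")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local report = ReplicatedStorage:WaitForChild("ClockReport") -- assumed name
local TOLERANCE = 0.5    -- seconds of drift tolerated between two samples
local SAMPLE_EVERY = 1.0 -- seconds between samples

-- os.clock() (roughly, seconds since the client started) and the server clock
-- both advance at one second per second, so their difference should stay
-- constant. A hook like `return original() + 1` shifts it by a full second.
-- Caveat from the PSA: if the hook is installed before this line runs, the
-- shift is baked into the baseline and nothing is detected.
local baseline = os.clock() - workspace:GetServerTimeNow()
local lastSample = os.clock()

RunService.Heartbeat:Connect(function()
    local now = os.clock()
    if now - lastSample < SAMPLE_EVERY then
        return
    end
    lastSample = now
    local drift = math.abs((now - workspace:GetServerTimeNow()) - baseline)
    if drift > TOLERANCE then
        report:FireServer(drift) -- only report; the server decides the response
    end
end)

-- Script (server, assumed location: ServerScriptService). The payload is
-- client-supplied and therefore untrusted: a forged or suppressed report is
-- exactly what the replies above warn about, so log and review rather than
-- auto-ban on a single event.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local report = ReplicatedStorage:WaitForChild("ClockReport")

report.OnServerEvent:Connect(function(player, drift)
    if typeof(drift) ~= "number" then
        return
    end
    warn(("%s: os.clock drift of %.2fs reported"):format(player.Name, drift))
    -- e.g. record player.UserId for review, or player:Kick() on repeated reports
end)
```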
A lot of people who exploit do not know how to script at all and after you ban them they usually just come back on an alt. This indeed works very well when detecting alt accounts from accounts that have been previously flagged for exploiting. Just because some people can bypass it does not mean it is totally useless.
The possibility of people turning on their computer at the exact same time frame, restarting it at the same time, matching all the properties + an innocent player matching with a flagged player is very slim.
bypassable ~= virtually useless (lmao, I use ~= instead of ≠)
yeah but seriously, how can this "eXpOse a SeVeRE vuLNeRaBiLiTy"? exploiters track players across accounts? oh no, how will they know my alts!! it's essentially all my personal info and address but even worse!
ok but even if this vulnerability does exist, it's a non-issue and quite the contrary of severe. it's ignorable. i'm tired of people thinking that bypassable is useless. most exploiters don't even know this vulnerability exists. it doesn't open any vulnerabilities (if it does, it's minimal and doesn't matter no matter what you say) and it takes 5 seconds to put into your game and helps MASSIVELY. no downsides.
i'm TIRED of people saying "useless" and "developers should work on securing their game". what if they already have a secure game, and it's bypassable no matter what because, no matter what you do, exploiters can get past it? this is just a big extra layer of security that helps. JUST BECAUSE you have good security doesn't mean you can't add stuff like this.
Securing your server-client model doesn't do much to stop exploiters nowadays. Most exploiters are kids who don't know a lot about programming & cybersecurity. Banning their main & alt accounts is an upgrade for many developers looking to secure their games. Yeah yeah, the anti-alt system can cause false positives, but still, this stops a ton of inexperienced exploiters.
Execute on attach:
```lua
hookfunction(os.clock, function(original)
    return original() + 1
end)
```
Again, this is pretty much ignorable. There's not much reason to break ToS with a method like this when the bypass is as simple as that. It's a cool idea, but there's unfortunately not much use-case against exploiters.
If you really want to deal with exploiters, get an actual anticheat. Not that hard.
Could you just check HWID?
I don't know…
You can't get a hardware ID through Roblox's current API; probably the most low-level thing you can get is CPU time, which this post already demonstrates.
Also, you've kind of phrased your reply like someone has asked you that question lol. Why do you just have "I don't know…" at the end?
This can be bypassed.
```lua
local RandomInfo = {
    Timezones = {
        [1] = 'Eastern Daylight Time';
        [2] = 'Central Daylight Time';
        [3] = 'Mountain Daylight Time';
        [4] = 'Pacific Daylight Time';
    };
    DaylightSavings = {
        [1] = true;
        [2] = false;
    }
}
local oldnamecall; oldnamecall = hookmetamethod(game, "__namecall", function(self, ...)
    local args = {...}
    local method = getnamecallmethod()
    if self == game.GetService(game, "HttpService") and method == 'JSONEncode' then
        local Table = args[1]
        if Table then
            if rawget(Table, time) then
                rawset(Table.time, cpuStart, math.random())
            end
            if not rawget(Table, time) then
                for i, v in pairs(Table) do
                    if type(v) == "table" then
                        for I, V in pairs(v) do
                            if V == os.date("%Z") or V == os.date("*t").isdst then
                                return '{' .. math.random() .. '}'
                            end
                        end
                    end
                    if v == os.date("%Z") or v == os.date("*t").isdst then
                        return '{' .. math.random() .. '}'
                    end
                end
            end
        end
    end
    return oldnamecall(self, unpack(args))
end)
local OldDate; OldDate = hookfunction(os.date, newcclosure(function(k)
    if k == '%Z' then
        return RandomInfo.Timezones[math.random(1, #RandomInfo.Timezones)]
    end
    if k == '*t' then
        return rawset(OldDate(k), 'isdst', RandomInfo.DaylightSavings[math.random(1, #RandomInfo.DaylightSavings)])
    end
    return OldDate(k)
end))
```
An improved version of this came out way before this thread was even made. Was about a year earlier.
https://devforum.roblox.com/t/roblox-fingerprinting-it-s-possible-now/1369449/67
The thread has long been deleted. The game for it still exists though.
Couldn't a hacker just reboot their computer to reset the clock to bypass this detection?
This is… quite interesting. I have a few questions that I'm sure could be cleared up, but regarding all the legality and ethical morals here: I made a request to Roblox support with a detailed description of the method, asking whether Roblox officially allows tracking data. I'll get back here when I get a response, but I'm not planning on using this until I do.
Very cool though.
If they give you an answer, it would be appreciated if you share it with us. I'm also thinking of adding this (as my games are usually attempted to be exploited), but I'm concerned that this could be bannable.
Since Roblox support is not giving me a straight answer, I've decided to research the ToS.
Here's the ToS rundown. (Not legal advice, I'm not a lawyer; if this is illegal, then sucks for you.)
Roblox ToS states the following:
With respect to an Experience created by a Creator, Creator and Roblox both have the right to use data related to or obtained in connection with that Experience for their respective legitimate internal business purposes to support the Experience and for business analytics, such as: (i) for the improvement and development of the Experience; (ii) to comply with applicable laws (including law enforcement requests); (iii) to ensure the security of the Experience; and, (iv) to prevent fraud or mitigate risk. Creator agrees that, except as expressly set forth in these Creator Terms, Creator will not use or disclose any User data.
Citation: https://en.help.roblox.com/hc/en-us/articles/115004647846#creator-terms Part 10.A
Roblox TOS states that you can use data for "internal business purposes to support the Experience and for business analytics". If I'm interpreting it correctly, it only lists the reasons "(i) for the improvement and development of the Experience; (ii) to comply with applicable laws (including law enforcement requests); (iii) to ensure the security of the Experience; and, (iv) to prevent fraud or mitigate risk" after business analytics, meaning you can also use that information for those reasons. From this, it looks like this behavior would be allowed. Yet it states, "Creator agrees that, except as expressly set forth in these Creator Terms, Creator will not use or disclose any User data." So, as far as it can be understood, you can use this under "A (iii), to ensure the security of the Experience."
Not done yet, listen up: the main issue is below.
With respect to the personal information of Users ("User PII") (if and to the extent received by Creator), Creator will not (i) use User PII to provide services to any third party; (ii) use User PII to build, help build, track or supplement any segments, profiles, or similar records on any individual User, device, or browser across the Roblox platform or across any third party websites or platforms; (iii) use User PII to associate the behavior of any individual device, or browser with any segment, profile, or similar record, or supplement any such record based on data of Users; (iv) use User PII to associate any data of Users with any other personal information of the User; (v) sell, disclose, share, rent, lease, syndicate, modify, reverse engineer, decompile, lend, or otherwise alter any User PII; (vi) use User PII for any unauthorized purpose in violation of any applicable law, including applicable privacy laws, or for any unauthorized purpose.
Citation: https://en.help.roblox.com/hc/en-us/articles/115004647846#creator-terms Part 10.B
Roblox defines User PII as: "The personally identifiable information of Users." (You can find this by hovering over the green underlined term in the ToS.) Considering the fact that it is saved as a fingerprint which is identifiable to the computer (specifically an SHA1 hash), this can be considered personally identifiable. This is assuming that when it states "Users" in the User PII definition, this refers to their account (hence you can use that information to identify their account). Now that we know this is considered User PII, we can see if it violates any of the specific use cases. B.(ii) states: "[Creator will not] use User PII to build, help build, track or supplement any segments, profiles, or similar records on any individual User, device, or browser across the Roblox platform or across any third party websites or platforms;" From my personal interpretation, this use of data could be considered tracking accounts, as this whole thing is about tracking accounts and alt accounts.
So, because of use case (ii), I don't think this would be allowed.
Summary:
While you could use data to protect your experience, collecting personally identifiable information to track users is against the TOS.
Use this at your own risk.
(Wanted to be notified): @Haxonium
A hooked function or simply restarting your computer could bypass it, which will lead to major security issues.
Well, I mean, I guess that was mainly going to be the issue; guess there's no other way than just not using it then. Thank you, man!