BreakJoints() Vulnerability

As VizuSR and omnerisk have said, it’s because of a packet vulnerability used with workspace:BreakJoints().

I highly doubt that this particular exploit is a vulnerability in Roblox’s infrastructure, as if it was, there would be way more reports of people bypassing FilteringEnabled. All I can find are reports of DDoS attacks, which are bad but unrelated to this exploit. All I can say is to keep looking for vulnerabilities in your code.

I’m not exactly sure of how it works, but it’s a vulnerability in Raknet, which ROBLOX uses for sending packets. I believe if 3 people have said this, it should be pretty transparent that it isn’t a backdoor.
Unless there’s something other than require or getfenv, or some complicated way to hide them, it’s doubtful that there’s a backdoor, alongside the fact that this isn’t just a bunch of script kiddies joining, but rather a friend group of exploiters who are just trolls, doing it just to be annoying, for their own amusement.

I’ve only seen 2 people say it has to do with Raknet, neither of whom has cited any sources. The literal only way for this to happen is if there is a backdoor. Assuming you’ve checked all your scripts, I would go through literally all of your plugins and check that each one is 100% legit.

4, actually; 2 outside of Roblox, both of which are exploiters that know some about the exploit itself.
I’ve checked my plugins, too. They’re legit.

This is all very strange. I mean, nobody has ever brought up an issue like this before, it seems so weird that it’s somehow only come up now.

Though, I still don’t fully believe this is an exploit with Roblox’s netcode. Why isn’t this happening to other games? If the answer was larger games would persuade Roblox to fix the bug, it wouldn’t make sense since smaller games can still find a way to get to Roblox. Maybe someone more experienced can report this on Roblox’s HackerOne.

Anyway, you could (@scaryhoursthree/@KlaarV) make a bug report in #bug-reports:engine-bugs, or try what this guy did if you don’t have the permissions.

Edit: Try PMing @Bug-Support instead!

How do you know it’s related to :BreakJoints? If you asked an exploiter, they could have just thrown you a red-herring.

You could possibly gather more information on the exploit by publishing an update and having the server check the network ownership of things in the workspace, notifying developers in the server of something fishy, maybe even a possible patch by banning players that have ownership of things other than their characters (though you should properly test this out - maybe get an exploiter to see if it works).

Of course, it’s still very hard to give advice on something you know very little about - I still recommend you use a backdoor removal plugin just to be safe. Check through any modules you’re using, maybe one of them nullifies FE in some way.

Probably a better idea.

3 Likes
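The network-ownership check suggested in the post above, as an added example that is not part of the original thread. It is a server Script written for this page; the interval and threshold are assumed values. Because Roblox automatically gives players ownership of unanchored parts near them, the result is logged as a signal rather than used as an automatic ban.

```lua
-- Added example (not from the thread). Place in ServerScriptService.
-- SCAN_INTERVAL and REPORT_THRESHOLD are assumed values; tune them per game.
local SCAN_INTERVAL = 5      -- seconds between audits
local REPORT_THRESHOLD = 25  -- owned parts outside the character before reporting

-- Returns the owning Player, or nil when the server owns the part.
-- GetNetworkOwner errors on parts that cannot have an owner, so wrap it.
local function ownerOf(part)
	local ok, owner = pcall(function()
		return part:GetNetworkOwner()
	end)
	if ok then
		return owner
	end
	return nil
end

-- Counts, per player, the unanchored parts they own outside their own character.
local function auditOwnership()
	local counts = {}
	for _, inst in ipairs(workspace:GetDescendants()) do
		if inst:IsA("BasePart") and not inst.Anchored then
			local owner = ownerOf(inst)
			if owner then
				local character = owner.Character
				local inCharacter = character ~= nil and inst:IsDescendantOf(character)
				if not inCharacter then
					counts[owner] = (counts[owner] or 0) + 1
				end
			end
		end
	end
	return counts
end

while true do
	for player, count in pairs(auditOwnership()) do
		if count >= REPORT_THRESHOLD then
			-- Nearby loose parts are owned legitimately, so record and review
			-- instead of banning on this signal alone.
			warn(string.format("[ownership-audit] %s (%d) owns %d parts outside their character",
				player.Name, player.UserId, count))
		end
	end
	task.wait(SCAN_INTERVAL)
end
```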

I’m with you on this one. If something like this actually existed, it would be way more prominent. Plus, and this is not meant to offend anyone, but people often misunderstand the nature of code and how backdoors work. People say they’ve seen things, but they often don’t actually understand how it happened.

Unless you’ve written all of your code or have read every script in your game and fully understand them, then I would first suspect a backdoor. As others have said, plugins can be malicious, however plugins can’t (as far as I’m aware) insert anything right as you publish an update. The script has to “physically” exist within the explorer in order to function.

Now if this is 100% not a backdoor and is indeed something else, I have not been able to find a single valid source on this. The only one I could find was a video, and it was a backdoor. So if anyone has any actual evidence of this, please source it and report it through the proper channels.

I’ve gathered my info from a certain prominent exploiting forum (you can probably guess what I’m talking about), where multiple people were discussing this new exploiting method involving packets. Not sure if you’d count that as a “credible source” but whatever. I’m not sure if BreakJoints() is the culprit here but I have heard about people being able to delete the workspace as a result of this exploit, so make of that what you will.

I appreciate you linking my reply, but I wouldn’t recommend using my method given I’m not positive it’s not against the rules. You should PM @Bug-Support instead.

1 Like

I’m fairly certain the source code for :BreakJoints() has to exist in some repository of some kind. That would offer fairly conclusive proof as to whether this is an issue or not.

ok but do you think roblox actually codes securely

Well, there is actually nothing we can do against the exploiters except punishing them, but it’s like really late when we find them out and punish them because they have probably done their purposes

This is not the recent exploit that deleted stuff from the workspace.
You should look for vulnerable Remote*; they are the main cause of vulnerabilities in games. To maybe make your search easier, check for code that destroys instances.


For curious people:
The recent instance destroy vulnerability used Humanoid’s internal event named ServerEquipTool, which parented anything to your character without any checks whatsoever and as any developer would know, stuff that you destroy on your character, replicates.

1 Like
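What a vulnerable Remote* handler that destroys instances looks like next to a checked one, as an added example that is not part of the original thread. The RemoteEvent `DeleteBlock`, the folder `PlacedBlocks` and the attribute `OwnerUserId` are hypothetical names chosen for illustration.

```lua
-- Added example (not from the thread). Server Script.
-- DeleteBlock, PlacedBlocks and OwnerUserId are hypothetical names.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local deleteBlock = ReplicatedStorage:WaitForChild("DeleteBlock")  -- RemoteEvent
local placedBlocks = workspace:WaitForChild("PlacedBlocks")        -- Folder

-- BEFORE: the pattern to search for. The client chooses `target`, so any
-- instance the client can reference is destroyed on the server and the
-- removal replicates to everyone. Shown for comparison; never connected.
local function onDeleteUnsafe(player, target)
	target:Destroy()
end

-- AFTER: every property of the request is checked on the server.
local MIN_INTERVAL = 0.2  -- assumed minimum seconds between requests per player
local lastCall = {}

local function onDeleteChecked(player, target)
	local now = os.clock()
	if lastCall[player] and now - lastCall[player] < MIN_INTERVAL then
		return -- rate limit
	end
	lastCall[player] = now

	if typeof(target) ~= "Instance" then return end        -- wrong type or nil
	if not target:IsA("BasePart") then return end           -- only blocks
	if target.Parent ~= placedBlocks then return end        -- only the allowed container
	if target:GetAttribute("OwnerUserId") ~= player.UserId then
		return -- the server set this attribute when the block was placed
	end

	target:Destroy()
end

deleteBlock.OnServerEvent:Connect(onDeleteChecked)

Players.PlayerRemoving:Connect(function(player)
	lastCall[player] = nil -- avoid keeping references to players who left
end)
```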

This isn’t happening to larger games because it is a private exploit.
Few people have access to it. The group of people with access to the exploit have no interest in using it on larger games, I suppose (although apparently Rogue Lineage has it patched (I’m not entirely sure), but the people related with it seem to have played Rogue prior.)

I’m sure it’s related to BreakJoints() because the exploiter who told me was not the only exploiter who told me; a friend of mine has heard of the exploit before too.

The only module I’m using is rather short, and is safe. I read through it.

@MightyDantheman I’ve read through every one of the scripts in my game. They’re all made by me or one of my friends. I check things once they’re added. (well, there’s one other script, but it’s short and I have read through it, as I have previously mentioned)
There are no 100% valid sources, but considering it’s a private exploit, and uses a similar method to server crashing, it’s very very possible, and that’s what it seems to be.

@PerilousPanther wdym? i’m not great with terminology

They’re screwing with you. I have tried every method to attempt to bypass Filtering Enabled using BreakJoints and have not found a method, but I’m also not the best scripter.

You’re talking about how your friends are exploiters (which is just you telling on yourself that you have friends that are exploiters, but not reporting them), and yet your scripts are made by you or your “friends”, who could have placed a backdoor and be covering it up with something that breaks joints.

AS I SAID BEFORE. It could also be a Plugin you have installed that puts the script in the game when you upload the game and deletes it after upload, which is a backdoor. Check up on your plugins and make sure they’re made by legit creators. Even searching for GetFenv or Require is not a good way to find backdoors. People obfuscate backdoor code nowadays using Hex to confuse New users.

1 Like

I can assure you it is NOT a backdoor.
I’ve been looking for sanity checks and I’ve found one mistake in it, but I can’t seem to solve another thing.
Raknet is mentioned a lot in a (well known exploiting forum, don’t think it should be mentioned by name here) and is supposedly going to have a library to be used in Synapse 3. I’m not sure how reliable this is, but considering how well it is known it is likely.

That private exploit is patched, it’s game specific.

:BreakJoints() is a built-in API function, it’s probably implemented directly in the engine. I doubt Roblox open-sources parts of their C++ code, I don’t know where you’re getting this “repository” idea, since probably only employees would have access to the code.

If they didn’t then exploits like this would be far more common, if Roblox didn’t give a quack about security and put the client in charge of everything, someone could literally just turn off all their servers. It’s not feasible to run a platform at this scale without programming secure code.

A lot of back end Roblox code is on GitHub. A lot is posted by Roblox itself, most is through various leaks in the past and a fair amount is just reconstructed by community members.

It is? Do you know what might make some games vulnerable over others?