BreakJoints() Vulnerability

I appreciate you linking my reply, but I wouldn’t recommend using my method given I’m not positive it’s not against the rules. You should PM @Bug-Support instead.

1 Like

I’m fairly certain the source code for :BreakJoints() has to exist in some repository of some kind. That would offer fairly conclusive proof as to whether this is an issue or not.

ok but do you think Roblox actually codes securely?

Well, there is actually nothing we can do against the exploiters except punishing them, but it’s like really late when we find them out and punish them because they have probably done their purposes

This is not the recent exploit that deleted stuff from the workspace.
You should look for vulnerable Remote*; they are the main cause of vulnerabilities in games. To maybe make your search easier, check for code that destroys instances.


For curious people:
The recent instance destroy vulnerability used Humanoid’s internal event named ServerEquipTool, which parented anything to your character without any checks whatsoever, and as any developer would know, stuff that you destroy on your character replicates.

1 Like
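
As an added example (not part of the post above and not Roblox's or any game's own code), this Luau server script shows the pattern that advice points at: a Remote handler that destroys whatever the client sends, beside a version with server-side checks. The remote name `DeleteBuildPart`, the `Builds` folder and the `OwnerUserId` attribute are assumptions made for illustration.

```lua
-- Added example. "DeleteBuildPart", "Builds" and "OwnerUserId" are assumed names.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Workspace = game:GetService("Workspace")

local deleteRemote = ReplicatedStorage:WaitForChild("DeleteBuildPart") -- a RemoteEvent
local buildsFolder = Workspace:WaitForChild("Builds")

-- Pattern to search for when auditing: the server trusts the client's argument.
-- deleteRemote.OnServerEvent:Connect(function(player, target)
--     target:Destroy()
-- end)

local MAX_DISTANCE = 32 -- studs between the player and the part
local COOLDOWN = 0.25   -- seconds between accepted requests per player
local lastCall = {}     -- [Player] = os.clock() of the last request

-- Returns true only if this player is allowed to delete this instance.
local function canDelete(player, target)
	-- Remote arguments can be any type, including nil.
	if typeof(target) ~= "Instance" or not target:IsA("BasePart") then
		return false
	end
	-- Only parts inside the folder this feature manages may be removed.
	if not target:IsDescendantOf(buildsFolder) then
		return false
	end
	-- Ownership is recorded by the server when the part is placed.
	if target:GetAttribute("OwnerUserId") ~= player.UserId then
		return false
	end
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then
		return false
	end
	return (root.Position - target.Position).Magnitude <= MAX_DISTANCE
end

deleteRemote.OnServerEvent:Connect(function(player, target)
	local now = os.clock()
	if lastCall[player] and now - lastCall[player] < COOLDOWN then
		return -- rate limit repeated requests
	end
	lastCall[player] = now
	if canDelete(player, target) then
		target:Destroy()
	end
end)

Players.PlayerRemoving:Connect(function(player)
	lastCall[player] = nil
end)
```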

This isn’t happening to larger games because it is a private exploit.
Few people have access to it. The group of people with access to the exploit have no interest in using it on larger games, I suppose (although apparently Rogue Lineage has it patched (I’m not entirely sure), but the people related with it seem to have played Rogue prior.)

I’m sure it’s related to BreakJoints() because the exploiter who told me was not the only exploiter who told me; a friend of mine has heard of the exploit before too.

The only module I’m using is rather short, and is safe. I read through it.

@MightyDantheman I’ve read through every one of the scripts in my game. They’re all made by me or one of my friends. I check things once they’re added. (well, there’s one other script, but it’s short and I have read through it, as I have previously mentioned)
There are no 100% valid sources, but considering it’s a private exploit, and uses a similar method to server crashing, it’s very very possible, and that’s what it seems to be.

@PerilousPanther wdym? i’m not great with terminology

They’re screwing with you. I have tried every method to attempt to bypass Filtering Enabled using BreakJoints and have not found a method, but I’m also not the best scripter.

You’re talking about how your friends are exploiters (which is just you telling on yourself that you have friends that are exploiters, but not reporting them) and yet your scripts are made by you or your “friends”, who could have placed a backdoor and are covering it up with something that breaks joints.

AS I SAID BEFORE. It could also be a plugin you have installed that puts the script in the game when you upload the game and deletes it after upload, which is a backdoor. Check up on your plugins and make sure they’re made by legit creators. Even searching for GetFenv or Require is not a good way to find backdoors. People obfuscate backdoor code nowadays using hex to confuse new users.

1 Like

I can assure you it is NOT a backdoor.
I’ve been looking for sanity checks and I’ve found one mistake in it, but I can’t seem to solve another thing.
RakNet is mentioned a lot in a (well-known exploiting forum, don’t think it should be mentioned by name here) and is supposedly going to have a library to be used in Synapse 3. I’m not sure how reliable this is, but considering how well it is known, it is likely.

That private exploit is patched, it’s game specific.

:BreakJoints() is a built-in API function, it’s probably implemented directly in the engine. I doubt Roblox open-sources parts of their C++ code, I don’t know where you’re getting this “repository” idea, since probably only employees would have access to the code.

If they didn’t then exploits like this would be far more common, if Roblox didn’t give a quack about security and put the client in charge of everything, someone could literally just turn off all their servers. It’s not feasible to run a platform at this scale without programming secure code.

A lot of back end Roblox code is on GitHub. A lot is posted by Roblox itself, most is through various leaks in the past and a fair amount is just reconstructed by community members.

It is? Do you know what might make some games vulnerable over others?

Alright, I’ve looked into it a bit more and it does appear to be quite worrying. I hope Roblox can deal with this as quickly as they can.

(Although I don’t know if BreakJoints() has anything to do with that specifically.)

what’s worrying is touching a lava part and getting your joints broken :cold_sweat:

Has this been solved yet? @cpguy5089, no, as the OP mentioned, there are no backdoors in his game.
It’s a hidden event called “ServerEquipTool”.
What does it do?
After calling the event via an exploit, it’ll parent a part, and after the part has been parented to your character, you can gain network ownership. It’s kind of like how ‘Humanoid removing/replication’ was back then/there in 2017.
(After equipping tools, 'n such).
Anyways, hope this solves your issue. Sorry for necroposting!
Here’s the ‘ServerEquipTool’, it’s a part of Humanoid.


It’s normally for a tool instance, but they reverted that now for only tool instance (it could be used for part, anything) but they fixed that now.

2 Likes