Can an exploiter read/edit anything in my server storage if they have a backdoor?

Hello, could anybody tell me if an exploiter can see stuff in the server storage if they have a backdoor?

I’m very paranoid about backdoors, and I’m deciding whether or not I should put sensitive data in the server storage, as I do not want them to see the data and make an auto farm out of it.


With backdoors, they can read the scripts with some sorts of advanced exploits, but they can’t change scripts. Backdoors can change any part/model/any object.

So they can see any object in the server storage?

If you have a backdoor on the server, yes. They can see and change.


They can see items yes, they can also delete and disable. But they can’t change source code of scripts that are in there.

A backdoor on Roblox typically lets them run code from the client or mess with things on the server side.
This does not mean however that they can change source code of scripts, as this property is too high of a security level and can only be changed from the command bar, plugins, and the Roblox Studio script editor.

Almost all the backdoors are plugins, so many backdoors can change the Source.

Can exploiters fire remote events and functions?

Yes, exploiters may fire remote events, and backdoors may fire remote events.

Is it possible to check the name/location of a LocalScript that fired a remote event/function, or any requests from the client to change the state of the server?

Because if so maybe you could put a script in replicated storage that kicks the client if any LocalScripts that are not recognized by the game request a server change. Plus the server can see the client’s replicated storage and can detect if someone is trying to bypass the security by deleting the script, or check if there are any scripts that aren’t supposed to be there.

I don’t think so. I think there was a Service but I don’t remember its name.

When you say “there was a Service” do you mean the service is now gone?

When did the service get repurposed?

The first parameter returned by RemoteEvent.OnServerEvent is always the player object of the client which triggered the event. The following parameters are then any arguments the LocalScript has attached.

OP is saying he wants to know if you can get the script that fired the event/function.

According to this post, the answer is no:

Hope that answers the right question this time.


This is false. A backdoor is a server script which uses loadstring or a custom Lua VM to run code the exploiter tells it to. The code still runs as a regular server script, and those cannot access the Source property.


How do Roblox Lua executors even work anyway? Where do scripts get stored? Do they even get put on the player’s client or do they run off the Lua executor?


You can send that information when firing the remote event, but hackers / exploiters can change what gets sent to the server from their own client. And quite literally lie.

Do you mean how exploits work?


Yep, like where the script is stored. Not like it’s gonna be useful information (for now) as if a remote event / function is fired, the game gives no information about which script fires it.
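Added example, not part of the original thread: since the server only learns which player fired a remote (the first `OnServerEvent` parameter) and every other argument can be forged by the client, one way to handle this is to validate each request on the server against data the client never supplies. The instance names `PurchaseItem`, `ItemPrices` and `leaderstats.Coins` are hypothetical and assumed to exist in the place.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; the instance
-- names PurchaseItem, ItemPrices and leaderstats.Coins are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

local purchaseEvent = ReplicatedStorage:WaitForChild("PurchaseItem") -- RemoteEvent
local priceFolder = ServerStorage:WaitForChild("ItemPrices") -- Folder of IntValues

local MIN_INTERVAL = 0.5 -- seconds between accepted requests per player
local lastRequest = {} -- [Player] = os.clock() of the last accepted request

-- Returns the price IntValue, or nil plus a rejection reason.
local function validateRequest(player, itemName, now)
	-- Everything after `player` comes from the client and may be any type.
	if typeof(itemName) ~= "string" or #itemName > 50 then
		return nil, "bad argument"
	end
	local last = lastRequest[player]
	if last and now - last < MIN_INTERVAL then
		return nil, "rate limited"
	end
	-- The price is read from ServerStorage, never from the request.
	local price = priceFolder:FindFirstChild(itemName)
	if not price or not price:IsA("IntValue") then
		return nil, "unknown item"
	end
	return price
end

purchaseEvent.OnServerEvent:Connect(function(player, itemName)
	local now = os.clock()
	local price, reason = validateRequest(player, itemName, now)
	if not price then
		warn(("Rejected PurchaseItem from %s: %s"):format(player.Name, reason))
		return
	end
	lastRequest[player] = now
	-- The balance is looked up on the server as well.
	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins")
	if coins and coins:IsA("IntValue") and coins.Value >= price.Value then
		coins.Value -= price.Value
		-- Hand out the item here (game-specific).
	end
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- drop per-player state when they leave
end)
```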