Can another player see another player's GUI through exploiting?

image
Orange is player 1, blue is player 2, white is the server connecting to the client, and the green is the server

So, can orange see blue’s GUI by just going around the server (As seen in example)?

Most likely thing to happen

(They can’t view each other directly)
image

Or

What could happen

(They can view each other.)
image

So, could the exploiter do… (For example)

```lua
local Target = game.Players["TARGET NAME"]
local TargetGUI = Target.PlayerGui["GUI NAME"]
local YourName = game.Players["YOU'RE NAME"]

local GUI = TargetGUI:Clone()

GUI.Parent = YourName.PlayerGui
```

I suggest you take the time to understand Roblox’s server & client data model, since it will probably answer most of your questions.

All clients are connected to the server. But the clients are not connected to each other directly. Now due to how GUI is replicated, each player can only see their Gui container, but the server can see every player’s Gui container.

This means for a client to see another player’s Gui, the server would need to give them that information through RemoteEvents, which means it’s something that really could only be done if the developer intended it to be added.

5 Likes

That answers my question perfectly! Thank you.

The best way to figure that out is to try it and see.
Make a LocalScript that prints out the contents of every player’s GUI (after waiting for there to be players, of course; it could trigger after you step on a part).
It might be easier yet to run a local server in the Studio, add several players, and look at the other players’ PlayerGui with the Explorer from one of the players (not the server view).

Without doing any of that, I think other players can see into others’ PlayerGui, except they only see the parts that are managed by the server, that is, put there by server scripts, which are authoritative and replicate to everyone.
If the client changes, moves or creates something in the Gui, then these changes are never actually replicated to the server! In fact, before FilteringEnabled rolled out, I’m fairly sure people would blot out other people’s screens in Insert Wars and Script Builder games by giving them black Guis. (Don’t take my word on this entirely)


> but the server can see every player’s Gui container.

It cannot see anything created by the client that the client is not allowed to replicate.
However, anything that is replicated to the server is, in turn, replicated to all other players.
FilteringEnabled blocks replication of most things, with a few known and intentional exceptions, such as parts owned by the player. When these are modified, the changes are immediately replicated to the server, and the server in turn replicates to all other players.
(Using a RemoteEvent to tell the server something happened or changed is not replication in this sense.)

1 Like
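
The check suggested in the post above, written out as an added example (it is not code from any poster in this thread): a LocalScript that reports what this client can actually see under each player's PlayerGui. The script location, the function names and the 3-second settle delay are assumptions; run it in a Studio local server with several players and compare the output between clients.

```lua
-- LocalScript, e.g. placed in StarterPlayerScripts (assumed location).
-- Added example: reports what THIS client can see of every player's PlayerGui.
local Players = game:GetService("Players")
local localPlayer = Players.LocalPlayer

-- Assumed delay so GUIs have time to be copied in; adjust for your place.
local SETTLE_SECONDS = 3

-- Returns the full names of every object this client can see under the
-- player's PlayerGui, or nil when the container itself is not visible here.
local function visibleGuiObjects(player)
	local playerGui = player:FindFirstChildOfClass("PlayerGui")
	if not playerGui then
		return nil
	end
	local names = {}
	for _, descendant in ipairs(playerGui:GetDescendants()) do
		table.insert(names, descendant:GetFullName())
	end
	return names
end

local function report(player)
	local who = (player == localPlayer) and "own" or "other"
	local names = visibleGuiObjects(player)
	if names == nil then
		print(string.format("[%s] %s: PlayerGui not visible from this client", who, player.Name))
		return
	end
	print(string.format("[%s] %s: %d GUI objects visible", who, player.Name, #names))
	for _, name in ipairs(names) do
		print("    " .. name)
	end
end

local function reportAll()
	for _, player in ipairs(Players:GetPlayers()) do
		report(player)
	end
end

task.wait(SETTLE_SECONDS)
reportAll()

-- Re-check whenever another player joins the local test server.
Players.PlayerAdded:Connect(function()
	task.wait(SETTLE_SECONDS)
	reportAll()
end)
```

Anything listed under the "other" entries is data the server has replicated to this client, so it is the set of GUI content a developer should treat as visible to every player.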