Hello, recently I experienced in my game that exploiters can not only fly or change their values on the client side, but also have abilities such as changing values on the server side. That is, the exploiter had 100 coins and changed the value to 10,000 coins, but this was displayed on the server side and the coins were saved. I also checked my game for backdoors and viruses but didn’t find anything; I always have loadstring disabled. How can this happen and how can it be avoided?
No. Exploiters can only directly change things on the client.
However, if something can be sent from the client to the server (ex: RemoteFunction or RemoteEvent), you should do checks on the server to make sure the ask is legitimate. The rule of thumb is to not trust anything sent from the client, verify it on the server.
What likely happened is there’s a RemoteEvent/Function that they spoofed from the client, and there was no server check to ensure it was legit. For instance, a RemoteEvent to buy currency.
Do sanity checks and validation.
Make sure the request is legitimate when they make it; use some type of validation.
If you have any ‘coin pickups’ or some type of physical money pickup, there are scripts that make it easy to obtain them or get to those places or locations.
(P.S, flying is client side. It involves changing their own character to move how they want.)
I have a gut feeling this is a backdoor, even though you checked.
Do you have any plugins installed? If so, make sure that it’s the real one, not some malicious copy.
You can also try using the Find And Replace Studio feature by searching for “getfenv” or “require” or other things that could possibly be a backdoor, if you haven’t already.
Enabling loadstring() for scripts inside the ServerScriptService container isn’t a prerequisite for a vulnerable game; that property can be enabled safely (if used correctly).
Well, when it comes to stuff like getting infinite stats or something, you have to ask yourself: in my game, where do I award the player coins, and where is client interaction involved?
This sounds like you maybe don’t handle money changes server-side in the first place. For instance, when a player buys extra coins with Robux from your shop, you don’t actually run any checks server-side, and have a Script with a function along the lines of:

```lua
-- Insecure pattern: the server trusts whatever amount the client sends.
local RemoteEvent = game:GetService("ReplicatedStorage"):WaitForChild("RemoteEvent")

RemoteEvent.OnServerEvent:Connect(function(player, money)
	player.leaderstats.Cash.Value += money -- client-chosen number, no validation
end)
```

Keep in mind that exploiters can run :FireServer() on ANY RemoteEvent in your game. All of them need to have vital security checks on the server, not the client, as otherwise they can simply bypass them.
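To make the “validate on the server” advice from the replies above concrete, here is an added example (not code from the thread or from any poster) of a server-side handler in which the client only names what it wants and the server owns the prices, the balance and the decision. The RemoteEvent name “BuyItem”, the leaderstats value “Cash”, the catalogue contents and the giveItem helper are all assumptions for the example.

```lua
-- Added example: server-authoritative purchase handler (Roblox Luau, server Script).
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

-- Assumed names: a RemoteEvent "BuyItem" in ReplicatedStorage and a
-- leaderstats IntValue "Cash" that the game creates elsewhere.
local buyItemRemote = ReplicatedStorage:WaitForChild("BuyItem")

-- Server-owned catalogue: the client may only send an item id, never a price
-- or an amount of coins.
local CATALOGUE = {
	Sword = 150,
	Shield = 100,
}

-- Simple per-player rate limit so a spammed remote cannot race the balance check.
local lastRequest = {}
local MIN_INTERVAL = 0.5

local function getCash(player)
	local leaderstats = player:FindFirstChild("leaderstats")
	return leaderstats and leaderstats:FindFirstChild("Cash")
end

-- Assumed helper: grants the purchased item to the player.
local function giveItem(player, itemId)
	print(("[BuyItem] %s bought %s"):format(player.Name, itemId))
end

buyItemRemote.OnServerEvent:Connect(function(player, itemId)
	-- 1. Type check: an exploiter can send nil, tables or huge numbers here.
	if type(itemId) ~= "string" then
		warn(("[BuyItem] %s sent a non-string item id"):format(player.Name))
		return
	end

	-- 2. Only items the server knows about; the price comes from the server table.
	local price = CATALOGUE[itemId]
	if not price then
		warn(("[BuyItem] %s requested unknown item %q"):format(player.Name, itemId))
		return
	end

	-- 3. Rate limit.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then
		return
	end
	lastRequest[player] = now

	-- 4. Balance check against the server-side value, never a client-supplied number.
	local cash = getCash(player)
	if not cash or cash.Value < price then
		return
	end

	cash.Value -= price
	giveItem(player, itemId)
end)

-- Avoid leaking entries for players who left.
Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil
end)
```

Note the difference from the insecure snippet above: nothing the client sends is ever added to Cash; the only client input is a key into a server-side table. For purchases made with Robux, the server-side check belongs in a MarketplaceService.ProcessReceipt callback, so no client-to-server message is needed at all.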
Probably you’re right; it was a plugin virus or something. I checked all plugins for the ‘script injection’ permission and found 2 plugins: 1. the ‘Archimedes Two’ plugin (I trust it), 2. the ‘Weld’ plugin. Somehow its name seemed strange to me, and ‘script injection’ is allowed, but the rating is medium: 600 likes, 100 dislikes and 1200 favorites.
I do all the checks on the server side, but this does not save the game from the problem described in the post.