Can exploiters interfere and edit a LocalScript, etc

They can view your local scripts, but they cannot edit them. I don’t see how this would work? Many games would break?

Nope, since its local it wouldnt break the changes dont replicated but the exploiters can hook onto metatables and change different things

Say you have a hitbox for the player and you try to prevent exploiters from expanding it, an exploiter can hook onto the metatable locally that is trackign if the hitbox is changed and change the value to like a value that they wont get kicked @rc8s

1 Like

Then that is changing things on the client? How would this be a problem, FE should stop this. The only way I see is a server side executor (FE backdoor executor)

it’s not a problem if you don’t handle anything on the client

1 Like

Fe only stops exploiters trying to change things server sided, Roblox cant track everyone locally that would probably take too much resources and not sure how that would work

I am pretty sure the owner of this post is asking if them ‘changing’ the localscripts will affect anything on the server or do any damage to the game. I am not sure how it is a bad thing if they do is what I am asking.

There is a lot of uncertainty in the answers. So yes, exploiters can edit a LocalScript. How? They can change its constants, its globals, etc. Clients never get the source, only bytecode. The don’t really need the source. That is why exploiters have to go through the process of decompilation so they decompile the bytecode back into a rough equivalent of Luau source. Your issue is trusting the client here, the client should never determine the price of an item. That should be all the server.

2 Likes

I’ve seen how long this discussion has gone but I just fixed around my code and I tried to change up a few values and I made it Un-Exploitable from what I’ve tested. Everything is on the server

Yes never trust the client, ever

1 Like

This is what I do, but enjoy making an anti-exploit server-sided.

I knew that before but I wasn’t sure how extensive these exploiters could actually get.

1 Like

It really depends on the exploiter, I doubt harkinian with his severe damage scripts will join your game. If its some skid I would not worry.

1 Like

The issue is that while no, they cannot edit a local script per say, they can

  • get the contents of that script
  • duplicate that code in a new script that they can edit

I wouldn’t make a local script that has access to private information that isn’t the client’s.

Remember that this only happens in that server/game instance and unless you give them access to, cannot replicate to other clients.

Why store private information in ANY script in the first place? LocalScripts cannot do much but send data to the server with a remote for something that only the client can see.

Edit: Unless its a webhook or a cookie I guess.

The main thing I was asking was if an exploiter could change the quantity of the thing you sell in my game in the script but I changed that…

Let’s say you want to use a webhook to send information from the client to discord. The webhook link needs to be on the server to avoid exploiters getting to it.

Yeah lol, just realized that. I thought it depended on whatever kind of private information you were talking about.

1 Like

Exploiter Could Could Edit An Localscript. That’s Why You Should Secure The Script, Make It Safer. Read This Forum : How To Prevent Exploiters / Cheaters Properly

If only Roblox would send the script instance together with the player… No instance is the same. If you would do :FireServer(script). It would never match with any other script no matter how identical they may be, & you can check this on the server. Sadly an exploiter still has as much control over this from the client as you, so it would make no difference. But they wouldn’t if Roblox sent that information forcefully same way with player. Would make huge benefit to always confirm the script is your original script from the server side. OnServerEvent:Connect(function(plr,source)

API keys, webhooks, etc etc. When I said personal info I didn’t mean personally identifying information which is more for web security. In that case, no, you should not put your home address in a server script.

Edit: don’t know why I replied twice.
I was just looking at my replies, sorry