Can Hackers Fire Remote Events As Other Players?

So when you fire a remote event, the server receives the player and also other information. Can the player data be changed?

Example
(I messed up the code but it's fixed now)

--Event inside replicated Storage
game.ReplicatedStorage.Event.OnServerEvent:Connect(function(Player)
       print(Player)
end)

Say the hacker’s Player is Bob.
Can Bob fire the server and then the server prints Joe, or is this not possible?

2 Likes

You should never believe the information that the client sends, but if you have an event called on a server script, no, this is impossible (for now, and I hope it will remain so).

So, be sure to use a script or add security if you need to “trust” the client.

*Security needs to be added in the Script, not in a LocalScript.

And is this script a server script or a LocalScript? If it is an event called by the server, you are safe.

No.
The player property from .OnServerEvent will always be the player who sent it.

4 Likes

Well, this would not print anything; for one, FireServer does not trigger a ClientEvent. However, technicalities aside, the answer is no.

It is my best understanding that the default player argument is thoroughly encoded and protected - and even if theoretically possible, ROBLOX would be quick to squash any backdoor that allows this to take place, seeing as it fundamentally disrupts the entire purpose of FilteringEnabled’s existence in the first place.

It’d be outlandish to hold a firm belief that the possibility for a system exploit of this magnitude to exist is there, so I’d say don’t entirely count it out but don’t overly prepare for its presence either.

I also see @Med367367 making the statement of “never trust the client”, and I feel like that statement is drawn majorly out of proportion - while it is true that you shouldn’t have data/weapons/etc. rely on information from the client, to disregard all trust in the client would cause a major deconstruction of a game’s features.

To recap: the default player argument of OnServerEvent is not exploitable in this manner.

7 Likes

This would be a 0-day vulnerability, so it should not be an attack model to worry about.

I believe the server is responsible for monitoring incoming network traffic and setting the player parameter with remote functions/events.

This is not possible, no exploiters can change who fired. It’s a server-client communication after all. You can always trust the 1st argument of OnServerEvent as the player, any other arguments could be tampered with.

1 Like

Oops, I just quickly typed the code, but you got the idea :smiley: Also, the never trust the client, I just usually have to have variables stored by the server and that fixes most things.

1 Like

In fact, we can believe the client, but we have to be careful, because a small error or an addition of selection could allow, for example, an event that takes damage to kill people in a loop. But yes, you are right.

Exploiters are unable to use FireClient(), since this is a server-sided method.
However, they can use FireServer().

1 Like
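The point the thread converges on (the first argument of OnServerEvent is set by the engine, every other argument comes from the client) can be shown as a server-side handler. This is an added example, not code from any poster; the RemoteEvent name `DamageRequest` and the constants `SERVER_DAMAGE`, `MAX_RANGE` and `COOLDOWN` are hypothetical.

```lua
-- Added example: server Script (for instance in ServerScriptService).
-- Hypothetical names: RemoteEvent "DamageRequest", SERVER_DAMAGE, MAX_RANGE, COOLDOWN.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local damageRequest = ReplicatedStorage:WaitForChild("DamageRequest")

local SERVER_DAMAGE = 10 -- decided by the server, never read from the client
local MAX_RANGE = 15     -- studs; constructed value
local COOLDOWN = 0.5     -- seconds between accepted requests per player

local lastRequest = {}   -- [Player] = os.clock() of the last accepted request

local function getRoot(player)
	local character = player.Character
	return character and character:FindFirstChild("HumanoidRootPart")
end

-- `sender` is filled in by the engine; `target` is client-supplied and untrusted.
damageRequest.OnServerEvent:Connect(function(sender, target)
	-- 1. Type-check every client-supplied argument before touching it.
	if typeof(target) ~= "Instance" or not target:IsA("Player") then return end
	if target == sender then return end

	-- 2. Rate-limit per sender so the event cannot be fired in a tight loop.
	local now = os.clock()
	if lastRequest[sender] and now - lastRequest[sender] < COOLDOWN then return end
	lastRequest[sender] = now

	-- 3. Sanity-check the request against the server's view of both characters.
	local senderRoot, targetRoot = getRoot(sender), getRoot(target)
	if not senderRoot or not targetRoot then return end
	if (senderRoot.Position - targetRoot.Position).Magnitude > MAX_RANGE then return end

	-- 4. Apply the server-owned value to the validated target.
	local humanoid = target.Character:FindFirstChildOfClass("Humanoid")
	if humanoid and humanoid.Health > 0 then
		humanoid:TakeDamage(SERVER_DAMAGE)
	end
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- drop state for players who left
end)
```

The handler never accepts a player identity or a damage amount from the client: identity comes from `sender`, and the amount is a value stored by the server.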