Clients Able to Fake AccountAge and MembershipType on the Server

Currently, clients have the authority to state their AccountAge and MembershipType to the server, as this is done through JoinData.

All they have to do, really, is edit whatever is being sent thru and fake it that way.

This has been causing major issues in my game, as they’ve been faking their Premium subscription: getting Premium benefits without actually owning Premium (their profiles state they don’t have Premium, yet it shows it as though they do in-game); and by faking their AccountAge, getting past my AccountAge filter to instantly terrorize my game with new accounts made zero days ago.

This is a critical engine bug that must be addressed immediately, especially since many game developers are adding in Premium benefits that rely on the Player.MembershipType property and AccountAge filters that rely on the Player.AccountAge property (both of which this exploit/bug touch on).

It would be great if a Roblox engineer could reaffirm the existence of this exploit/bug and patch it as soon as possible.

You could do a quick workaround using a proxy server and some ROBLOX APIs like:

https://users.roblox.com/v1/users/421194271 -> This one to check join date

https://www.roblox.com/profile?userid=1 -> This one to check membership status

However, I agree, this bug is dangerous.

Seems weird to me that it’s a push from the client for that sort of information instead of a API to check the actual website agasint their user information

Indeed, it is weird; but this bug is really, really old, so one can’t really blame them for letting this go under their radar.

Right now, I recommend everyone take Inctus’s advice, whilst we wait for an official patch.

It is a must-do for anyone who is planning on adding Premium benefits or anyone who already has Premium benefits added to their own game, if you don’t wanna see skids going around causing chaos in your own game(s).

This is still a major issue. It’s been twelve days since I last talked about this, I still haven’t gotten a reply from an engineer on this thread, and this issue is still rampant.

This exploit still exists, and its exploitation is causing major issues in my game and many others. It would be great if more people knew about this and put in proper countermeasures in their games.

This is a serious issue that has still not been addressed; and I hope that by bumping this, that it may get the attention it so needs.

Does anyone know if this bug/hack/glitch/whatever is just an in-game thing, or does it glitch Roblox into thinking that the user is an actual premium user further than that?

What I mean by that is, I was reading through this and realised if it made Roblox think that a user was an actual premium user, and handed out premium payouts because of it, this could potentially be abused for free robux. There’s no way to test this theory out without someone using exploits as far as I know.

(I’m not 100% certain how roblox calculates whether to have premium payouts so I could be completely wrong here and worrying about something that isn’t happening)

@cpguy5089 It’s specifically for verification ingame. The server requests certain information from the client, and if that information states they are certain things, the game checking for those certain things will believe it’s true.

I don’t know if this applies to groups or admin command plugins checking for specific ranks in groups, but if it does, several groups might find themselves repeatedly terrorized over the next few weeks until this is fixed.

I’m actually pretty sure Roblox is aware of this, but they marked a HackerOne report as Informative rather than it being a serious bug.

Yup, all I’ve seen them spoof are both Player.AccountAge and Player.MembershipType.

It’s been a major issue for many games, as they’ve been abusing this bug in games that give out Premium benefits, and also bypassing AccountAge checks.

This exploit must be patched promptly. This is an unnecessary trust on the client.

https://developer.roblox.com/en-us/resources/release-note/Release-Notes-for-440

“Certain properties of the player that were spoofable are no longer spoofable.”

Great news, everyone! This is insanely inane vulnerability is getting patched. We can just hope that they get it done sooner. This vulnerability is absolutely detrimental to many games, including my own.

It allowed players to gain Premium benefits without actually contributing to games, and allowed them to wreak havoc, instantly, with no rate-limit (Account Age filters).

This vulnerability has caused many developers to lose out on potential income and, in some cases, even destroyed their games’ economies. All this vulnerability has caused for us, developers, was a hardship. It ruined us, developers’ lives, and now, I hope, the Roblox engineers can ruin this vulnerability’s life; terminate it, and patch it for good.

@ConvexHero God bless you for working on patching this incredibly dangerous vulnerability. All I have to say is thank you, and I hope that you patch this as soon as possible. I still can’t believe how this got under all y’all’s radar. You are saving our livelihoods by patching this economy-destroying, game-breaking vulnerability.

There is a multi-part rollout for this change. The membership/age part should be patched at the moment. DisplayName et al will be fixed soon hopefully. The code has been written, there is just the testing and release process.
–edit: this was also a team effort as multiple systems needed to be updated.

Hey ConvexHero,

Great to hear that this exploit has been acknowledged. If this specific thing hasn’t been reported already, I would like to mention that the player’s actual UserName is also spoofable as of right now.

Terminated users, users that don’t exist, and offline users were joining my game earlier. Their userid’s were the exploiter userids, however any attempt to make a query to the website doesn’t work properly;

• :GetUserIdFromNameAsync() attempted with the spoofed username will return the exploiters userid, regardless of the user exists or not.
• :GetNameFromUserIdAsync() attempted with the exploiters userid will return the spoofed username.

Note, these abnormalities only occur when the exploiter is in the server with a spoofed name. This makes detecting it and remedying it impossible from a developers standpoint.

Hopefully this is fixed soon and I appreciate your efforts!

I had the same problem with using those functions, I assume that it’s because they will first check if that username/userid is already in the server, then if it is then return the data already in the server, or something similar.
I made a temporary patch for it in a game I develop for, which seems to be working, using UserService’s GetUserInfosByUserIdsAsync, which appears to always do a web request instead of whatever GetNameByUserIdAsync does when a player is already in the server:

(Edited to cache so that it doesn’t have to do a web request every time a player rejoins)

local userService = game:GetService("UserService")
local cache = {}


game.Players.PlayerAdded:Connect(function(player)
	
	if cache[player.UserId] == nil then
		local success,err = pcall(function()
			local userInfo = userService:GetUserInfosByUserIdsAsync({player.UserId})
			
			for i,user in pairs(userInfo) do
				if user.Id == player.UserId then
					cache[player.UserId] = user
					if player.Name ~= user.Username then
						player:Kick("False name, real name: "..user.Username)
						warn("Kicked "..player.Name.." for having false name, real name: "..user.Username)
					end
					return
				end
			end
		end)
		
		if not success then
			print("Failed to check validity of player's name, reason: "..err)
		end
	else
		local realName = cache[player.UserId].Username
		if player.Name ~= realName then
			player:Kick("False name, real name: "..realName)
			warn("Kicked "..player.Name.." for having false name, real name: "..realName)
		end
	end
end)

Edit: (Note, this will kick users who have joined a server, changed their username and then rejoined the server, because of the way I cache it. It may be best to remove the cache part if you plan to use this long term for whatever reason.)

Very similar to how DisplayName method works.

Happening in my game too, they were able to spoof their username to mine and gain my powers, including admin commands. Caused pretty heavy damage until we found a patch. All games that use username instead of ID to give perks can be affected heavily.

No longer works. (257 Connection error)

Two fflags have been pushed out that appear to be relating to verifying the signature for the data.