In our Roblox game Emergency Hamburg, we noticed issues with Exploiters being able to bring their vehicle from any distance to them by teleporting into the driver’s seat, even though our RemoteEvent-based interaction system only allows players to sit in Seats if they are less than 10 studs away.
After some experimentation, we noticed that Clients can call Sit on every Seat, regardless if it’s Disabled or not and regardless of Distance. For enabled seats this makes sense, but for disabled seats, I believe this is a bug, as it’s a massive loophole for exploiters.
If this is actually intentional, there must be a setting that disallows clients from interacting with disabled seats on their own, as under some circumstances, it’s hard to protect your game against such a vulnerability in the Roblox replication system. While we did develop a workaround, for example, to prevent Exploiters from stealing other players’ vehicles using this vulnerability, a workaround to prevent exploiters from bringing their own vehicle could become more complicated, as they are allowed to sit there if initiated by the server.
You could implement a simple server-side anti-cheat that detects incorrect behaviour like the player moving from one place to another when it should have been impossible.
Or don’t rely on roblox seats and instead implement your own system for that.
--!strict
local Plrs = game:GetService("Players")
local Seats = {game.Workspace.Seat1, game.Workspace.Seat2}::{Seat}
for _, seat:Seat in Seats do
-- Fires whenever someone occupies a seat
seat:GetPropertyChangedSignal("Occupant"):Connect(function()
-- Ensures there is an occupant
if seat.Occupant then
-- Checks whether the seat should be being used
if seat.Disabled then
-- Kicks the occupant for using a disabled seat
local plr = Plrs:GetPlayerFromCharacter(seat.Occupant.Parent)
if plr then
plr:Kick("Kick Message Here.")
end
end
end
end)
end
If you’re already managing which seats are disabled at which time & which aren’t properly, this should work for your purposes. Just place it in a server script & find a more intuitive way of storing all your seat objects within the local Seats = {} table.
We do have that, the issue is not about teleporting players.
The issue is that the game grants network ownership to vehicles if the player gets seated in the driver’s seat (Like many games do). When the player is already in the driver’s seat, we are unable to verify if they got there legitimately (via RemoteEvent) or using an Exploit and Sit() on the client.
Of course, creating our own system would fix this, I am aware of this, but I think a bug report is a more efficient solution. I know multiple games where this is a vulnerability and I think a platform-wide fix would be helpful.
This has been an issue for a long time and i believe its a feature. You can counter this by kicking or killing the player ( i would recommend to kill instead of a direct kick to prevent false interaction on laggy devices.)
I can confirm that this is unfortunately just the way it is and has been for some time. We can look into fixing it but it will be difficult since many experiences may be unintentionally relying on the current behavior. Your best option for right now (as others have suggested) is just to validate seating on the server, or use a custom seat solution.
Well, I’ll try to create a workaround then - Thanks for the info that it’s known to Roblox!
However, I suggest documenting this in the Roblox Documentation for Seats and VehicleSeats so developers know they have to protect themselves against exploiters in these cases.