Consequences of ServerScriptSvc.LoadStringEnabled

When Player Points leaderboards were a thing, iirc a consequence of LoadStringEnabled was that the PointsService was unusable. I’m still confused as to why access to that service in particular was barred. Obviously, I know of the argument of arbitrary code execution, but what’s the danger if it’s only serverside, especially with FE?

1 Like

Inexperienced developers making shortcuts by making a RemoteEvent to submit code from the client to loadstring. This is awful in countless ways and will likely get your game taken down for review, but Roblox probably barred PointsService just so that hackers don’t set themselves to the top of the leaderboard by running code.

You mean like not doing sanity checks on the server?

There’s nothing Roblox can do to prevent a hacker giving themselves points because an inexperienced developer wrote bad networking code with bad remotes. There is something Roblox can do to prevent hackers from giving themselves points because a developer has LoadStringEnabled and has bad remotes.
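Added example, not part of any post in this thread: the remote-to-loadstring shortcut discussed above, shown as a commented-out anti-pattern, next to a server handler that only accepts named actions and sanity-checks their arguments. The remote name `RequestAction`, the `Coins` leaderstat, the `BuyItem` action and the price table are hypothetical.

```lua
-- Added example (not from the thread). Server Script in ServerScriptService.
-- Assumed names: a RemoteEvent "RequestAction" in ReplicatedStorage, a
-- leaderstats IntValue "Coins", and the ITEM_PRICES table are hypothetical.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local requestAction = ReplicatedStorage:WaitForChild("RequestAction")

-- Anti-pattern described above: the client chooses the code the server runs.
-- requestAction.OnServerEvent:Connect(function(player, source)
--     loadstring(source)()  -- requires LoadStringEnabled; never do this
-- end)

local ITEM_PRICES = { Sword = 100, Shield = 75 } -- constructed sample data

-- Each handler validates its own arguments and reads state from the server.
local handlers = {}

function handlers.BuyItem(player, itemName)
    if typeof(itemName) ~= "string" then return false end
    local price = ITEM_PRICES[itemName]
    if not price then return false end -- unknown item: reject

    local stats = player:FindFirstChild("leaderstats")
    local coins = stats and stats:FindFirstChild("Coins")
    if not coins or coins.Value < price then return false end

    coins.Value -= price -- the server computes the new balance
    return true
end

requestAction.OnServerEvent:Connect(function(player, actionName, ...)
    -- The client may only pick from a fixed set of named actions.
    if typeof(actionName) ~= "string" then return end
    local handler = rawget(handlers, actionName)
    if not handler then return end

    local ok, result = pcall(handler, player, ...)
    if not ok then
        warn(("Handler %s failed for %s: %s"):format(
            actionName, player.Name, tostring(result)))
    end
end)
```

The client never supplies code, prices or balances; it only names an action, and the server decides whether the request is valid.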

If you want to use loadstring without having limitations like what Kampfkarren said, I advise you use this.
NEVER LET THE CLIENT EVER TOUCH THIS MODULE OR HAVE ANY ACCESS TO IT ONE TINY BIT
KEEP THIS IN SERVERSCRIPTSERVICE AND SECURED
I cannot stress how many times my friends made dumb remote events and allowed the client to run code like this; besides from a script builder, this shouldn’t ever happen.

1 Like

Seems to me that the real risks from this kind of thing are people wiping data from DataStores, crashing servers, or displaying unfiltered messages to other clients etc. This is why it seems odd that Points are given this special treatment.

2 Likes