CPU Fingerprint Module

Overview
Originally discovered in 2021 by raphtalia, it uses the os.clock() function, which is intended to be used for benchmarking code in Lua, to generate a unique identifier for a CPU. Even while being heavily sandboxed from the standard Lua os library by Roblox Studio, it is able to be used for this method. os.clock() cannot be changed by changing your system time.

Potential
Using this vulnerability we can:

  • Allow players to only make a certain amount of alts
  • Fingerprint-ban a player's device
  • Log fingerprints and alts in Discord

Example Script
Add Remote to ReplicatedStorage, the FPModule to ServerScriptService, and the LocalScript to StarterPlayerScripts.

Config:

local config = {
	["KICK_IF_FINGERPRINTED"] 		= 	true,
	["LOG_IN_DISCORD"]		= 	false,
	["DISCORD_WEBHOOK"] 	= 	"",
	["BAN_MESSAGE"] 		=	"IMMA FIRIN MAH' LAZAR",
}

return config

Example Script:

-- `module` is the required FPModule; `player` is a Player instance
print(module.GetFingerPrint(player)) -- Returns Fingerprint
module.FingerPrintCheck(player) -- Checks if Fingerprinted and adds to it if it's a new account
print(module.GetAltAccounts(player)) -- Gets all Alt Accounts
module.AddPlayer(player) -- Adds player to fingerprint
module.RemovePlayer(player) -- Removes player from fingerprint
module.AddFingerprint(fingerprint) -- Adds a fingerprint to database with no player list
module.RemoveFingerPrint(fingerprint) -- Removes fingerprint

if #module.GetAltAccounts(player) > 5 then -- Example script to check amount of alts
	player:Kick("Too Many Alts")
end


Cons
Anything sent from the client can be modified by exploiters, but as of 2024, exploiters have been literally wiped from the face of Roblox and this method would work against exploiters using external hacks like AI aimbot. The only big con is that restarting the PC resets the CPU time used by Lua.

Legality / Potential for Abuse
Roblox’s Terms of Use only allows for a developer to use data to protect their game and not to collect personally identifiable information (i.e. fingerprints, biometric information, etc.). As for potential for abuse, all information gathered is considered public information.

Conclusion
Sorry for some sloppy code or writing. I am not looking for hate but rather feedback. I believe that using os.clock() is just as similar to using things like a player’s UserId. Even though bypassing this method is as simple as just restarting your pc, would restarting your entire PC in addition to getting another alt account with an old account age be convenient for the person banned? No, that’s the entire point. It’s a tentative method to inconvenience the person as people.

Module:
FingerprintModule.rbxm (3.5 KB)

47 Likes

This is a really nice application of raphtalia’s original source, thanks for the post!
GitHub - raphtalia/RbxFingerprint: Demonstration of a privacy vulnerability in Roblox – Source for anybody wondering

3 Likes

It wouldn’t be convenient but it also wouldn’t be difficult given the fact that the exploiter likely will still spend more time actively exploiting your experience over the amount of time spent restarting and if using a bunch of old account-age accounts isn’t enough to discourage the exploiter, they probably wouldn’t mind restarting their device too.

Also, I know this is insanely unlikely but if you somehow have a miracle and a user does have the same os.clock time as an exploiter; banning the user probably isn’t a good idea as if a user gets insanely unlucky, they could end up losing everything in the experience that they worked so hard for, and while that is so incredibly rare, the impact of that case could be heartbreaking to the player.

Just a reminder that exploit clients do still exist albeit in different forms than previously.

7 Likes

Would still be annoying in combination with them having to restart their executor.

Basically 0% chance but if there is a chance it could happen, changing the config could change it.

	["KICK_IF_FINGERPRINTED"] 		= 	false,
1 Like

I can’t get the example script to work

1 Like

(post deleted by author)

2 Likes

Without access to IP or device data, you can still implement an effective point-based system for detecting alt accounts by focusing on other observable patterns and behaviors within the Roblox environment. Here’s how you can approach it:

Point System Framework for Alt Detection

  1. Assign Points to Suspicious Activities: Assign points based on in-game behaviors, account metadata, and interaction patterns.
  2. Define Thresholds: Establish thresholds for different levels of suspicion. Accounts exceeding these thresholds can be flagged for further review.

Factors to Integrate:

  1. Account Creation and Age:
     • Clustered Creation Dates: 5 points for accounts created within a short time frame of each other.
     • Short Account Age: 5 points if the account is new but shows advanced progression or high activity levels.
  2. Behavioral Patterns:
     • Frequent Logins at Similar Times (Using os.time): 5 points for frequent logins within a short period of another account’s login.
     • Similar Play Styles: 5 points for similar gameplay actions, such as identical movements or task completions.
     • Unusual Activity Patterns: 5 points for erratic play patterns that differ from typical user behavior.
  3. Economic Transactions:
     • Frequent Trades: 10 points for accounts engaging in frequent trades with each other.
     • Large Transactions: 15 points for significant in-game currency transfers between accounts.
  4. Interaction Patterns:
     • Frequent Communication: 5 points for frequent messaging or interactions between accounts.
     • Coordinated Actions: 10 points for accounts performing coordinated actions in-game.
3 Likes

???

17 Likes

!•Newsflash•!: He is using os.clock! :skull:

Read the post a bit more before replying.


This is a pretty neat system! Thanks for sharing! :slightly_smiling_face:

1 Like

First of all, post is talking about os.clock()
Second of all, why does this look ai generated

3 Likes

Probably because it is AI generated, someone showed a screenshot of it :skull:

3 Likes

Why is it so easy to distinguish AI from humans, I’m genuinely surprised LOL

4 Likes

So AI has its own format on how it writes things AKA extremely professional using words that we don’t normally use.

The format starts with like a little starter and then it lists to like

1
2
3
4

And then right after that it would say something similar to “In conclusion”

That’s why it’s obvious to see if it’s AI generated or not.

1 Like

This resource is drawing a fine line between violating the TOS and being completely fine.

Generally, Roblox does NOT allow developers to track players across different accounts.


To make that TOS excerpt easier to understand,

  • Building profiles: Creators cannot use User PII to create any user profiles, segments, or similar records on individuals, devices, or browsers, neither on the Creator’s services nor on third-party platforms.
  • Associating behavior: Creators cannot associate the behavior of any individual device or browser with any user profile, segment, or similar record, nor can they supplement any such record with data from Users.

As for the claim that none of the info is PII (Personal Identifiable Information), that may be correct, but the second you start associating those unique identifiers with specific accounts, and then across accounts to specific users, then it does become PII.

Further explanation of PII in this use case

By associating a unique hardware fingerprint with a specific account, you’ve created a form of Personal Identifiable Information. This is because that information, the fingerprint, can be associated with the user, across any account, allowing you to infer that that user is the same physical person across multiple accounts.

That fingerprint can identify individual people across accounts. It is PII.

How to get around these restrictions:

If you still want to use your own system of detecting and banning alt accounts you can still do so, as long as you are sure to do the following:

  1. Do NOT associate the hardware fingerprint with individual accounts.
  2. ONLY store the hardware fingerprint as a hash. Don’t store individual components that could be used to re-engineer the hash, i.e. os.clock() value, the time it was taken, etc.

Now, when you want to ban an alt, you check its fingerprint; if it matches a previously banned fingerprint, then ban it. Again, it can’t be stressed enough, never in this process should you associate the hardware fingerprint with a user’s account.

Considerations:

I am not a legal expert. When it comes to interpreting the TOS and determining if a system you choose to use in your game may violate said terms, you should always consult a legal expert, or ask someone at Roblox.

On that same basis, Roblox may still choose to moderate you or your game if they can’t determine if you are adequately handling the data, i.e. if they can’t determine if you are actually separating the PII (hardware fingerprint) from the user or not, they may, and should, exercise moderation.

Lastly, to reduce false positives, you should incorporate other data into your fingerprint. You can use the screen size of the device, the device input type, account age, region, timezone, etc.

2 Likes
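
The hash-only ban list described in the post above, as an added example that is not part of the post or of the FingerprintModule. It is written in Python to show the data model only; the field names, sample values and server key are assumptions, and a keyed hash (HMAC) is used instead of a bare hash because fingerprint inputs are low-entropy and a plain digest could be reversed by enumerating candidates.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): a server-side secret that never reaches clients.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def fingerprint_digest(components: dict, key: bytes = SERVER_KEY) -> str:
    """Return a keyed SHA-256 digest of the fingerprint components.

    Components are serialized canonically (sorted keys, fixed separators) so
    the same device always produces the same digest regardless of field order.
    """
    canonical = json.dumps(components, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


class FingerprintBanList:
    """Stores only digests of banned fingerprints: no user IDs, no raw values."""

    def __init__(self, key: bytes = SERVER_KEY):
        self._key = key
        self._banned = set()

    def ban(self, components: dict) -> None:
        # The raw components are hashed and dropped; only the digest is kept.
        self._banned.add(fingerprint_digest(components, self._key))

    def is_banned(self, components: dict) -> bool:
        return fingerprint_digest(components, self._key) in self._banned

    def stored_records(self) -> list:
        # Everything the store holds, for inspection: a list of hex digests.
        return sorted(self._banned)


# Constructed sample fingerprints; "clock_fp" stands in for the os.clock()-derived value.
BANNED_DEVICE = {"clock_fp": 1718040000, "screen": "1920x1080", "input": "keyboard", "tz": "UTC-5"}
SAME_DEVICE_NEW_ALT = {"tz": "UTC-5", "input": "keyboard", "screen": "1920x1080", "clock_fp": 1718040000}
OTHER_DEVICE = {"clock_fp": 1718040000, "screen": "2560x1440", "input": "touch", "tz": "UTC+1"}
```

A join from a different account on the banned device matches the stored digest, while the store itself contains nothing that names an account or exposes the raw os.clock()-derived value.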

That has got to be the best comment I’ve seen in this thread.

2 Likes

I forgot this thread existed but this thread is useless now thanks to :BanAsync(player:Player) and you can get their alts by banning them then unbanning them and seeing what their alts are.

2 Likes

I have tested both and the BanAPI’s alt detection system is completely awful in comparison, especially for alt-hoppers. I did a comparison with a friend where we tested 5 fresh alts in a baseplate game. All 5 alts made it through Roblox’s BanAPI. Zero made it through this script.

The best solution is to just use both. BanAPI seems to require some serious usage on the alts before they’re picked up which will fail to catch alt-hoppers in majority of cases.

1 Like

It probably doesn’t use Hyperion’s alt detection methods but instead uses like a fingerprint saved in some file or whatever which is understandable since someone could find out a way to bypass Hyperion’s alt detection by banning and unbanning a person and finding out what triggers it.

It’s important to remember that everyone’s creative process is unique, and leveraging various tools, including AI, is a legitimate and innovative approach to problem-solving and development. By inserting themselves into the conversation and criticizing the use of AI-generated content, individuals are overstepping boundaries and failing to respect the diversity of methods that others may employ. This kind of behavior can stifle creativity and discourage people from exploring new and effective ways to achieve their goals. Instead, fostering a supportive and open-minded community where different approaches are respected and valued would be far more beneficial for everyone involved. I highly recommend you cease from these practices, as it really doesn’t hurt anyone else other than yourself.

I appreciate your perspective, but I assure you, my writing is my own. It’s understandable how clarity and structure might stand out, especially online. However, attributing it to AI seems to overlook the effort many put into expressing themselves clearly. If anything, taking it as AI’s work is inadvertently flattering! Nonetheless, I’m just someone who values good communication.

You can reference previous posts.

Dynamic A* Algorithm Visualization - Resources / Community Resources - Developer Forum | Roblox