Destroying objects in the player from the client replicates

Reproduction Steps


left: client, right: server

Start up a test server, disable Players.CharacterAutoLoads, delete any instance inside your player from the client

Expected Behavior
The client deleting instances under the player object should not replicate to the server

Actual Behavior
The client deleting instances under the player replicates to the server, opening the door for various exploits

Issue Area: Engine
Issue Type: Other
Impact: Very High
Frequency: Constantly
Date First Experienced: 2022-01-16 00:01:00 (-05:00)

20 Likes
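A server-side check for the behaviour reported above, as an added example that is not part of the original post or of any Roblox fix: it logs and restores protected children of a Player that disappear without the server having removed them. The names `PROTECTED`, `leaderstats`, `PlayerData` and `serverRemove` are assumptions, and the code assumes each protected instance is fully built before it is parented to the player.

```lua
-- ModuleScript, required once by a server Script. Added example, not from the thread.
local Players = game:GetService("Players")

-- Assumption: names of instances this game keeps under each Player.
local PROTECTED = { leaderstats = true, PlayerData = true }

local snapshots = {}       -- [Player] = { [name] = clone kept outside the DataModel }
local serverRemoving = {}  -- [Instance] = true while the server itself removes it

-- Server code removes protected instances only through this function,
-- so any other removal seen by ChildRemoved is unexpected.
local function serverRemove(instance)
	serverRemoving[instance] = true
	instance:Destroy()
end

local function snapshot(player, child)
	if PROTECTED[child.Name] then
		-- Clone() returns nil when Archivable is false; such instances are not restored.
		snapshots[player][child.Name] = child:Clone()
	end
end

local function watch(player)
	snapshots[player] = {}
	for _, child in ipairs(player:GetChildren()) do snapshot(player, child) end
	player.ChildAdded:Connect(function(child) snapshot(player, child) end)
	player.ChildRemoved:Connect(function(child)
		if serverRemoving[child] then serverRemoving[child] = nil return end
		local saved = snapshots[player] and snapshots[player][child.Name]
		if not saved or player.Parent ~= Players then return end -- untracked, or player leaving
		warn(("Unexpected removal of %s under %s (UserId %d)")
			:format(child.Name, player.Name, player.UserId))
		-- Restore after the removal has finished. Values return to the snapshot state.
		task.defer(function()
			if player.Parent == Players and not player:FindFirstChild(child.Name) then
				local restored = saved:Clone()
				restored.Parent = player
			end
		end)
	end)
end

Players.PlayerAdded:Connect(watch)
Players.PlayerRemoving:Connect(function(player) snapshots[player] = nil end)
for _, player in ipairs(Players:GetPlayers()) do watch(player) end

return { serverRemove = serverRemove }
```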

IIRC that only happens when plr.Character is nil, meaning this vulnerability can’t be abused between respawns; however, it can, e.g., if one is quick enough before their initial spawn.

As for “Date First Experienced” I can confirm it has existed at least since 2020.

Have you confirmed this is the case?

This is very bad because it can lead to a lot of exploits, which aren’t self-explanatory at all and are a pain to code with.
I can’t think of a single reason why this should even work.

Thanks for the report! Filed an internal ticket for it.

3 Likes

Hey everyone - this should be covered by a new feature, and it should no longer be a problem. Thanks again for the report. So sorry it took us so long to close the feedback loop here.

1 Like