Developers are not equipped to deal with exploiters

hashes can be decrypted.

I would recommend you see this video as it gives a good explanation:

I know what hashes are, but thanks for the sentiment. However, you’re always gonna find people who are going to disagree with that, regardless of the truth of that fact (and that’s ignoring rainbow tables or any method that could reverse it).
Besides, my secondary point (which I haven’t stated explicitly, I agree) is: why even bother exposing the hash, or any type of identifier, to the experience developer if it can be made simpler via an API method?

1 Like

I would just like to add onto this that there are many free exploits on the market. The issue has gotten so bad that any 9 year old with a computer can go onto the website for a free one, download it, search on YouTube “best (insert game name here) script” and then join the game and begin wrecking servers. It’s no longer only experienced people with knowledge of how to buy stuff using crypto, how to script, and how the Roblox client works, it’s anyone who can visit a website, click the big green “download” button, and search online for a simple script.

Roblox needs to take action against the exploit producers. 99% of exploiters are “script kiddies”, people who have no knowledge of programming and just buy injectors and copy and paste scripts. If Roblox takes out the major producers such as Synapse X, KRNL, etc. they have basically fixed the problem.

8 Likes

Exploit detection is a non-trivial topic where a ton of work goes on in the backend, but I think Roblox can improve, and so can Roblox devs. The problem should be reasonable for devs to solve, and I’d like to focus on the Roblox side of this battle.


There are many exploits which I would identify as non-trivial to solve as a developer; I don’t believe I should be required to recreate the humanoid because these character exploits exist, among all of the numerous examples mentioned throughout.


In reality, this sort of thing can totally be a two-way street where big devs can provide data to Roblox about exploiting players and Roblox can provide data to game devs about how confident they are, in a way which reduces the risk of hiding from Roblox.

Tor exit nodes, VPN IPs, hosting IPs and proxy IPs are all readily known at this stage. I implore you to find me an IP that a site like https://ipinfo.io detects incorrectly. Unless you’re connecting from a residential connection, it’s going to be extremely easy to identify these users and increase the risk identified.

We know from risk management that users who use Roblox over Tor are more likely than not to be attempting to hide their actions so we should take appropriate action to flag it.


Before looking into HWID and IP bans, I think we should (as OP suggests) look at how Roblox devs “ban” people. Because we don’t actually ban, we prevent them from using our experiences. It seems like a really minor difference, but I think it’s an important difference: all developers have to develop systems which emulate banning without actually communicating to Roblox that we do not want this user in our experience ever again.

I think introducing the ability to actually ban someone would give reasonable consequences, such as being unable to dislike the game or press the play button, and give Roblox an idea of the kind of user they should investigate.


Being able to deal with alt accounts is also very important. If someone is using the same network MAC address, browser fingerprint, HWID, IP, etc. as another user, I think it’s a pretty good indicator that it might be an alt account, and as developers we should be able to flag that so our systems can adjust for it, just as if Roblox were to try to prevent people bypassing their bans. Being able to say that Roblox has a 92% confidence rating that userID XXXXXX is linked to userID XXXXXX, or that userID XXXXXX is likely a prior offender.


The way Roblox can handle custom moderation is critical, through policy and implementation. Devs should be developing the secure methods of communication that are expected, such as validating input, but do we really need to implement debounce for every remote event input? Shouldn’t this be built in?


Ultimately Roblox needs to be more upfront with the tooling required to help developers deal with these exploiters, and Roblox itself to deal with these exploiters.

Roblox should patch these major exploits or give tooling to developers to take over.
Offering bans and being able to more easily detect alt and likely accounts would be greatly helpful.

18 Likes
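The post above asks whether developers really have to implement input validation and debounce for every remote event themselves. For anyone who does have to, the following server script is an added example (not code from the thread or from Roblox) of the pattern: a reusable per-player token-bucket limiter, strict type checks on the payload, and an authoritative state check. The PurchaseItem remote, the CATALOG table and the starting balance are assumptions for the illustration.

```lua
-- ServerScriptService/SecureRemotes.server.lua
-- Added example: server-side validation plus per-player rate limiting for a
-- RemoteEvent. The remote name, catalog and balances are assumed for the demo.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Reusable token-bucket limiter: each player may send at most `burst` requests
-- at once, refilled at `perSecond`. Returns a function(player) -> boolean.
local function newLimiter(burst: number, perSecond: number)
	local buckets = {}
	Players.PlayerRemoving:Connect(function(player)
		buckets[player] = nil
	end)
	return function(player: Player): boolean
		local now = os.clock()
		local b = buckets[player]
		if not b then
			b = { tokens = burst, last = now }
			buckets[player] = b
		end
		b.tokens = math.min(burst, b.tokens + (now - b.last) * perSecond)
		b.last = now
		if b.tokens < 1 then
			return false
		end
		b.tokens -= 1
		return true
	end
end

-- Server-side catalog: the client sends only an item id; prices never come
-- from the client.
local CATALOG = {
	sword = { price = 100 },
	shield = { price = 75 },
}

local balances = {} -- userId -> coins (in-memory for the example)
local purchaseRemote = ReplicatedStorage:WaitForChild("PurchaseItem") -- assumed name
local allowPurchase = newLimiter(5, 1) -- burst of 5, then 1 request/second

purchaseRemote.OnServerEvent:Connect(function(player, itemId)
	-- 1. Rate limit before doing any work, so spam costs the server nothing.
	if not allowPurchase(player) then
		warn(("[PurchaseItem] rate limit hit for %s"):format(player.Name))
		return
	end
	-- 2. Type-check every argument: an exploiter can pass any Luau value.
	if typeof(itemId) ~= "string" then
		return
	end
	local item = CATALOG[itemId]
	if not item then
		return
	end
	-- 3. Check authoritative state the client cannot edit.
	local balance = balances[player.UserId] or 0
	if balance < item.price then
		return
	end
	balances[player.UserId] = balance - item.price
	-- grant the item to the player here
end)

Players.PlayerAdded:Connect(function(player)
	balances[player.UserId] = 500 -- constructed starting balance
end)
Players.PlayerRemoving:Connect(function(player)
	balances[player.UserId] = nil
end)
```

The limiter is created once per remote, so wrapping every remote costs one line each; the order of checks matters, since the rate limit runs before any allocation or DataStore call and the type check runs before the table lookup, so a malformed payload never reaches game logic.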

(Just for those whom it concerns) Injection bans and HWID/MAC/IP bans are already a thing, and Roblox already even moves around memory on the client every other Wednesday/Thursday to slow down exploits. It’s just that exploit developers always update their exploits to counter these patches.

This is what I think needs to be done by Roblox to help aid us against exploiters:

Ban API - game.Players.HackerDude33:Ban(Enum.PlayerBan.Permanent) or game:GetService("BanService"):BanUserId(1234567890)

Physics Authority - Add a property for workspace or WorldModels in general for AutomaticNetworkOwnership (Whether parts respect SimulationRadius or not)

Replication Control - Like Unreal’s “Is Editor Only Actor” property, add a property to decide whether instances should be seen by clients or not. Updates on property change

Along with patching the numerous glitches I’ve found that can/are utilized by exploiters, but I can’t report because of NO POST APPROVAL

Tool Grip Replication - Locally parenting tools into a player instance, changing the ToolGrip CFrame, and parenting it back into the character updates the ToolGrip CFrame Globally

Velocity NetworkOwnership - Setting character parts’ velocity to something high gives players full physics control over them

TouchInterest Bugs - Most exploits with giant Hats and Layered Clothing are caused by weird glitches with firing TouchInterests

19 Likes
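Two posts above describe the same need: an earlier one notes that developers emulate banning instead of actually banning, and this one sketches a hypothetical Ban API. Until such an API exists, the emulation looks like the following ModuleScript, an added example written for this page rather than code from either poster or from Roblox. The store name, the MessagingService topic and the record shape are assumptions.

```lua
-- ServerScriptService/BanStore (ModuleScript)
-- Added example: emulating a persistent ban with DataStoreService, enforced on
-- join and propagated to other servers with MessagingService.
local Players = game:GetService("Players")
local DataStoreService = game:GetService("DataStoreService")
local MessagingService = game:GetService("MessagingService")

local banStore = DataStoreService:GetDataStore("Bans_v1") -- assumed store name
local BAN_TOPIC = "BanIssued" -- assumed cross-server topic

local BanStore = {}

-- Returns (ok, record): ok is false when the lookup itself failed, so the
-- caller can choose between failing open and failing closed.
function BanStore.get(userId: number): (boolean, any)
	local ok, record = pcall(function()
		return banStore:GetAsync(tostring(userId))
	end)
	if not ok then
		warn("[BanStore] lookup failed for", userId, record)
		return false, nil
	end
	if record and record.expires ~= 0 and record.expires <= os.time() then
		return true, nil -- ban has expired
	end
	return true, record
end

-- Writes the ban, kicks the user from this server and tells other servers.
-- durationSeconds = nil means permanent.
function BanStore.ban(userId: number, reason: string, durationSeconds: number?, moderatorId: number?): boolean
	local record = {
		reason = reason,
		expires = durationSeconds and (os.time() + durationSeconds) or 0,
		by = moderatorId,
		at = os.time(),
	}
	local ok, err = pcall(function()
		banStore:SetAsync(tostring(userId), record)
	end)
	if not ok then
		warn("[BanStore] failed to write ban for", userId, err)
		return false
	end
	pcall(function()
		MessagingService:PublishAsync(BAN_TOPIC, { userId = userId, reason = reason })
	end)
	local player = Players:GetPlayerByUserId(userId)
	if player then
		player:Kick("Banned: " .. reason)
	end
	return true
end

-- Enforce on join. This example fails open on a DataStore outage (the player
-- is allowed in); a game that prefers to fail closed would kick here instead.
Players.PlayerAdded:Connect(function(player)
	local ok, record = BanStore.get(player.UserId)
	if ok and record then
		player:Kick("Banned: " .. tostring(record.reason))
	end
end)

-- Kick the user from every other running server without waiting for a rejoin.
pcall(function()
	MessagingService:SubscribeAsync(BAN_TOPIC, function(message)
		local data = message.Data
		local player = typeof(data) == "table" and Players:GetPlayerByUserId(data.userId)
		if player then
			player:Kick("Banned: " .. tostring(data.reason))
		end
	end)
end)

return BanStore
```

Require the module once from a server script at startup so the join hook and the subscription are registered; a moderation command then calls BanStore.ban(userId, "reason", 7 * 24 * 3600, moderatorId). The fail-open choice on a DataStore error is the trade-off to think about: failing closed keeps banned users out during an outage but also locks out everyone else.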

Exploiting has fostered a relatively dangerous and unhealthy mindset for me, my communities, my colleagues and even my fellow Roblox developers. It, to me, is the number one issue that’s significantly roadblocked anything I want to do on this platform be it enjoying the experiences others have put out or even creating them.

Technical discussion is a whole different can of worms that’s caused me a great deal of trouble because on one side of the coin you have the people exploiting your experiences and then on the other side of the coin it seems like some ego competition about who can do anticheat better and who deserves access to this and that, and that hurts. I can’t even trust my own fellow developers to provide insightful information on tackling anticheat without somehow feeling the need to honk their own horns or berate me for the best effort I put in. I get enough trouble from my communities blaming it on me because cheating is so deeply embedded into Roblox culture, I don’t need to get any more from people I’d like to cooperate with on this issue.

I really, really would appreciate some way to proactively remove bad faith actors from my experience or prevent them from playing it in the first place, as in just getting rid of that Play button entirely. My solutions are not ever enough and I don’t have the knowledge to implement technical solutions, customer support lines or any external tooling that would contribute towards the efforts against cheaters, nor do I have the resources or trust to hire someone proficient in that to help. I hate that the majority of my development time is wasted thinking about cheats or having cheats be the determining factor of whether I want to pursue a feature or not in the first place.

Cheating is an issue that I wish Roblox approached with more intensity not just with behind-the-curtain solutions but with tools that we as developers can use to assist us with moderation, support and even in the technical area. Bad faith actors need to be held more deeply accountable for violating Roblox’s standing rules and legal agreements for platform use; not the developer (yes, we as the developer can be held accountable and be punished for bad faith actors misusing systems en masse, which is inane).

I don’t know how relevant this is to moderation or support tooling so I apologise if it isn’t, but lately I’ve even had to ban certain clothing assets from my experiences because of an incredible uptick in NSFW content being uploaded. This isn’t an experience-specific exploit but rather one of the platform. I can’t even begin to count the number of times I’ve had to report pornographic imagery appearing in my experiences that support the user’s Roblox avatar (which is essentially all of them) or avoid allowing asset id submissions for decals because of this.

It’s sickening how much time I spend letting cheaters live in my head and how it holds me back from doing anything unless I just stop caring about exploiters and focus on content cadence instead. My current major experience does not handle exploiting besides basic server-client validation and reports about exploiters interfering with others’ gameplay. We just don’t have the patience to deal with it and spend all our time doing anticheat or support services. We don’t have the knowhow.

Roblox would greatly alleviate the burdens for me by providing a foundation to work from. Basic moderation and support tooling would give me the groundwork necessary and then I can integrate that with my own systems to the best of my ability. Right now, I’m expected to do everything myself and risk punishment for doing it wrongly or not doing it at all, and as I’ve repeated a number of times now I don’t have the knowledge to create anything anticheat, moderation or support wise whatsoever. I refuse to use third party tooling because as the thread mentions, it would introduce incompatibilities with my existing systems and I don’t have established trust with the vendor to rely on their systems. If those go down, so do my efforts.

EDIT: Removed some strong language now that this thread’s been moved to a public category. Sorry if you saw that content, you weren’t supposed to!

38 Likes

Hopping on to share some statistics: the number of bans combined from both Witching Hour and Site 76 (mostly Witching Hour) is well over 25,000 users in the span of four years, all of which were manual, and most of which are just all the same exploits (teleporting, spinning to knock players around, spawning in local parts to abuse systems, etc.).

It’s absolutely insane that four years later, some of these exploits are still a thing; despite some of the changes we’ve made in an attempt to combat them, they’re always able to one-up us and find a way around it.

11 Likes

This has unfortunately been a lasting issue that has been endured for quite a while, through personal experiences and via colleagues.

I do have to mention that a majority of the exploits that I see a trend of originate from the lack of security integrated into developer-produced code. It takes proper training/education to learn how to secure remotes, and overall vulnerabilities in a game… just as any other concept one is wanting to grasp. I found this forum helpful in understanding the basic vulnerabilities that an exploiter may… exploit.

Then again, I do completely understand what this post is grasping at. Exploiters are an inevitable aspect to consider while creating a game, which it shouldn’t be, to the extent it currently is at least. I do hope that there will be some solution to this consistent conflict in the near future, but in the meantime, I am going to continue my research on how to prevent exploiters in my games on a personal basis!

6 Likes

We should be allowed to vent our frustrations with exploit use on the platform, without insistently deriving conclusions that Roblox does nothing about the issue at hand. As developers, we’re not the only ones fighting an ongoing battle to make our experiences exploit-preventative; engineers work behind the scenes to combat the issue and so do moderation teams.

Support tooling and moderation systems are needed, but arduously hard to implement. There are some things we should do ourselves, and some things that Roblox should provide. Neither party should do all.

I’m sure developers feel incentivised to dedicate their own moderation teams out of convenience and to tackle customer service in their own hands. Given how a lot of developers paint moderation and support as ‘automated’ and ‘crap’, it wouldn’t be a surprise that this is the case.

I’m in favour of Roblox taking on some of the responsibilities that OP has outlined. I want to be able to reach out to dedicated support networks when I need to. I want them to bridge the ‘gap’, so I can understand how to approach and tackle the large-scale issue with exploits.

And I certainly want to lift some of the burden off my shoulders like dedicating time and effort to customer service and moderation, to be shared across the platform, so it doesn’t feel like I’m constantly weighted down with the obligation to address them.

But the culture of developers villainising Roblox needs to stop. It does not do us any good. We are just shooting ourselves in the foot and it will come back to taunt us when we legitimately need to address such problems.

7 Likes

I’ll share some statistics as well.

In the last 2 years we have banned about 90,000 accounts from our games.
50,000 of them have been automatic detections.
25,000 of them have been from web-scraping exploiter communities.
15,000 (Remaining) have been manual bans.

We have a great mod team, but really do wish Roblox could assist in this.

7 Likes

While this solution SORT OF helps cut down on exploiters, it mostly is just an awesome way to miss out on tons of players. People are joining ROBLOX constantly, and if they try to play your game for the first time and get a “Sorry, your account is new!” message, they’ll probably never play your game again.

10 Likes

It actually doesn’t do much since most exploiters have access to a service that is basically a giant list of botted Roblox accounts made from 2017 and onward. There are millions of these botted accounts made for exploiting. They always have generic names too, like JaneDoe1, JaneDoe2, etc.

2 Likes

Another frustration I have with back doors is coming across models downloaded by thousands of people with a script that requires another module that requires an obfuscated script leading to a back door. I’ve reported these models and weeks later they’re still there and the creators never get banned. One particular model was an R15 dummy for scaling that had a SS back door I was able to figure out by looking at the HTTP logs in the dev console, leading to a Discord group and YouTube videos demonstrating the exploit on some random game whose creator probably doesn’t know about it. The script also contained blatant swears, which should automatically trigger some sort of moderator action.

Then I’m also hearing games getting banned and accounts terminated from these back doors that devs are unaware of and get unfairly punished for it. It feels like exploiters hardly ever get punished for their actions, meanwhile the victims take all of the downfall.

13 Likes

I’ve been having an exploiter problem for the last 4 months at this point. The main problem is how these exploiters are almost unbeatable: we ban them and they rejoin with one of their 100 alts, we patch their scripts and they start using generic crash scripts, and at this point I don’t know what to do. In specific hours especially, these kids keep raiding our game without any real motivation; that’s their problem of course. However, our player count really decreases at these times and we keep getting complaints. We cannot do anything; we don’t have anything to even monitor a server crash, and considering how easy accessing exploits is, this problem is a crazy issue for small games. Roblox has the goal of giving even small studios a chance in the huge market, and I’m sure that this issue holds a lot of potentially good games back from being popular. I don’t have a lot of time with education and all other life stuff, and when I have time I usually need to deal with these kinds of problems which I shouldn’t need to deal with. There are a lot of known OP crash scripts already, and people say that these got reported to staff months ago; however, I can see them still being used frequently today.

These small exploiter groups have nothing to lose; it is not possible to fight them. For bigger games, people usually just join other servers; however, if you consider the games which don’t get as many new daily players as these popular games, the damage is huge. A lot of things were suggested in previous posts, like HWID bans, so I’m not going to mention them again. I’m sure the staff can find good solutions to this problem if they want to fix it.

The only thing I’ll suggest is an exploit report database, not like HackerOne but a database which will suggest popular exploits to get monitored. HackerOne mostly works with those exploits with easily pinpointed reasons; however, we also need a platform where we can submit the exploits we are facing, and systems can collect info about these exploits so they can easily get fixed.

12 Likes

It’s not even just the fact that people can exploit, it’s how they can exploit. Tools like Synapse give people the power to entirely crumple any game’s workflow. You can access the game metatable to alter remote events and cheat in unimaginable ways. You can make functions like :Kick() and :Destroy() return nil so you physically cannot remove them from your game. Even with the saying “Don’t trust the client”, it’s genuinely impossible to make a game that’s unexploitable, even if the game is entirely server-sided. It holds back a lot of developers’ true potential imo and makes it hard to be imaginative with the games we wanna make.

9 Likes

Just a bit of a nitpick here, unless you specifically aren’t following “Don’t trust the client”, the metatable hook won’t affect you. Exploiters being able to prevent the server from calling :Kick() is completely false, as :Kick() is on their Player object, which isn’t a BasePart (something with simulated physics), therefore the client has no control over it. Cheaters even acknowledge there’s no way to prevent a server-side :Kick() call.

4 Likes

It’s an oversight in the midst of my rant; I know they can’t make server scripts return nil, but there’s no real way to accurately detect cheats on the server. WalkSpeed can be changed on the client and doesn’t inherently replicate to the server besides their movement speed, which is unreliable due to flings. I’ve played games where you get flung and banned from a game because of Roblox issues, which imo is a huge blunder on the developer’s end, but there’s not much they can really do.

Very discouraging to make extremely revolutionary Roblox games. Like if you were making a VR baseball game, the server isn’t equipped to handle highly accurate physics on account of being unable to access RenderStepped, so you’d have to rely on the client for accurate bat collisions.

2 Likes
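The exchange above makes two points worth showing in code: a server-side :Kick() cannot be hooked from the client, and naive speed checks ban legitimate players who get flung. The script below is an added example (not code from either poster or from Roblox) of a server-side movement check built around the second problem: it measures horizontal displacement per sample, uses the server’s own copy of WalkSpeed as the limit, ignores samples taken while the humanoid is physics-driven or seated, resets after respawns and server-side teleports, and only kicks after repeated violations. All thresholds are assumptions.

```lua
-- ServerScriptService/MovementCheck.server.lua
-- Added example: server-side speed validation that tolerates flings, ragdolls
-- and server-initiated teleports. Thresholds are assumptions for the example.
local Players = game:GetService("Players")

local SLACK = 1.5           -- headroom for latency and replication jitter
local SAMPLE_INTERVAL = 1   -- seconds between samples
local STRIKES_TO_KICK = 5   -- violations before action
local STRIKE_DECAY = 30     -- seconds without a violation before strikes reset

local tracked = {} -- player -> { strikes, lastPos, lastTime, lastStrike }

-- States in which the character is moved by physics rather than by walking,
-- so a large displacement is not evidence of a speed hack.
local PHYSICS_STATES = {
	[Enum.HumanoidStateType.Physics] = true,
	[Enum.HumanoidStateType.FallingDown] = true,
	[Enum.HumanoidStateType.Ragdoll] = true,
	[Enum.HumanoidStateType.Freefall] = true,
}

-- Call this after any server-side teleport so the jump is not counted.
local function resetSample(player)
	local data = tracked[player]
	if data then
		data.lastPos = nil
	end
end

local function sample(player, now)
	local data = tracked[player]
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not (data and root and humanoid) then
		return
	end
	local pos = root.Position
	if data.lastPos then
		local dt = now - data.lastTime
		-- Horizontal displacement only: falling and jumping are vertical.
		local horizontal = (pos - data.lastPos) * Vector3.new(1, 0, 1)
		local speed = horizontal.Magnitude / dt
		-- The server's copy of WalkSpeed is authoritative; client edits do not replicate.
		local limit = humanoid.WalkSpeed * SLACK
		local physicsDriven = PHYSICS_STATES[humanoid:GetState()] or humanoid.Sit
		if speed > limit and not physicsDriven then
			data.strikes += 1
			data.lastStrike = now
			if data.strikes >= STRIKES_TO_KICK then
				-- :Kick() runs on the server; the client cannot hook it.
				player:Kick("Movement validation failed")
				return
			end
		elseif data.lastStrike and now - data.lastStrike > STRIKE_DECAY then
			data.strikes = 0
		end
	end
	data.lastPos = pos
	data.lastTime = now
end

Players.PlayerAdded:Connect(function(player)
	tracked[player] = { strikes = 0 }
	player.CharacterAdded:Connect(function()
		resetSample(player) -- respawn is a legitimate jump in position
	end)
end)
Players.PlayerRemoving:Connect(function(player)
	tracked[player] = nil
end)

task.spawn(function()
	while true do
		task.wait(SAMPLE_INTERVAL)
		local now = os.clock()
		for player in pairs(tracked) do
			sample(player, now)
		end
	end
end)
```

Any server code that moves a character (teleport pads, round resets) should call resetSample for that player first; otherwise the next sample reads as one enormous move. The strike counter with decay is what turns a single fling from a ban into a no-op while still catching a sustained speed hack.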

You are right, developers do not have the necessary elements to fight exploiters; the only tool would be programming.

A large part of the developer community has to deal with these exploiters; Roblox must implement something to detect injections from other external programs.

4 Likes

They technically do already have injector detection within their software (as shown somewhere in the thread). The only issue is that people injecting allowed client injectors like the FPS unlocker would also get flagged and potentially banned. This could easily be solved by Roblox just unlocking our FPS, but that’s another can of worms that can be opened on another occasion.

2 Likes

I didn’t know that. Since Roblox systems are easy to circumvent, I’ve witnessed several exploiters deleting the whole map using scripts, probably from the server, as it would affect the other clients.

1 Like