Developers are not equipped to deal with exploiters

Very well said. Exploiting is a major issue on the platform that Roblox has never really directly addressed. There needs to be more for developers to utilize in this fight and more on Roblox’s part to prevent this.

It’s remarkable to me that Roblox has yet to directly address issues like this and the current ddosing issues.

I partly understand what you’re saying, but what has the Roblox legal team done? They’ve taken legitimate legal action once(at least what can be publicly seen) based on unsubstantiated false claims.
You probably know what I’m referring to.

Roblox has done this in the past, but the accuracy was questionable. Players that were using basic things like FPS unlockers were also affected by the ban waves.

I still believe that Roblox needs to take a more broad approach and set a precedent for others by taking legal action against the top few exploit developers to deter others from venturing down the path of making exploits like script injectors.
I’m referring to those that make full-on script injectors and capitalize on making script injectors for Roblox.

If you wanna help prevent most basic alts, you can require the player to own the Verified Bonified Hat which you can only get by verifying your email.

16 Likes

A ban function would be a great start. It would be awesome if you could do something like
Ban(playerID,duration)
to completely restrict a player’s access to the game. This could be managed by a panel on the Roblox website that shows all bans, their duration, and maybe Roblox could do something such as blocking the players other associated accounts(on the same email) from accessing the game via the website.

Maybe even add a permission where you can allow other players to manage bans on your game from the website, an audit log, and maybe even allow reasons to be attached. idk, just an idea.

23 Likes

Currently, the game that I work full-time for has been incredibly inactive on our side- the owner lacks the ability to devote time to development due to real-world circumstances, so I have, essentially, been placed in charge of the discord server and development in general for the game. In the exploit reports channel, I see so many instances of obvious exploiting, that we cannot act on, given that we haven’t been able to implement a proper banning system that doesn’t cause huge amounts of memory leaks (again, real-world circumstances.)

Therefore, as a developer, I get to watch my game be used as a playground for 13 year olds with exploits they download from the internet (searching the name of the game almost immediately shows a github link for exploit scripts, although I haven’t been able to verify that it isn’t just some virus.) In any case, however, it is appalling to see that roblox takes no action against offsite distribution of exploits, offers no integrated banning system, no way of IP banning, no integrated anticheat (i understand that anticheat is difficult to develop, and that it’s an expectation for developers to make their own, but it’s ridiculous that antispeed or antifly protection is not an integrated, toggleable feature in studio) and provides very little help in the way of moderating accounts which are reported for exploiting.

It’s been a problem for years on this platform, and it’s time that roblox finally takes some action.

(Apologies for the long and wordy post, i’m using my phone to type this)

17 Likes

The fact that almost every casual hangout game with a decent userbase has to disable player collisions due to fling hacking is a bleak sign that things need to change. Fling hacking involves a bad actor setting their velocity to extremely high numbers causing everybody they come in contact with to be flung in a random direction. It’s one of the most common exploits, and one of the easiest to detect. It would be great if Roblox could add some sort of server-side default basic anti-cheat and connect it with an internal system for tracking IP and HWID (as those like Kampfkarren have suggested).

This isn’t just a problem in hangout games, it extends to every single place that isn’t concerned enough to patch it, or doesn’t get popular enough to run into that problem. I was involved with a few parody games that weren’t even that popular (maybe max 50 concurrent players?) and all of them had problems with exploiters.

The only solution for proactively banning exploiters before they enter your game is to install some shared ban system managed by a usually untrusted third party who can abuse that power very easily, and can be prone to mistakes. Said shared ban systems are also IIRC against the rules, but I can’t find that section in the ToS.

(Also, I want to be able to stand on my friends’ heads again, which is impossible with collision disabling scripts. It’s my right as a Robloxian.)

26 Likes

I’ve found this to be specially true for games that are made by small teams of 1-5 people.

These teams may only have 1-2 programmers that can only do so much at once, and so they opt for trying to make the current experience enjoyable but end up having their efforts dwarfed by the exploiting community in less than a day.

11 Likes

The details matter here so,

Developers need more control over their games.

I want to specifically remark ESP is a very rampant, near unpatchable problem in 99% of games. I understand StreamingEnabled eventually wishes to fix the issue.

The reality is that a majority of games do not use this feature, or can even use it given how it is put together. But we could at the very minimium be given a middleground in-between the server, and the client, to control replication. Specifically make it so we can hide certain objects (Player Characters primarily) from the client, potentially with a FilteringEnabled/Streaming service. This would allow us to cut off certain instances, like player models, until we want to show them to the client. Because as it stands, the client has all the power to see players across the map regardless of any defensive coding you put in to the client or server. This is particularly annoying in open world games, and have given legitimate players paranoia to even play with the threat of having their hard work taken away from them.

19 Likes

If an item is highly considered special,
save the position of the item on the server,
and only announce to the client once they get close enough that they should visibly see that item.

2 Likes

Was mainly talking about player characters, but yeah I do this.

3 Likes

I think we can agree, when talking about combatig exploiters, that making a server-side detection system that is able to detect client-side modifications (such as ESPs) is not possible. There are ways to detect speeding, flying, etc., but these are character-related behaviors.

Basically, at this time, the only way you can keep exploiters away at all is detect them on injection. I don’t know much about how that works, but I know that there is a way to detect when some exploits execute scripts or inject.

4 Likes

… too bad! Roblox likes automating everything possible and giving you 0 control everytime because it’s part of their ““vision””
Lighting looks horrendous because you have barely any control of how and what the lighting system
will do exactly?

Cheaters abuse the fact that they have full control over what their character will do?
Can’t make layered clothing right because the documentation sucks?

Cry about it, it is part of our schizophrenic ““vision””

15 Likes

i still don’t understand why roblox can’t add a kernel level anticheat

and before you say roblox could be malicious with it: roblox is a huge company, and is over the entire planet now, do you really think they would just to lose all their remaining reputation?

9 Likes

I kind of wish that people could either report more actively* or Roblox recognizes what exploits or injects are in anyone’s game (Not saying “if you jump too high you’re kicked”, something more obvious like obfuscated code. What developer would think that’s a good idea?). We as developers have to cope with creating our own anti-cheats based on our own game’s mechanics. Roblox provides us with basically nothing except “FilteringEnabled”.

*Fast Track system is with us, sure, but people (even I have in the past) look at an exploiter and just pray that they won’t come towards us with a fling script. Nothing more.

5 Likes

As a user who has been playing games on the platform for 6+ years and has also been developing for 4 of them, its absolutely impossible for me to sit here and say that exploiting is not a problem that needs to be prioritized and fixed. Around 1/5 games have a minimum of 1 cheater no matter the game type. However, the FPS genre is where it’s especially rough where its almost every single game that has an exploiter. A notable example being Bad Business and Phantom Forces which have been swarmed with exploiters for quite some time. I actually did tests on these games because I was bored to see how many cheaters I could find, unsurprisingly out of the 10-15 test joins I did on Phantom Forces, I found 3 instances of the chat complaining about an exploiter and or the entire kill feed being 1 guy. Although I don’t have any direct tracking methods, other developers who do have also outlined how much of a problem this really is.

10 Likes

Not only do I agree with the points that OP made and can relate to many of the replies on this thread that not only is exploiting a threat to big games - but it poses a massive threat to community-driven experiences.

For the past 6 years or so, exploiting within community driven experiences such as cafes, clothing groups, and role-play games have gotten worse - for the small guy.

At Bambou alone, since 1/28/21, there has been 4,228 permanent bans - and this is not counting pre-2021.
image
Us having the experience and the resources to develop proper precautions to make it extremely hard for an exploiter to crash the game or ruin the experience for players has made a big change - but the results above speak for themselves.

The little communities that are trying to thrive and grow who don’t have these resources are constantly abused and battered by experience ruining exploits. I personally have seen small communities give up and die out due to the ongoing abuse.

I have also seen countless amount of times where big group owners(will remain unnamed) are essentially held hostage and forced into giving these exploiters some kind of compensation to stop abusing their game - and these owners, with no experience or tools to combat them, either take a massive loss of revenue or pay out to the exploiter.

This is a big and ongoing problem that has been ignored.

11 Likes

just further proves my point. exploiters just aren’t worth it to them, and they believe it’s the developer’s role to secure their games. they have strange priorities, but they’re not inconsistent with those priorities

2 Likes

Sure, but as per the first sentence of the original post

This is not a post about anti-cheats or the technical aspects of exploiting and exploit prevention.

This post is trying to bring attention to the lack of any moderation and support systems available to developers for combating exploiting. The target of this post isn’t the already heavily-discussed technical intricacies around exploits and security.

If you have technical advice to give I’d encourage you to do as the 2nd paragraph says and make a tutorial in #resources:community-tutorials

13 Likes

I would just like to muse for a moment, although I can’t test any of this.

To mitigate fling hacks:
Client-side, on Stepped, loop through every part owned by other players (i.e. anything that could potentially be used to fling) and set their Velocity and RotVelocity to zero or limit their magnitudes.
This doesn’t catch or ban the exploiters, but makes fling ineffective when someone does use it.
It might also make player movement appear choppy.

This assumes that the game’s owner even bothers to implement any of this in their game, which they won’t.

To climb onto someone’s head even when collisions between players are disabled, add a tool that adds/removes a client-side brick welded to the other player, which you can collide with.
The other player won’t be affected by this unless they also enable collisions with you.
If Roblox ever allows changing collision groups on the client side, the tool should do that instead of attaching a brick.

1 Like

I agree with this. One of the people in my school is a small developer. He does not know any 3rd or 2nd party things to keep the ban in place. Because of this, he has had to shutdown the game thus stopping his Robux income from his gamepasses. When a person with a premium subscription is in the game.

why he had to shut the game down

This is because a exploiter was using many hacks to make his car do super high speeds. fling people for no reason. teleport around maps. etc. and he got so bombarded with reports that he had no choice but to shut down his game. you are correct. if there was a tool to help deal with exploiters, then he would of kept his game up and got income continually.

8 Likes

I thought I would point out the existence of server authoritative networking, because you make it sound like there is no definitive solution to the issue of hacking. What you are doing right now is taping up the cracks of a broken pipe and complaining that your tape isn’t strong enough, when in reality what you should be doing is replacing the entire pipe with a brand new one.

I think an overreliance on Roblox to suit your every need is not healthy. You should be making feature requests (which I should also mention, this topic is a feature request and thus is in the wrong category) only once you’ve done everything you can (within reason) and found a certain goal to be unfeasible within the engine.

There in fact exists a solution, and it is achievable, as seen by multiple successful attempts at this kind of system. Then, the question should be “how can Roblox make this type of networking more prominent and accessible to developers”, not “how can Roblox help me implement bandaid solutions to this problem”.

Look into Chickynoid: Chickynoid, server authoritative character replacement

9 Likes

It’s really funny and sad to me that roblox hardly does ANYTHING about exploiters, there are so many of them nowadays. It’s literally so bad that people will literally exploit on their main account because they know damn well that Roblox will not ban them or try to stop them from using their scripts. It’s pretty annoying for both owners of big games and the players.

7 Likes