DisplayName Exploit Patch (PATCHED BY ROBLOX 8/1/2020)

Explaination
Recently, I have noticed in a bunch of games exploiters with innapropriate usernames such as this for example. I discovered that the cause of this was similar to the ways exploiters changed their AccountAge and MembershipType recently and developed a quick patch until roblox fixes it.
Script

game.Players.PlayerAdded:Connect(function(v)
	if v.DisplayName ~= v.Name then
		v:Kick('DisplayName spoofing detected.')
	end
end)

All you need to do is add this into ServerScriptService and it will detect and kick any exploiter attempting to join with a modified DisplayName.

Hope this will help until roblox themselves can push a fix to this.

19 Likes

I love this, except the exploiters could change their name after they join.

A simple fix to this is using a while loop (You can use something else because I think while loops are bad or something?):

game.Players.PlayerAdded:Connect(function(v)
    while true do
        wait()
        if v.DisplayName ~= v.Name then
		    v:Kick('DisplayName spoofing detected.')
	    end
    end
end)
3 Likes

Exploiters can not change their name after they join, it uses a flaw in the join system where it allows exploiters to modify what its saying their name is. Any attempt at change post join would not replicate (at least to my knowledge they can not do this)

5 Likes

That’s a bad practice, you can read more about that here (Avoiding wait() and why) and here (The While-Wait-Do Idiom, by cntkillme)

Instead, you must use either Item.Changed or Item:GetPropertyChangedSignal("PropertyName")

Differences: Changed event is fired when any property has changed, :GetPropertyChangedSignal() is fired each time a specific property has changed. In this case, is recommended to use the second option i said here. And the code would look like this:

game.Players.PlayerAdded:Connect(function(v)
    v:GetPropertyChangedSignal("DisplayName"):Connect(function()
        if v.DisplayName ~= v.Name then
		    v:Kick('DisplayName spoofing detected.')
	    end
    end)
end)

I hope you learned something! :+1:

19 Likes

Yeah, it could be fixed by just tweaking the code a bit like this:

function CheckDisplayName(Player)
    if v.DisplayName ~= v.Name then
	    v:Kick('DisplayName spoofing detected.')
    end
end

game.Players.PlayerAdded:Connect(function(v)
    v:GetPropertyChangedSignal("DisplayName"):Connect(function()
        CheckDisplayName(v)
    end)
    CheckDisplayName(v)
end)

Correct me if im wrong.

4 Likes

I guess I was getting on to something here, but I was kinda rushing idk

1 Like

you could simply put a script in StarterCharacterScripts

script.Parent.Humanoid:GetPropertyChangedSignal("DisplayName"):Connect(function()
     game.Players:GetPlayerFromCharacter(script.Parent):Kick("ew no stinky DisplayName spoofing 🤮🤮🤮")
end)

See? Only 3 easy to read lines of code.

Also btw DisplayName is in a humanoid, not player.

DisplayName is on Player and Humanoid, Exploiters are setting DisplayName on the Player which roblox reads when setting the Humanoid property

3 Likes

Also I forgot to mention that ive seen exploiters set their DisplayName to extremely long strings which is causing players to crash, the only way to prevent this via a script is reading the player DisplayName so it never renders in

1 Like

You could just delete the script.

1 Like

This exploit relies on modifying the auth packet sent to Roblox when a player first joins a server, so you only need to check once, as changing their DisplayName from the exploit after authentication will not replicate (and can only be seen by the client). And, regarding this:

There’s one issue though, if an exploiter changes the DisplayName before the script has loaded (if I recall correctly, Synapse X has an “auto execute” folder)

Pretty sure PlayerAdded will only be invoked once the server receives authentication and the client will be disconnected if they haven’t sent authentication within 10 seconds.

3 Likes

Thanks for the advice, i just keep scripts longer to make them more organized, and less confusing. But i still appreciate your advice :+1:

Pretty sure that the purpose of DisplayName is for China users to be able to show their name without Roblox storing them for logins (since chinese chars). Therefore games for China audience should probably not do this.

i doubt that there is anyone in the PRC that uses this version of the dev forum lol (nor any games on the site that come from outside china that they can even play)

if the DisplayName changes before the scripts, and the .Name does not, then the aforementioned code works even better…

Synapse X fires a DisplayName change --> Ingame exploit detector (PlayerAdded()) checks that DisplayName == Name --> kick…

On the flip side, if SX fires it AFTER the server executes its Added() checks, you’d need to check for Changed() events, but hopefully by then the changed events should fire normally.

Just in case, you can hardcode a 1 second wait into the PlayerAdded() check, since I don’t believe startup takes that long? I.e

Why not use GetNameFromUserIdAsync, it works well.?
Example

game.Players.PlayerAdded:Connect(function(Player)
	local RealName = game.Players:GetNameFromUserIdAsync(Player.UserId)
    if Player.DisplayName ~= RealName then
		Player:Kick('Ping spoofing detected.')
	end
end)
1 Like

it isnt nessessary to use it here because they cant modify their Name property

There seems to be a lot wrong with these replies, the only script you need that is said here is the PlayerAdded in ServerScriptService that checks if the display name does not equal the Username.

The reason for this is simple, the exploiters are pausing the network request and manually editing the packet sent to the actual Roblox server. Aka they’re changing the packet before it gets sent to Roblox.

SynapseX was mentioned here, but it-itself cannot change the user display name and replicate to other clients so it’s useless to add a localscript.

Another item mentioned here, using “GetPropertyChangedSignal” will not work in this occasion because the DisplayName changes before the client even loads.

So TLDR: They can’t change their name via SynapseX / Any client exploits. Only the ServerScriptService playeradded script is needed.

3 Likes

Fun fact: They dont use synapse to bypass this, they use a web debugger tool called fiddler.

That exploit is old school 2014, I did some research on it.