DisplayName Exploit Patch (PATCHED BY ROBLOX 8/1/2020)

it isnt nessessary to use it here because they cant modify their Name property

There seems to be a lot wrong with these replies, the only script you need that is said here is the PlayerAdded in ServerScriptService that checks if the display name does not equal the Username.

The reason for this is simple, the exploiters are pausing the network request and manually editing the packet sent to the actual Roblox server. Aka they’re changing the packet before it gets sent to Roblox.

SynapseX was mentioned here, but it-itself cannot change the user display name and replicate to other clients so it’s useless to add a localscript.

Another item mentioned here, using “GetPropertyChangedSignal” will not work in this occasion because the DisplayName changes before the client even loads.

So TLDR: They can’t change their name via SynapseX / Any client exploits. Only the ServerScriptService playeradded script is needed.

3 Likes

Fun fact: They dont use synapse to bypass this, they use a web debugger tool called fiddler.

That exploit is old school 2014, I did some research on it.

It also requires you to use windows 10 roblox, lol. and even though it is old school, its still used. there was a video about the spoofing method made by sirmeme which is why its popular

Not true, aside from that, you can still prevent this as a developer until roblox pushes an official patch.

Exploit was reported more than a year ago.

Read more on the engine bug here.

1 Like

Not true, aside from that, you can still prevent this as a developer until roblox pushes an official patch.

Do you mean the fiddler part isn’t true? because i don’t think they use synapse to spoof. i looked and i couldn’t find anything that uses synapse, and they’d have to use it in autoexecution. however, there was a video on how to use it with fiddler

I only know of one exploit software that released a built-in spoofer which no longer works, fiddler will still work because that’s manipulating the network packet manually before joining.

Any exploit directly using a built-in spoofer method is patched, the only remaining way is using a packet sniffer.

I am quite obviously not going to go into detail to prevent people from abusing this, Roblox should come out with an official patch soon.

Yeah I know all other methods were patched.

Also a few questions, how come you can only spoof your display name + account age, and not your userid or username/anything else?

Can you also explain the packet sniffing method to me AFTER its patched, as I am curious on how it works?

Well it can kinda be explained like this:

User presses "PLAY" on a Roblox Game.
|
\/
User starts sending neccessary network packets required to join the server 
and load player details.
|
\/
During this time, you start capturing and recording packets, it is then possible
to EDIT the content of each packet, so the packet we edit contains this JSON
parsed data:


This is not my image, I got this from someone who told me about it.

|
\/ 
We can now edit that field and resend the packet if the sniffer has such a feature.
|
\/ 
The original packet has now been edited and the Server will use this altered info
instead.

I’d rather not answer the first question.
I hope this provides some basic insight to how it actually works.
Explanation for educational purposes only.

That’s a good looking script my friend!
I believe the engineers have pushed out a rapid patch and it will most likely be fixed platform wide soon! :heart:

It doesnt work anymore, its patched

1 Like

Great to hear that it’s patched! I’ve been seeing this too often, it’s pretty deadly, but now it’s harmless :sunglasses:

Decent script this sure be useful for my game but it definitely won’t kick random people who just trys and joins the game?

Just in case, im gonna use it :wink:

This should be patched now.

In the future, DisplayName will often not be the same as UserName. So I wouldn’t keep the script around long-term. For the weekend and possible a bit longer, DisplayName and UserName will be the same – even if the user has a different DisplayName. (I think it is mostly test accounts that have different DisplayName.)

You can’t spoof userid because part of this data is a digital signature of select fields. when the server reconstructs the signed message from these fields, it will not be able to verify that the signature is correct. More fields have been added to this.

10 Likes

That’s nice to hear! I’ve seen multiple exploiters do things like this though I don’t know if it’s name spoofing because they had a username longer that 20 digits.

Talking about exploiters do you guys have plans to stop them completely?

There’s no way to completely stop exploiting.

5 Likes