DisplayName Exploit Patch (PATCHED BY ROBLOX 8/1/2020)

It also requires you to use windows 10 roblox, lol. and even though it is old school, its still used. there was a video about the spoofing method made by sirmeme which is why its popular

Not true, aside from that, you can still prevent this as a developer until roblox pushes an official patch.

Exploit was reported more than a year ago.

Read more on the engine bug here.

1 Like

Not true, aside from that, you can still prevent this as a developer until roblox pushes an official patch.

Do you mean the fiddler part isnā€™t true? because i donā€™t think they use synapse to spoof. i looked and i couldnā€™t find anything that uses synapse, and theyā€™d have to use it in autoexecution. however, there was a video on how to use it with fiddler

I only know of one exploit software that released a built-in spoofer which no longer works, fiddler will still work because thatā€™s manipulating the network packet manually before joining.

Any exploit directly using a built-in spoofer method is patched, the only remaining way is using a packet sniffer.

I am quite obviously not going to go into detail to prevent people from abusing this, Roblox should come out with an official patch soon.

Yeah I know all other methods were patched.

Also a few questions, how come you can only spoof your display name + account age, and not your userid or username/anything else?

Can you also explain the packet sniffing method to me AFTER its patched, as I am curious on how it works?

Well it can kinda be explained like this:

User presses "PLAY" on a Roblox Game.
|
\/
User starts sending neccessary network packets required to join the server 
and load player details.
|
\/
During this time, you start capturing and recording packets, it is then possible
to EDIT the content of each packet, so the packet we edit contains this JSON
parsed data:


This is not my image, I got this from someone who told me about it.

|
\/ 
We can now edit that field and resend the packet if the sniffer has such a feature.
|
\/ 
The original packet has now been edited and the Server will use this altered info
instead.

Iā€™d rather not answer the first question.
I hope this provides some basic insight to how it actually works.
Explanation for educational purposes only.

Thatā€™s a good looking script my friend!
I believe the engineers have pushed out a rapid patch and it will most likely be fixed platform wide soon! :heart:

It doesnt work anymore, its patched

1 Like

Great to hear that itā€™s patched! Iā€™ve been seeing this too often, itā€™s pretty deadly, but now itā€™s harmless :sunglasses:

Decent script this sure be useful for my game but it definitely wonā€™t kick random people who just trys and joins the game?

Just in case, im gonna use it :wink:

This should be patched now.

In the future, DisplayName will often not be the same as UserName. So I wouldnā€™t keep the script around long-term. For the weekend and possible a bit longer, DisplayName and UserName will be the same ā€“ even if the user has a different DisplayName. (I think it is mostly test accounts that have different DisplayName.)

You canā€™t spoof userid because part of this data is a digital signature of select fields. when the server reconstructs the signed message from these fields, it will not be able to verify that the signature is correct. More fields have been added to this.

10 Likes

Thatā€™s nice to hear! Iā€™ve seen multiple exploiters do things like this though I donā€™t know if itā€™s name spoofing because they had a username longer that 20 digits.

Talking about exploiters do you guys have plans to stop them completely?

Thereā€™s no way to completely stop exploiting.

5 Likes