So I don’t have any plugins, I don’t have any viruses, free models, remotes, etc. but a exploiter still managed to see my server script. I am still wondering how thats even possible because of the nature of serverscripts, its like those “bigfoot caught on cam” type of things except I am the cam, because this exploiter messaged me my server script in like a pastebin and I was shocked to see it was exactly correct.
I have a theory: I am guessing this exploiter had some serious networking and cryptography knowledge or something because I think it is impossible to access server scripts using conventional exploiting methods if I am correct.
EDIT: He can’t change any server scripts but he still managed to decomplie it from its source.
Probably because you have a weakness/backdoor in your game, maybe you have a team create member that’s gone rouge, it could be anything really. I highly doubt that it’s anything related with networking or anything likewise.
That is the mysterious part, I don’t have any plugins, I checked, because I never downloaded any plugins since the start of like forever and team create is OFF.
I am very confused, its like you wonder how somethings happen that aren’t supposed to happen.
If the server script includes comments or variable names or preserves your formatting, it wasn’t decompiled. Someone developing your game (including you) is either compromised or leaked it.
If it looks decompiled, then it’s probably still the same as above because server scripts can’t be decompiled.
Thank you to everyone who added suggestions, but the truth is I don’t have any things on my game that can cause people to inject backdoors, perhaps they inject it from my local machine?
EDIT: @Autterfly I realised people can hack my account but I think that is unlikely because of 2FA correct me if I am wrong.
Server Script ByteCode isn’t sent to the local clients - Making it impossible to Decompile.
You would probably do a Sign out of all Sessions or change your password. There is a very slim possibility of this, but you account could be compromised and that is how he is retrieving this data. Again, a very small possibility bu tit is work a shot.
So, he got the source code to a server script. Do you know if you change the code right now, can he get the updated version? You might want to check that because you may have already removed the backdoor.
I know you said that you checked everywhere for a backdoor/problem, but if the problem is still arising, then it’s obvious that there is a hole somewhere in your security. Another question, have you shared the code with anybody?
Another culprit can be sending hints or parts of code through remote events to the client. If your code was taken from somewhere else, then he might have just searched up how your code functions and got the source. Lastly, the culprit could actually be if you are using HTTP requests to access the code this can easily be logged by an exploiter and will reveal the source code.
If none of this helps, you could try turning off HTTP requests just an extra measure and see if that does anything. (Backdoors cant send data out of your game to Discord Webhooks if it is off, and it will error in the console, giving the script away).
Yes, I know. But if someone has already got his .ROBLOSECURITY cookie then two-step verification is useless. It would be best to sign out of all sessions to reset the cookie if anybody has it.
I think even if they had a backdoor in their game, it would run at regular server script permissions and nothing greater. The Source property in scripts can only be used by plugins to write their scripts in the game, so it’s most likely a rouge dev
Most backdoors have an https check, so if it’s off, it’ll do their bypass (tp’ing to another game, logging, then tp’ing back), though Roblox did add a setting which blocks this
The only thing that can read source from a script and send it off in a Discord Webhook, etc is with using a plugin. Exploiters can only decompile Local and Module scripts if they are not in the parent of Server Script Service or Server Storage since the client cannot access that.
I know these kinds of scams, what I didn’t know is that discord has a single cookie throughout which means hackers could repetitively get into your account even if you try to prevent that from happening.
