I recently got sent a script that can crash any server on my game. After digging through the script a bit more I found that it works with any game that has roblox chat (of course testing it on my own games). The code is obfuscated but from what I can tell its using the roblox chat service to send millions of characters of data to the server. With this the ping increases by a lot and eventually crashes the server. This is a big problem that threatens any game with the roblox chat and needs to be fixed.
An output of what it looks like after running the script:
For now I will be using my own custom chat for my game as its a big issue for my game but this is mainly to warn other developers about using default chat.
For clarification this is run on the client in a localscript
If this is a script, shouldn’t this not be a problem because only the server can run scripts? This would only be a problem if it were a LocalScript, and I’m pretty sure ROBLOX disregards messages if messages are being spammed anyways, which makes this ineffective. This is only a problem on the server side, so wouldn’t that mean the solution is to simply not put such a script into your place?
I believe this is like saying that a script was sent to me that kicks all the players in a server. This could only happen on the server side so the solution is to just not put such a script into your place, as no script kiddie would be able to manipulate the server unless there’s a MAJOR security flaw, which is extremely unlikely.
If we call this post an exploit, then “exploits” are super easy to write in order to crash a server. Just take a loop and spawn loops in that loop and boom, too much memory is used and causes the server to crash.
TLDR
The awesome post below me from @Boele009 explains all of what I just said in one or two sentences.
Of course you can crash the server with a server-sided script; but exploiters can’t make a server-sided script, only a local script and that only let the player him/herself crash. So this isn’t a big problem I think
I’m assuming that this is a LocalScript that spams a RemoteEvent with an excessive amount of characters to lag the server. You should add a check to the default chat which kicks anyone who sends a message that is more than 300 characters long. Default chat doesn’t let you type that much by hand, and what you’re describing would trigger this to kick the player after their first :FireServer.
Either way, you’re still pressuring the server with 50 kb of garbage that it needs to process every second, even if it’s disregarded halfway through the pipeline.
You’re still running under the assumption that the default chat system filters excessively long messages. Sadly, this is not the case (take a look at ChatServiceRunner, line 145 where SayMessageRequest is handled). If the specified channel is “All” (usually done to lag out other clients), the attacker is having the server flood the remote event queue for all clients by hitting the 50 kb/s send/receive limit.
I do agree that you can look through the chat script and add a max characters but this also an issue with Roblox. Many games rely on the default chat and don’t know or don’t have the time to add their on patch to Roblox’s chat.
This does not mean in any way that it needs to be fixed. As said from the start, this isn’t really a problem because as @wow13524 said, the game would kick the player.
It likely kicked everyone because everyone had that LocalScript.
Now, to readress @wow13524 after rereading, this is a perfect solution. Kicking players for going past 300 characters would be a quick and easy fix to the problem.
Again, this is a snippet of code that one would inject into the game. It wouldn’t replicate to anyone else, but its purpose is to inflate the ping of everyone else in the game until they get kicked.
That’s a great idea, and exactly what my team is aiming to do as well. The default chat system doesn’t suit our needs and seems to need a lot of patchwork and involvement to get it to function the way we want.
