Roblox should really do something about the current exploits. It does NOT matter if a game is FE or not but exploiters can just edit server scripts. it is ridiculous that this is even possible, and a danger to all games out there.
here’s a screenshot of a guy who actually did this.
You can see in the screenshot that they can see the ancestry of all replicated instances. The source of server scripts should not replicate to clients AFAIK, and if you stick your server scripts in ServerScriptService the objects should not replicate at all.
If changes made to local scripts allow someone to cheat in your game, this seems more like bad programming practice. Sure they can patch an exploit perhaps by switching data in memory, but there is just going to be another exploit in a week or so. You have to assume an exploiter can execute code locally and can edit local scripts, that’s just how it is. Best thing to do is have someone audit your game for potential vulnerabilities.
The source of server scripts is not replicated to clients, and if the scripts are in ServerScriptService the objects do not replicate to clients entirely. Staff have mentioned they put a million R$ bounty on an exploit that can see server script source in the past, and no one has claimed that recently. This is really unlikely.
This doesn’t mean you are automatically exploit-free, you need to code your game with good practice and security in mind as well. If you let players adjust their stats to whatever they want through remotes, then having FE doesn’t help you.
The scripts on the the sever are all located in ServerSciptService, he still edits them.
I’m not stupid, i know what FE means and what it does.
Local is NOT a problem, i procted it all for that. But serverside editing is something i can’t do much about.
If you have any admin with loadstring capabilities (pretty much all of them – some even work with ServerScriptService.LoadStringEnabled disabled), that might be the issue. There might be some vulnerability in the admin which lets anyone run commands, including script-running. If you have admin commands in your game, you could try removing them and seeing if that helps with the server script editing. If you don’t, they could be inserting them from your models (apparently this is only an issue with non-FE games, but you could remove them from your models to be on the safe side)
How do you know this? How are server scripts’ behaviors changing?
Are you 100% sure that the source of global scripts can be edited and this isn’t a hoax to scare you?
Just confirming, you’re aware that the script he’s editing is in his Player rather than ServerScriptService, right?
Are you sure PlayerScripts, parented to the Player in this screenshot, isn’t a LocalScript?
If #3 is affirmative, does the code in the source window match the actual source code of the script?
Has this exploit proven itself able to view and edit the source of your global script code in any other way?
Why would they target just your game and Lords of Nomrial?
I know that nowadays, skids who buy their exploits off of v3rmillion talk out their asses with absolutely no idea what they’re saying, just trying to sound impressive. Things like “I HAVE LEVEL 7 SERVER SIDE BYPASS EXPLOIT CODE EXECUTION” is common jargon they like to throw around (even though it’s false and nonsensical)
Also, apologies if you’ve already answered any of the questions I’ve asked or they’re obvious. Just confirming.
still gathering some information of the server side editing,
it is a localscript
those are the 2 i know of
This might clear up what i mean:
The lords of nomrial is also an FE game, the exploiter could still change anyone’s stats regardless of it being FE. not through events but by changing the source directly.