Exploiters have too much power

Roblox should really do something about the current exploits. It does NOT matter if a game is FE or not but exploiters can just edit server scripts. It is ridiculous that this is even possible, and a danger to all games out there.
Here’s a screenshot of a guy who actually did this.

The GUIs with the green borders are the exploit.

Edit: this is The Lost Runner, which is FE.

4 Likes

Do you know if any other games were targeted by this new exploit? I wonder if there is an exploit with a particular networked object or not.

1 Like

I know The Lords of Nomrial was too.
Edit: which is also an FE game.

3 Likes

Sounds like more of a general complaint than a bug report.

I can’t report about something I know nothing about. This is also for ‘Exploit’ reports, which is what this is. The admins or other users may know more about this.

You can see in the screenshot that they can see the ancestry of all replicated instances. The source of server scripts should not replicate to clients AFAIK, and if you stick your server scripts in ServerScriptService the objects should not replicate at all.

If changes made to local scripts allow someone to cheat in your game, this seems more like bad programming practice. Sure they can patch an exploit perhaps by switching data in memory, but there is just going to be another exploit in a week or so. You have to assume an exploiter can execute code locally and can edit local scripts, that’s just how it is. Best thing to do is have someone audit your game for potential vulnerabilities.

2 Likes

They can’t do harm locally, but this one can just edit server scripts, and that’s what bugs me. The game is FE.

The source of server scripts is not replicated to clients, and if the scripts are in ServerScriptService the objects do not replicate to clients entirely. Staff have mentioned they put a million R$ bounty on an exploit that can see server script source in the past, and no one has claimed that recently. This is really unlikely.

This doesn’t mean you are automatically exploit-free, you need to code your game with good practice and security in mind as well. If you let players adjust their stats to whatever they want through remotes, then having FE doesn’t help you.
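The point made in the reply above about remotes, shown as an added example that is not part of the thread or any poster's code: a server handler that trusts a client-supplied value, next to one where the server owns the data and validates the request. The remote names `SetCoins` and `BuyItem`, the `PRICES` table and the `leaderstats.Coins` value are hypothetical.

```lua
-- Script in ServerScriptService (added example; all names are hypothetical)
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

local setCoins = ReplicatedStorage:WaitForChild("SetCoins") -- weak design
local buyItem = ReplicatedStorage:WaitForChild("BuyItem")   -- hardened design

-- WEAK: the client chooses the new stat value and the server applies it.
-- FilteringEnabled does not help, because the server itself makes the change.
setCoins.OnServerEvent:Connect(function(player, amount)
	player.leaderstats.Coins.Value = amount
end)

-- HARDENED: the client only names an item. Prices, balance checks and
-- rate limiting all live on the server.
local PRICES = { Sword = 100, Shield = 250 }
local COOLDOWN = 0.5 -- seconds between accepted requests per player
local lastRequest = {}

buyItem.OnServerEvent:Connect(function(player, itemName)
	-- Remote arguments can be of any type, so check before use.
	if typeof(itemName) ~= "string" then return end
	local price = PRICES[itemName]
	if not price then return end

	-- Drop requests that arrive faster than a real player could send them.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < COOLDOWN then return end
	lastRequest[player] = now

	-- Read the balance from server-owned state, never from the request.
	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins")
	if not coins or coins.Value < price then return end

	coins.Value -= price
	-- Grant the item here, on the server.
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- avoid leaking per-player state
end)
```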

The scripts on the server are all located in ServerScriptService; he still edits them.
I’m not stupid, I know what FE means and what it does.
Local is NOT a problem, I protected it all for that. But server-side editing is something I can’t do much about.

In any case, if you know the name of the exploit and where to download it, it should be included in the post. Not sure if staff will be able to do much with just a screenshot of a tool.

Once I have that information, I will include it in the post.

I highly doubt that.
Also, that screenshot is taken from the exploiter’s screen?
He could’ve taken a picture of a white wall and said it’s the back of a famous painting.

cough

You got any proof he actually edits them?

I don’t see the server-side services in your screenshot, and this

should be the other way around.

2 Likes

If you have any admin with loadstring capabilities (pretty much all of them – some even work with ServerScriptService.LoadStringEnabled disabled), that might be the issue. There might be some vulnerability in the admin which lets anyone run commands, including script-running. If you have admin commands in your game, you could try removing them and seeing if that helps with the server script editing. If you don’t, they could be inserting them from your models (apparently this is only an issue with non-FE games, but you could remove them from your models to be on the safe side)

How do you know this? How are server scripts’ behaviors changing?

I don’t use admin scripts.
The person who sent me this image told me that he could edit them, yet I’m still waiting for a further response from the person.

So you’re believing that server scripts can be edited… because some random person told you they could?

1 Like

Not some random guy, a real-life friend of mine. He has been speaking to this person, I’ll try to get more info about the exploit however.

Why wouldn’t he have the ServerScriptService on the GUI if he’s got all the other services?

The source code literally looks like an image smacked onto the old in-game explorer GUI from 2012 with some sort of photo editing software rather than actually being part of the exploit.

I have questions for @Nitefal:

  1. Are you 100% sure that the source of global scripts can be edited and this isn’t a hoax to scare you?
  2. Just confirming, you’re aware that the script he’s editing is in his Player rather than ServerScriptService, right?
  3. Are you sure PlayerScripts, parented to the Player in this screenshot, isn’t a LocalScript?
  4. If #3 is affirmative, does the code in the source window match the actual source code of the script?
  5. Has this exploit proven itself able to view and edit the source of your global script code in any other way?
  6. Why would they target just your game and Lords of Nomrial?

I know that nowadays, skids who buy their exploits off of v3rmillion talk out their asses with absolutely no idea what they’re saying, just trying to sound impressive. Things like “I HAVE LEVEL 7 SERVER SIDE BYPASS EXPLOIT CODE EXECUTION” is common jargon they like to throw around (even though it’s false and nonsensical)

Also, apologies if you’ve already answered any of the questions I’ve asked or they’re obvious. Just confirming.

7 Likes

Still gathering some information on the server-side editing.

  1. Not yet
  2. Yes
  3. It is a LocalScript
  4. Yes
  5. No
  6. Those are the 2 I know of

Edit:
This might clear up what I mean:
The Lords of Nomrial is also an FE game; the exploiter could still change anyone’s stats regardless of it being FE, not through events but by changing the source directly.

1 Like