Below post was based on misinterpretations of Roblox’ inner workings. The only risk PromptGamePassPurchaseFinished has is being able to re-trigger the signal. Read more
As the PromptGamePassPurchaseFinished event is unverifiable and fired from the client, it is unsafe to use this for granting perks. Preferably, a warning box should explain the risk of using this event.
Firstly, this is a bit of an iffy situation because there’s no real evidence other than a few low-quality videos of the supposed “exploit” in action. There’s been no source code provided and from what I can gather, the main issue is with PromptProductPurchaseFinished which is already deprecated and it states on the documentation to not use it for handling successful purchases.
If the issue does actually affect PromptGamePassPurchaseFinished, it is severely critical and the root vulnerability should be flagged with Roblox engineers ASAP rather than asking them to update the documentation to say that their systems are insecure.
P.S. Didn’t you state it was not a vulnerability, but rather a lack of knowledge to do with scripting yourself?
The entire discussion around this supposed exploit has really confused me as an experienced programmer who has had to patch methods of faking purchases in my games - the details are very mixed and unclear and if this vulnerability has existed for years, why is it only being brought up now? Where is the actual source code behind it and how it is accomplished? I really do doubt that Roblox would overlook this in their development of gamepasses.
For your verification, this is the tracked file for version 0.594 (7 months ago). As you can see with the LocalPlayer reference (and CoreScripts in general), this is a client-side script:
I have verified that this file remained unchanged in the latest version (file path: AppData\Local\Roblox\Versions\version-e2728ac197f84660\ExtraContent\scripts\CoreScripts\Modules\PurchasePrompt\Thunks)
A HackerOne issue has allegedly been marked as duplicate [source]. Roblox is aware but there’s understandably no direct solution to this:
Let me clear it up for you. There’s a reason why this affects only a small amount of games. We all use :UserOwnsGamepassAsync() to check if the player owns a gamepass. Some of us want to make the player experience better by granting the perks on purchase instead of rejoin (since :UserOwnsGamepassAsync() is still cached as false)
Unfortunately, this event is not safe to rely on by design, given that the client can trigger it and there’s no way to verify it server-side.
This is not a flaw, it is simply not intended for granting perks. This should explain my comment as well:
I appreciate you doing some research. I described it as “learning issue”, since the documentation is misleading on this right now. As long as the event is unverifiable, it should NOT be used for granting perks.