Free Limited Script Injection

Malicious users took away my limited item by injecting a script into the experience while the prompt itself hasn’t even been set up yet:

Item link: Tercyduk - Roblox

Expected behavior

Items should not be able to be taken when the prompt is inactive/not set up yet by the developer.

A private message is associated with this bug report

Thank you for the report. We have assigned this to our team for further investigation.

Do you perhaps have an admin system in your experience? There is unfortunately a known vulnerability with one of the popular admin systems which has a “!buy-item” command which prompts purchases on the server of any asset the requester wishes.


Hi, sorry to hear about the trouble with malicious users. Based on the video, it looks like the malicious user is triggering a remote event with the assetId of your item from a local script. Could the capability to trigger a purchase prompt, by having a local script trigger a server script function with an assetId, have been implemented in your experience?
Unfortunately, local scripts on Roblox are not secure, and users using hacked clients can add their own scripts to call your remote events defined in a creator's server script. One solution to this would be to implement checks in the server script to ensure that certain conditions have been met before triggering the purchase prompt. After careful examination, we confirmed that the reported behavior is by design.

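A sketch of the server-side checks suggested in the reply above, added here as an example and not taken from the thread or from the reporter's experience. The RemoteEvent name `RequestPurchase`, the asset IDs and the cooldown value are assumptions; the point is that the server decides from its own state whether an item may be prompted and treats the client's argument as untrusted.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; names are assumptions.
local MarketplaceService = game:GetService("MarketplaceService")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

-- Hypothetical RemoteEvent that the client fires to ask for a purchase prompt.
local requestPurchase = ReplicatedStorage:WaitForChild("RequestPurchase")

-- Server-owned sale state; clients cannot modify this table.
-- Asset IDs are constructed placeholders. Only entries set to true are promptable.
local FOR_SALE = {
	[1111111] = false, -- sale not set up yet: never prompt
	[2222222] = true,  -- sale is live
}

local COOLDOWN_SECONDS = 2
local lastRequest = {} -- [Player] = os.clock() of the last accepted request

local function isAllowed(player, assetId)
	-- Arguments come from the client and may be any type or value.
	if typeof(assetId) ~= "number" or assetId % 1 ~= 0 then
		return false, "bad argument"
	end
	-- Unknown IDs and inactive sales are both rejected (default deny).
	if FOR_SALE[assetId] ~= true then
		return false, "asset not on sale"
	end
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < COOLDOWN_SECONDS then
		return false, "rate limited"
	end
	lastRequest[player] = now
	return true
end

requestPurchase.OnServerEvent:Connect(function(player, assetId)
	local ok, reason = isAllowed(player, assetId)
	if not ok then
		-- Rejections are logged so repeated probing by one player is visible.
		warn(("Rejected purchase request from %s: %s"):format(player.Name, reason))
		return
	end
	MarketplaceService:PromptPurchase(player, assetId)
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- avoid leaking entries for departed players
end)
```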

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.