:GetObjects meets requirements of InsertService

http://wiki.roblox.com/index.php?title=GetObjects_(Method)

I’ve seen this method used by exploiters to load custom scripts/models into a game. It disregards the security requirements of InsertService, which poses a huge problem.

Any developers have a use for this, or can it be deprecated/locked on all levels?

If it does have a use, I suggest that it meets the requirements of loading assets via InsertService:

  1. “When inserting a model, the model being inserted must be owned either by the creator of the place or the user “ROBLOX”.”
  2. “When inserting a model on the client (via a Local Script), the model must also have been created by the place creator or by ROBLOX. If your game needs to insert an asset in a Local Script, use a RemoteEvent or RemoteFunction like in this Example.”
  3. “The model must be trusted, otherwise any scripts it contains won’t be inserted.”

I don’t want this to die down, I just joined a game and there was billboard GUI porn.

GetObjects is a) unavailable from regular scripts, b) local (e.g. fetches asset from the process that asked for it, unlike InsertService)

Since you (to the best of our knowledge) can not elevate script permissions except for client-side hacks, exploiters should only be able to call this on a (hacked) client. So you can’t inject server scripts with this (which was the problem with InsertService btw), you can only make it easier to execute exploit code by loading it from a model locally.

[quote] GetObjects is a) unavailable from regular scripts, b) local (e.g. fetches asset from the process that asked for it, unlike InsertService)

Since you (to the best of our knowledge) can not elevate script permissions except for client-side hacks, exploiters should only be able to call this on a (hacked) client. So you can’t inject server scripts with this (which was the problem with InsertService btw), you can only make it easier to execute exploit code by loading it from a model locally. [/quote]

Exactly, it allows people to load up parts + localscripts that are not created by the owner, I’m asking if there’s a legitimate backend use to this, considering we don’t have access to it.

> I’m asking if there’s a legitimate backend use to this, considering we don’t have access to it.

We do use it for our purposes on the server.
I don’t think we ever use it on the client, but it is exposed to plugins so you can use it in Studio…

[quote] > I’m asking if there’s a legitimate backend use to this, considering we don’t have access to it.

We do use it for our purposes on the server.
I don’t think we ever use it on the client, but it is exposed to plugins so you can use it in Studio… [/quote]

Is there a way to make it server-side only?

We can probably make it server-side only. Note that - assuming a hacked client - there are also other methods that are good candidates for the attack you’re talking about, e.g. DataModel:get() and Workspace:InsertContent.

[quote] We can probably make it server-side only. Note that - assuming a hacked client - there are also other methods that are good candidates for the attack you’re talking about, e.g. DataModel:get() and Workspace:InsertContent. [/quote]

That would be wonderful if that was server-side only, there’s no reason to have it unlocked on the client if it’s not being used on the client.

I don’t see the get() method documented anywhere, so that’s a good thing.

What exactly is the difference between :InsertContent() and :LoadAsset()?