I was wondering how does an Exploit access a RemoteEvent, can they modify something using just a localscript or script? How can I protect my remote events?
Please help me, my game is getting famous and many exploiters are coming.
To answer your first question:
You need to know that every exploiter is using something called an executor. This executor only runs on the client, which means they can do anything that the client can do, which also means they can do:
RemoteEvent:FireServer()
To answer your second question:
No, they cannot modify anything that is not client-sided. The client cannot view the ServerScriptService or the ServerStorage, since these are only meant for the server.
To answer your third question:
To protect your RemoteEvents you need to check if the client is allowed to, do not check this on a localscript since an exploiter can just ignore these, always check something on a server script, exploiters can not view these scripts unless you’ve got a backdoor / virus inside your game, also always put your server scripts into the ServerScriptService.
They can only modify straight-up values and ModuleScript values, but they can only modify things that are replicated across the Roblox server/client boundary. Most exploits will run on Level 6 or 7, which is basically their environment permission level, level 10 being MAX and level one being garbage. Roblox Studio and the command line run on Level 4, while plugins run on Level 5 (access to CoreGui).
Wow, that helped me a lot. I will check everything on the server side now. Last question: exploiters can mess with ModuleScript in ReplicatedStorage?
Well, the ReplicatedStorage is a storage service which the client and the server have access to. ModuleScripts are just code containers. If you make a ModuleScript, think about who needs it: if only the server needs that ModuleScript, put it into the ServerStorage; if the server and the client need it, put it into the ReplicatedStorage. But if you don’t want anyone to read that ModuleScript while it is inside the ReplicatedStorage, you can just put it into the ServerStorage and use a RemoteEvent or a RemoteFunction, which will do your stuff inside the ServerScriptService and send it back to the LocalScript.
ok, thanks for the help, you just improved my roblox experience
Is script inside a Guide vulnerable?
What do you mean under guide?
Script in StarterGui
Sorry, I speak Portuguese.
I personally have never used a script inside the StarterGui, since I’ve never seen a use for it inside of there. Just a quick hint: everywhere you can put a LocalScript into, the client has access to that service as well.
ok, thanks
Also, I know it isn’t what you asked, but it is a great tip nonetheless: I would only trust scripts from the developer (wiki) and the devforum tutorials (or someone very reputable like a community sage). I’ve seen some YouTubers make a showcase for a script, then include a pastebin link for the script. Inside the pastebin is another link that takes you to some oddball website that will probably infect your device.
This advice is all encompassing, meaning don’t trust models with scripts in them or plugins (unless you do your research to confirm the owner of the plugin is reputable). Also, don’t accept modules that you must require by ID.
Please be extra cautious when dealing with other people’s code.
ok, thanks for your tip, I’ll use this from now on
So it’s important to keep in mind that exploiters can (and probably will) modify anything and everything on the client. This includes intercepting remotes, firing ClickDetectors from a distance, and triggering other parts of the game they normally could not.
When you’re making your game, it is essential for security that you:
- Implement server-sided ‘sanity’ checks for your game (e.g. is the player actually close enough to trigger this event, or can they actually afford the item they are attempting to buy).
- NEVER rely solely on remote codes/hashes/encryption to secure your remotes; exploiters can and will use your own security measures against you.
- Only utilize the client for user input and user display, keep as much logic as possible on the server.
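
A server-side handler applying the sanity checks listed above (argument validation, distance, affordability), as an added example that is not from the original thread. The RemoteEvent `PurchaseItem`, the `ShopCounter` part, the `Coins` leaderstat and the price table are all assumptions made for illustration.

```lua
-- Server Script in ServerScriptService (added example; all names are hypothetical).
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local purchaseEvent = ReplicatedStorage:WaitForChild("PurchaseItem") -- assumed RemoteEvent
local shopCounter = workspace:WaitForChild("ShopCounter")            -- assumed Part at the shop

-- Prices live only on the server; the client never sends a price.
local PRICES = { Sword = 100, Shield = 250 }
local MAX_DISTANCE = 15   -- studs
local MIN_INTERVAL = 0.5  -- seconds between accepted requests per player
local lastRequest = {}

local function canPurchase(player, itemName)
	-- Everything after `player` comes from the client, so validate type and value first.
	if typeof(itemName) ~= "string" then return false, "bad argument" end
	local price = PRICES[itemName]
	if not price then return false, "unknown item" end

	-- Rate limit per player so the remote cannot be fired in a tight loop.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then
		return false, "too fast"
	end
	lastRequest[player] = now

	-- Is the player actually close enough to the shop?
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root or (root.Position - shopCounter.Position).Magnitude > MAX_DISTANCE then
		return false, "too far"
	end

	-- Can they actually afford it? The balance is read on the server.
	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins")
	if not coins or coins.Value < price then return false, "cannot afford" end
	return true, price
end

purchaseEvent.OnServerEvent:Connect(function(player, itemName)
	local ok, result = canPurchase(player, itemName)
	if not ok then
		warn(("Rejected purchase from %s: %s"):format(player.Name, result))
		return
	end
	player.leaderstats.Coins.Value -= result
	-- Grant the item here, on the server only.
end)
Players.PlayerRemoving:Connect(function(player) lastRequest[player] = nil end)
```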