I’ve got a bunch of questions regarding CoreGui and it’s accessibilities.
First of all.
HOW do exploiters can access coregui if their script that gets attached is just a localscript but in nil?
HOW come their scripts can access to it by simple just using local gui = game:GetService("CoreGui"), whilst normal localscripts cannot?
WHY do clients have access to coreguis in the first place? You can’t access it on studio then why should you access it on the client(Player)?
WHY does it not have any securities or prevention? Why can’t roblox just implement a simple security that detects that a non-normal gui has been inserted by the client? They have all the powers to prevent this (CoreScripts) and (ChildAdded).
WHY does it not error lacking permission when exploiters try to access coregui service? Does that mean that their scripts have higher permissions than normal localscripts? Despite being just in nil?
I can give the why. It’s because you can’t detect it. Meaning they can put Gui in there and it would not be detected.
Also I agree with this
I’m aware you can’t detect anything in coregui, but it still doesn’t make sense that they can do anything with a service that is locked to “roblox” only with no consequences.
The simple answer is because exploits have the ability to run at an identity level that has the permissions to access CoreGui (along with many other protected Instances/properties/methods).
It should also be noted that exploit code doesn’t really use a script, and it is just there for compatibility reasons. Code from exploits are ran on their own threads that have higher permissions than normal client code does. Where the ‘scripts’ are located has nothing to do with their permissions (unless the script is a CoreScript from Roblox).
What kinda ability is that? Why does roblox not disallow that? To answer my question on why they have no security to prevent anything from inserted in coregui?, Does roblox not care about security at all? If they’re gonna have metaverse, they need security and response from their consumers.
I’ll 100% assure you that no big metaverse company is gonna like it when another company that’s related to their scheme has no absolute security or care on their own users.
Not to mention that the sponsored experiences and other metaverse related experiences have their own exploits released on day one, with no awareness to the company thats sponsoring, and they’re not gonna like it when their ADs has no security.
Roblox does a lot to prevent cheating with the available resources they have. The reason exploiters can still do this is the reason that every single game on the market has exploits: client-sided security can be bypassed. They can’t just ‘prevent’ things from being inserted into CoreGui because exploiters can just find ways to bypass that check (most exploits also now have a replacement for CoreGui that is completely undetectable by scripts so that wouldn’t even do anything). CoreGui is about the least of Roblox’s worries in terms of security, and Roblox already has a lot in place to try to mitigate cheating.
Yes they can,It’s their own service if normal scripts can’t even read the service, they can prevent anything from being inserted, reminder that corescripts exist for this reason.
No, they can’t. Exploits bypass any checks… that’s how they even function to begin with. CoreScripts don’t exist for the purpose of preventing cheating, they exist for handling certain game elements such as the escape menu and other internal elements.
Then how come when somebody tries to access CoreGui to prevent cheaters, roblox comes in and instantly patches it for “security reasons”?
Why can’t they do the same here?
Also corescripts are the main reason that normal scripts can’t access coreguis.
HOW do exploiters can access coregui if their script that gets attached is just a localscript but in
nil?
HOW come their scripts can access to it by simple just using
local gui = game:GetService("CoreGui"), whilst normal localscripts cannot?
WHY do clients have access to coreguis in the first place? You can’t access it on studio then why should you access it on the client(Player)?
WHY does it not error
lacking permissionwhen exploiters try to access coregui service? Does that mean that their scripts have higher permissions than normal localscripts? Despite being just in nil?
Exploits basically have a full control over everything that happens on the client’s Roblox process, since they(Client) are literally the one who is running everything. They can just say “I am the core identity here” and have everything unlocked to them.
Studio have permission restrictions put by Roblox team so you wouldn’t mess everything up by deleting some file in CoreGui, while the Client itself can just bypass it due to it running in an local environment.
Also the script being parented somewhere have no correlation to what it can access, as it’s just used more for the management really.
WHY does it not have any securities or prevention? Why can’t roblox just implement a simple security that detects that a non-normal gui has been inserted by the client? They have all the powers to prevent this (CoreScripts) and (ChildAdded).
CoreScript could easily be deleted I assume /shrug
It’s like you battling exploiters with LocalScripts, they just delete the measures and walk free, doing everything they want. Adding layers on top of layers of protection would just really delay the inevitable, which roblox team constantly does by having roblox hashes updated each thursday.
Because it can be easily abused, for example showing a custom UI over the leave button, or showing a UI over the purchase product button (which was abused before and scammed people out of their robux)
Also corescripts are the main reason that normal scripts can’t access coreguis.
Incorrect, internal script context levels are the reason that normal scripts cannot access CoreGui.
Then how come when somebody tries to access CoreGui to prevent cheaters, roblox comes in and instantly patches it for “security reasons”?
This is because normal scripts accessing CoreGui can be used maliciously for phishing/scamming purposes and other harmful actions. The whole reason Roblox prevents certain functions and Instances from being accessed is to prevent developers from abusing their abilities to execute malicious code. Exploits bypass these protections and gain access.
On the client:
The injects they use allow them to execute code on a higher permission level, like what @bmcqqq said.
On the replicated scripts:
Exploiters find a way to bypass CoreGui and place misleading or misinformation in core GUI to make it look like you are purchasing a 2 R$ hat when it is actually 1000 R$. This is just an example.
CoreGui exploits are very important to patch because they contain GUI that contains important information and is not intended to be modified.
How can a simple ChildAdded be abused?, If that’s not the case why not make a simple function who’s only purpose is for coregui detection? Basically only have it read anything being added with a simple server-sided kick function alongside with it? (Just like how GetPropertyChangedSignal() only works with properties.)
Why not do the same for the client too? Have an external detection at this point.
Because in that .ChildAdded function, a player could have added a new instance that’s a ScreenGui or worse.
They already attempt to do this, but it’s nearly impossible as exploit developers are very knowledgeable and patch them quickly. It isn’t as easy as you might think to patch these.
Kernel anti cheats are always possible. (Just look at valorant)
I don’t think you quite understand how exploiting works. Anything the client does can be bypassed by exploiters. A ChildAdded connection can be removed by an exploiter in a single line of code. Adding specific functions to prevent cheating would do absolutely nothing.
The reason Roblox, and every game on Roblox, has cheaters, and EVERY game on the market (Fortnite, Call of Duty, CS:GO, etc.) has cheaters despite having anti-exploit measures, is because cheaters will ALWAYS find a way to get around them.
Roblox is prioritizing protecting vulnerable young players from malicious game developers over exploiters because they know they cannot do anything much beyond what they already do. This is their choice and is ultimately the right decision.
Kernel anti cheats are always possible. (Just look at valorant)
Kernel anti-cheats are more effective, but still bypassable. Valorant, Fortnite, and other games with kernel-level solutions all still suffer from large amounts of cheaters. You aren’t going to get rid of it.