So I recently made a custom chat GUI, but I realised that I use a RemoteEvent to display chat messages, which means exploiters can impersonate someone or give themselves chat tags.
How could I prevent this?
Not sure if this is important, but here are the things needed for the message to be displayed:
- sender (the player who fired the RemoteEvent)
- playerName (the name that displays on the chat message, read more to see why)
- senderMessage (the message a player sent in chat)
- tags (a table of tags displayed on the chat message)
- isPlayerReal (a bool to specify if the player that sends the message is actually real, so you could do system messages, etc.)
- sendPlayers (a table of players that can see the message)
After the RemoteEvent gets fired, it then removes whitespace, filters the message and fires itself to the clients specified in the sendPlayers table.
The clients receive all the data and display the message in chat.
How do I prevent exploiters from impersonating someone, and make this whole system safe?
If you are using a RemoteEvent you don't need to send the playerName as an argument, because the first parameter on the server is the player instance, which you can get the name from. You probably made other security mistakes similar to that. You should probably check the article on Remote Events on the Developer Hub.
Don't check this information on the client side; make sure you check it on the server side via Scripts and not LocalScripts, or they can exploit a way around the checks by firing it themselves.
The server will fire server messages, so there shouldn't need to be those types of checks, as you don't need to use a RemoteEvent for when it comes in, right?
playerName shouldn't be used if the sender is already known; you should probably make it so that playerName can be fetched from the sender through some server-sided value if it differs from the sender's actual name (which is why I assume you're passing it). System messages can also be sent from the server, using :FireAllClients() and having an event retrieve it on the client.
So I came to the conclusion:
- Completely ditch playerName, and just do sender.Name on the server
- Store the tags in a folder inside the player object, and again, check it on the server
- The only damage exploiters can do now is that they can change the message they send, which isn't harmful at all since it gets filtered anyway
- They can change what players see the message, which isn't really a big deal
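The server-side handler that follows from the conclusion above, as an added example that is not code from the thread or from the original poster's game: identity is taken only from the first argument of OnServerEvent, tags are read from a server-owned Folder under the Player, the message is filtered per recipient, and the client-supplied recipient list is validated before use. The RemoteEvent name "ChatEvent", the Folder name "Tags", the length limit and the rate limit are assumptions for the example.

```lua
-- Added example (not from the thread). Server Script, e.g. in ServerScriptService.
-- Assumes a RemoteEvent named "ChatEvent" in ReplicatedStorage and a Folder
-- named "Tags" under each Player that only server code populates.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")
local TextService = game:GetService("TextService")

local ChatEvent = ReplicatedStorage:WaitForChild("ChatEvent") -- assumed name

local MAX_MESSAGE_LENGTH = 200 -- assumed limit
local MIN_INTERVAL = 0.5      -- assumed minimum seconds between messages per player
local lastSent = {}           -- Player -> os.clock() of the last accepted message

-- Tags come from the server-owned Folder; the client never sends them.
local function getTags(player)
	local tags = {}
	local folder = player:FindFirstChild("Tags") -- assumed Folder name
	if folder then
		for _, value in ipairs(folder:GetChildren()) do
			if value:IsA("StringValue") then
				table.insert(tags, value.Value)
			end
		end
	end
	return tags
end

-- Only keep Player instances that are still in the game; anything else
-- (wrong type, players who left, empty list) falls back to everyone.
local function resolveRecipients(sendPlayers)
	if typeof(sendPlayers) ~= "table" then
		return Players:GetPlayers()
	end
	local recipients = {}
	for _, candidate in ipairs(sendPlayers) do
		if typeof(candidate) == "Instance" and candidate:IsA("Player") and candidate.Parent == Players then
			table.insert(recipients, candidate)
		end
	end
	if #recipients == 0 then
		return Players:GetPlayers()
	end
	return recipients
end

-- System messages originate on the server only, so they never pass through OnServerEvent.
local function sendSystemMessage(text, tags)
	ChatEvent:FireAllClients("System", text, tags or {}, false)
end

ChatEvent.OnServerEvent:Connect(function(sender, senderMessage, sendPlayers)
	-- Every argument except `sender` is attacker-controlled: check type and length first.
	if typeof(senderMessage) ~= "string" then
		return
	end
	senderMessage = string.match(senderMessage, "^%s*(.-)%s*$") -- trim leading/trailing whitespace
	if #senderMessage == 0 or #senderMessage > MAX_MESSAGE_LENGTH then
		return
	end

	-- Per-player rate limit so one client cannot flood the server with filter requests.
	local now = os.clock()
	if lastSent[sender] and now - lastSent[sender] < MIN_INTERVAL then
		return
	end
	lastSent[sender] = now

	-- FilterStringAsync can throw (e.g. during a service outage), so wrap it in pcall.
	local ok, result = pcall(function()
		return TextService:FilterStringAsync(senderMessage, sender.UserId, Enum.TextFilterContext.PublicChat)
	end)
	if not ok then
		return
	end

	local tags = getTags(sender)
	for _, recipient in ipairs(resolveRecipients(sendPlayers)) do
		-- Filter per recipient so each receiver's own filter settings apply.
		local okChat, filtered = pcall(function()
			return result:GetChatForUserAsync(recipient.UserId)
		end)
		if okChat then
			-- Display name comes from `sender`, never from the client; isPlayerReal is always true here.
			ChatEvent:FireClient(recipient, sender.Name, filtered, tags, true)
		end
	end
end)

Players.PlayerRemoving:Connect(function(player)
	lastSent[player] = nil -- avoid keeping references to players who left
end)

-- Example of a server-originated message (system messages never come from clients).
sendSystemMessage("Welcome to the server!", { "System" })
```

On the client side, the LocalScript only fires ChatEvent with (message, recipients) and renders whatever arrives through OnClientEvent; it should never be trusted to supply a name, tags or the isPlayerReal flag, because an exploiter can fire the RemoteEvent with any arguments they like.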