How to patch exploit that fakes dev product purchases?

I’d say so but I’ve checked and unless it is a backdoor which I doubt I am quite puzzled with what it is, for now everything is all quiet so I’ll let you know if it happens again and what is what.

1 Like

Yeah definitely check every single script inside your game it is worth it trust me. You don’t want a backdoor sitting in your game

Also check your log-ins for any suspicious login activity on all of your accounts. You may have been hacked silently and didn’t even notice

1 Like

I have titan key on my account. I don’t think no one is breaking in anytime soon. And I usually do the login out of all session periodically just to be safe.

1 Like

Hi,

Developer of the original Wyvern (script kiddies have renamed it to “Wynerd”) script here, this script was supposed to be a script meant for the exploiting community to hunt vulnerabilities in games that offer free UGC items but keep the items behind a paywall. I made this script as a protest and fought for the idea “All FREE UGCs are supposed to be free! Not behind an absurd in-game task or a paywall!”

I wrote this script back in April of 2024, and this was meant to be used privately by a group of people who believed in the same idea, also known as “UGC Goblins.” However, this script was leaked by one of its users and as a result, my friend that goes by the alias “redblue” had to publish the script public.

You can fix the DevProduct exploit in your game by following the comments above my comment, simply just use ProcessReceipt instead of listening for when the PromptProductPurchaseFinished signal fires in the server.

This exploit works by calling a function that can only be called by CoreScripts, or any running threads with the identity of 3, 6, 7 or 8. It calls the MarketplaceService.SignalPromptProductPurchaseFinished function, which sends a packet to the server via RakNet to let the server know that a DevProduct purchase attempt was performed. In one of the arguments passed into the function, you can include true and get the event in the server to fire.

3 Likes

This is the solution so it really is what people thought it is and as far as what that person “dumbprogrammer69” just posted, no they are not special and they just admitted to breaking TOS so flag their message and just read the post I am sending since it contains important information about this issue

So with that in mind regardless of why it was made because that is just now history and some would say has its noble beginnings how would I go about ensuring this attack doesn’t work, either by patching it or by other means.

1 Like

You ensure it doesn’t work by not using it to handle purchases on the server. You should read the post I just sent here because it explains what you can use instead. I have a picture proving it is not safe for processing purchases.
Unsafe

Thread safety is not related to this topic. A signal or function with an unsafe thread safety simply means you can’t use it in Parallel Luau.

PromptProductPurchaseFinished is so UIs that pop up with “Processing Purchase” etc. know that that the prompt is closed, I dont know how many times I need to say

Do not use it to handle purchases.

it was deprecated for the longest time for this exact purpose, you should be using ProcessReciept for any server logic that relies on handling the purchase itself.

I dont care if the API is harder than a simpler event, its done this way intentionally.

2 Likes

You would be surprised to know that more than 1% of Roblox games with DevProducts are vulnerable to this type of vulnerability.

I am not surprised people are using this event to handle purchases because they dont want to learn what a callback is. I assume the reason is that other prompts are handled through the event (and you should still check they own the item within the check)

1 Like

So just incase anyone is wondering I only use PurchaseReceipt and that was at once only once I had problems with, could be a fluke or was slightly improperly configured but was somehow spoofed. As of current yet to see them break it again but if it happens I’ll be sure to let you know with all my findings.

1 Like

Could you provide the script that you’re using to handle purchases? It could be improperly configured, or another vulnerability has been discovered that allowed the client to spoof a successful DevProduct purchase that even works for PurchaseReceipt callbacks. Such vulnerability would have so much impact that I bet anyone who discovers it would just report it to Roblox’s HackerOne and get more than 10K USD as a reward as well as a pat on the back.

1 Like

That is the thing that is unclear, I guess time will only tell. I’ve setup a lot of debugging to triple-check if that ever occurs so if it really can do that I’ll be sure to let everyone know including roblox. I’ve already provided above the script with only minor changes on my mind.

1 Like

Exploiters can fire SignalPromptGamePassPurchaseFinished with the isPurchased parameter as true anytime, so make checks to see if they already received their reward with PromptGamePassPurchaseFinished.

It’s honestly not even that hard.

People are just not bothered:

  • to read docs FIRST
  • to learn what a callback is
  • -in general.

In all brutal honesty, if someone can’t be bothered to write good and sound code that involves the real-world money of players, it’s a shame on them.

This is a serious matter.
You can’t get complacent when you’re writing code that involves actual cash of your players.

Let this be a lesson.
You lads seriously just let an exploiter school you.

And it’s crazy that my solution took 6 months to blow up.
Imagine the damages between those 6 months - and the period before I even posted it.

Nah. The real shame is the lack of good teaching. I’m 100% self taught in Lua and I didn’t learn it from “reading docs”… I learned it from taking people’s existing scripts on some shady websites(we do a little slim shady :joy: ) and editing them to see what they do and I did this for many months until I eventually started to understand all of it. I don’t care what people think. Being honest, the only reason that dude was able to school everyone is because that’s the only good way to learn code anyway :joy_cat: The rabbit has to come out of the hat eventually :wink:

1 Like

Oh yeah and if you think it’s some coincidence that Roblox hired literal exploiters aka the creators of Synapse to join their team… trust me, it’s not a coincidence :joy: they know how people learn to become so good at coding. They aren’t dumb. That’s just the problem. They’re smart. It saves them time and money to not teach people anything and force them to figure it out all on their own…

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.