Only other thing I can think is someone got access to an rbxl file of the game where they could see absolutely everything inside of it. I’ve seen it done before. Scary stuff

Both of them are under ServerScriptService and are by all means secure, my working theory still revolves around spoofing MarketplaceService somehow to make it appear as if a successful purchase was done when in reality it was not. However I have made changes already to Procress Receipt and now have double checked to ensure it is just like the roblox example so now we play waiting game, I also put up a lot of debugging to ensure stuff don’t happen,

Edit: Speaking of which this just happened and now I’m more puzzled than ever

image821×109 16 KB

This error is occurring because you are using a player object instead of their user id. Change the player object to the user id.

if MarketplaceService:UserOwnsGamePassAsync(player.UserId, gamepassID) then

Oh yeah shoot my bad there. I just realized my mistake

As far as the rest of what you said goes, exploiters just don’t think that far into this. I suspect it being related to the developer account being hacked/rbxl file being stolen/a hidden virus inside the game that allows an exploiter to require a module from their client and give themselves free stuff. There’s been plenty of stolen games floating around Roblox for quite awhile now. That in itself is a huge threat to Roblox security and Roblox still cannot do enough to prevent it

I’d say so but I’ve checked and unless it is a backdoor which I doubt I am quite puzzled with what it is, for now everything is all quiet so I’ll let you know if it happens again and what is what.

Yeah definitely check every single script inside your game it is worth it trust me. You don’t want a backdoor sitting in your game

Also check your log-ins for any suspicious login activity on all of your accounts. You may have been hacked silently and didn’t even notice

I have titan key on my account. I don’t think no one is breaking in anytime soon. And I usually do the login out of all session periodically just to be safe.

Hi,

Developer of the original Wyvern (script kiddies have renamed it to “Wynerd”) script here, this script was supposed to be a script meant for the exploiting community to hunt vulnerabilities in games that offer free UGC items but keep the items behind a paywall. I made this script as a protest and fought for the idea “All FREE UGCs are supposed to be free! Not behind an absurd in-game task or a paywall!”

I wrote this script back in April of 2024, and this was meant to be used privately by a group of people who believed in the same idea, also known as “UGC Goblins.” However, this script was leaked by one of its users and as a result, my friend that goes by the alias “redblue” had to publish the script public.

You can fix the DevProduct exploit in your game by following the comments above my comment, simply just use ProcessReceipt instead of listening for when the PromptProductPurchaseFinished signal fires in the server.

This exploit works by calling a function that can only be called by CoreScripts, or any running threads with the identity of 3, 6, 7 or 8. It calls the MarketplaceService.SignalPromptProductPurchaseFinished function, which sends a packet to the server via RakNet to let the server know that a DevProduct purchase attempt was performed. In one of the arguments passed into the function, you can include true and get the event in the server to fire.

This is the solution so it really is what people thought it is and as far as what that person “dumbprogrammer69” just posted, no they are not special and they just admitted to breaking TOS so flag their message and just read the post I am sending since it contains important information about this issue

So with that in mind regardless of why it was made because that is just now history and some would say has its noble beginnings how would I go about ensuring this attack doesn’t work, either by patching it or by other means.

You ensure it doesn’t work by not using it to handle purchases on the server. You should read the post I just sent here because it explains what you can use instead. I have a picture proving it is not safe for processing purchases.

Thread safety is not related to this topic. A signal or function with an unsafe thread safety simply means you can’t use it in Parallel Luau.

PromptProductPurchaseFinished is so UIs that pop up with “Processing Purchase” etc. know that that the prompt is closed, I dont know how many times I need to say

Do not use it to handle purchases.

it was deprecated for the longest time for this exact purpose, you should be using ProcessReciept for any server logic that relies on handling the purchase itself.

I dont care if the API is harder than a simpler event, its done this way intentionally.

You would be surprised to know that more than 1% of Roblox games with DevProducts are vulnerable to this type of vulnerability.

I am not surprised people are using this event to handle purchases because they dont want to learn what a callback is. I assume the reason is that other prompts are handled through the event (and you should still check they own the item within the check)

So just incase anyone is wondering I only use PurchaseReceipt and that was at once only once I had problems with, could be a fluke or was slightly improperly configured but was somehow spoofed. As of current yet to see them break it again but if it happens I’ll be sure to let you know with all my findings.

Could you provide the script that you’re using to handle purchases? It could be improperly configured, or another vulnerability has been discovered that allowed the client to spoof a successful DevProduct purchase that even works for PurchaseReceipt callbacks. Such vulnerability would have so much impact that I bet anyone who discovers it would just report it to Roblox’s HackerOne and get more than 10K USD as a reward as well as a pat on the back.

That is the thing that is unclear, I guess time will only tell. I’ve setup a lot of debugging to triple-check if that ever occurs so if it really can do that I’ll be sure to let everyone know including roblox. I’ve already provided above the script with only minor changes on my mind.