I am sure a lot of you guys have used free models in the past for a multitude of reasons, maybe because you don’t have a modeler, or for a showcase. Regardless of this, free models and even plugins can be dangerous sometimes.
Why is that? When a model is uploaded to Roblox, its creator can include scripts in it, and those scripts come along when you add the model to your game. Hopefully, you can see what I am getting at. Users with malicious intent normally create alt accounts to publish virus plugins and free models.
Inadequate removal of a malicious free-model/plugin virus script can result in a backdoor directly to your game. This allows exploiters to take control of the server and execute commands that could possibly nuke or destroy your entire game.
How to stay safe from free model scripts:
- Check for any local / server scripts within your free model and delete them.
- If you import a free model, check if a prompt that alerts you that the model will inject scripts into the game shows up.
- Do the following steps:
  - Start by opening the View tab and enabling Find All / Replace All.
  - The Find All / Replace All window will then open.
  - Type the following keywords (individually) into the Find box:
    - env
    - require
If you see a result, it is possible your game is insecure. Keep in mind that free-model scripts can ONLY come in with the model; they don't automatically add themselves to ServerScriptService. However, the next topic covers a more malicious sort of Roblox virus: plugin viruses!
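The script check and keyword search above can also be done in one pass over an imported model. This is an added example, not part of the original post: it assumes you select the model in Explorer and run the code from the Studio command bar, and the function names `scanSource` and `auditModel` are made up for illustration.

```lua
-- Added example: lists every script inside the selected model and each line
-- that contains one of the keywords from the steps above.
local KEYWORDS = { "env", "require" }

-- Return {line, keyword, text} entries for every keyword hit in a source string.
local function scanSource(source)
	local hits, lineNo = {}, 0
	for line in (source .. "\n"):gmatch("(.-)\r?\n") do
		lineNo = lineNo + 1
		for _, keyword in ipairs(KEYWORDS) do
			-- plain find (4th argument true): keywords are literals, not patterns
			if line:find(keyword, 1, true) then
				table.insert(hits, { line = lineNo, keyword = keyword, text = line })
			end
		end
	end
	return hits
end

-- Print every script under `root` (and `root` itself) with its keyword hits.
local function auditModel(root)
	local candidates = root:GetDescendants()
	table.insert(candidates, 1, root)
	local scriptCount = 0
	for _, inst in ipairs(candidates) do
		if inst:IsA("LuaSourceContainer") then -- Script, LocalScript, ModuleScript
			scriptCount = scriptCount + 1
			-- Source is readable from the command bar and plugins, not game scripts
			local ok, source = pcall(function() return inst.Source end)
			print(("[%s] %s"):format(inst.ClassName, inst:GetFullName()))
			for _, hit in ipairs(ok and scanSource(source) or {}) do
				print(("    line %d (%s): %s"):format(hit.line, hit.keyword, hit.text))
			end
		end
	end
	return scriptCount
end

if game then
	for _, root in ipairs(game:GetService("Selection"):Get()) do
		print(("%s: %d script(s) found"):format(root.Name, auditModel(root)))
	end
else
	-- Outside Studio: constructed sample so the scanner can be tried in plain Lua.
	local sample = "local m = require(script.Parent.Config)\nprint(m)\nlocal e = getfenv()"
	for _, hit in ipairs(scanSource(sample)) do
		print(hit.line, hit.keyword, hit.text)
	end
end
```

A hit is only a prompt to open and read that script, since `require` also appears in legitimate code.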
Plugin viruses are usually obtained by installing a malicious plugin that has permission to add scripts, or whatever else it wants, to your game. Plugin viruses are much harder to uncover than free-model viruses, and tracking them down takes a bit of time.
You can find out which plugin is causing this by investigating each of your plugins and checking who the creator is and what its like ratio is. If the creator's name is something related to plugin development like “Plugins4You” or “PluginCreator” or “PluginBuilder”, that should be a red flag. Keep in mind that you should always pay attention to the number of likes rather than favorites, because favorites can be botted while likes require you to verify your account in order to like a post.
Another thing to watch for is whether the plugin asks for permission to access your game. Thankfully, Roblox has recently added a feature that lets developers decide whether a plugin may access their game. Although some plugins require this feature, some may be obvious viruses. Ultimately, get plugins from creators you trust, and find them by searching on Google rather than in the Roblox library.
Hopefully, this guide helped a lot of y’all out there, especially the new developers. I distinctly remember back in my first project when backdoors were being added to my game and I did not know what to do.