[HWID] Banning Users

Bump. This would be a useful feature, here’s a better way to implement:

string Player.IdentifierHash [readonly] [notreplicated]
Roblox GUID identifier for the player's IP (handled by backend server)

Instead of giving a hashed version of the player’s IP to the client (this would literally take seconds to crack assuming it was IPv4), run the player’s IP through a database of IPs and matching GUIDs on the backend (property would be accessible only by serverscripts), and then give them the matching GUID (or create one if the IP is new). Simple! The game developers have no way of getting their REAL IP, only a unique identifier for them.

“fix your scripts to not be exploitable” is not a valid reply for a feature like this.
“this isn’t a foolproof solution, they can just use a VPN!” There’s only 4 billion IPv4 addresses out there, and I doubt an exploiter has access to even 0.0000011641532182693481% percent of those 4 billion IPs. They will run out eventually.

A huge majority of the exploiters we ban in Phantom Forces are repeat offenders using alts or completely blank (stolen?) accounts. We have no defense against them – we patch an exploit, two more get found. It takes 5 seconds to make an account, and hours for us to work on patches/automatic exploit detections. Adding something like this would be extremely useful.

19 Likes

You’re mistaken. We are unable to (and probably would never be able to) access client’s IPs (neither have we been able to in the past).

1 Like

This has significant privacy concerns.

1
2

Why should an owner of an experience have access to your HWID? Something feels wrong about handing out HWIDs to anyone.

FWIW it’s trivial to hash the HWID to something anonymous, not that HWID is a privacy concern.

That’s much easier to bypass. There’s no place on your computer you can’t access and finding which directories/registries a program reads/writes to is a trivial task.

There’s methods of finding alts, however none involves IPs or HWIDs. Another popular game studio was able to find alts using Discord → Roblox verification bots.

Anything that slows down exploiters is not futile. Exploits DO use HWID to determine the user of the exploit, and to make sure multiple people aren’t using one account for any given menu.

It’s not really safe, in fact exploiters can change it easily.
It would just cause problems because someone could just access your HDWI and get you banned, in my opinion it’s not a good idea.

People cannot access your HWID unless you download something to let someone access it.

I mean, if roblox added this feature it would be pretty easy to get it by making the victim join in a roblox game.

“HWID” is not a built in feature of computers. This is usually just some value calculated by doing an operation (like hashing) on the serial numbers or other information of the installed hardware. It’s a concept rather than an universal value.

Exploits compute a HWID to identify because it’s good for whitelists, and because it’s not beneficial to try to mess with it if you’re already whitelisted. On the other hand, it’s terrible for blacklists, because it’s extremely easy to hook and spoof the code that retrieves the information from the hardware and randomize it or whatever. In fact, exploits already do this to avoid fingerprinting.

4 Likes

A ROBLOX Anti-Cheat claiming to be able to do HWID Bans? could be the solution to your problem

It’s not - the detection method here is a very basic and easily bypassable one. You literally just need to restart your PC, or overwrite the os.clock method.

raphtalia/RbxFingerprint: Demonstration of a privacy vulnerability in Roblox (github.com)

why did you send a github link? i dont use that

It’s a relevant link (aka a reference) which backs up my point that the detection method is easy to bypass. It’s up to you what links or websites you click.

1 Like

refrences can be done using Markdown for code…

I’m not going to derail the topic by discussing this further with you.

If you don’t want to read the reference I provided, I’m not compelling you to do so. I don’t see the need to embed a page when I can link the relevant repository instead. My point stands that the RoGuard Anti-Cheat will not help the poster of this thread with their issue in any way.

Definitely so, but still good for an average kid

welll what if someone gets hacked and banned cuz my old acount got hacked and then terminated so if they add this feature i’ll probably get banned