I was just wondering… Is it possible for an exploiter to change the player value that is returned in RemoteEvent.OnServerEvent() and RemoteFunction.OnServerInvoke()? Because a lot of my anti-exploit measures rely on the player value being returned is indeed the player that is firing the remote.
2 Likes
OnServerEvent - Nope.
OnClientEvent - Something like this did exist, but I’m pretty sure It’s patched.
1 Like
Player can be nil on the server, but as far as I’m aware there isn’t an exploit to change to another player.
Edit: This is not the case anymore.
The server will know what connection the request came from. It is not possible to fake a request. You would have to spoof the ip along with the correct packet.
1 Like
If I am correct, Exploits can change values sent to the server and see values sent to the client.
I have seen some users do this before, but it was roughly 4 months ago and I am not 100% sure if they still can change values. (Never seen anyone edit the player value for RemoteEvents etc just the values I send)
So an exploiter could anonymize the request in a way that would prevent the server from determining who sent it?
I’m testing it right now and it seems like the request was ignored, I’ll keep looking unless someone can confirm this was patched.
I can’t reproduce this anymore, the way it used to work is if an exploiter parented a remote to nil before firing to it, the player argument would be nil. Not sure when they fixed this. Tested this in accurate play solo, start server, and online.
2 Likes
Exploiters can change any arguments except for the Player argument. The server has an explicit check to verify that the Player argument matches the client the event comes from.
5 Likes
As @gskw said, client can modify any argument when firing remote, but also anything that invoke returns. You shouldn’t rely on client having correct data too much, always add checks on server.
2 Likes
From these replies it seems like you can’t. Thanks!
1 Like