Is it true that hackers can change their userid?

I’m being told that hackers can trick the server into thinking they have a different userid and therefore access some of my cheat / admin / debug stuff.
I just can’t believe it’s possible, I can’t imagine that replicating to the server, and I’d have a lot bigger problems than speed hackers and noclippers if they did, but the person telling me is pretty insistent, so I’m double checking.

5 Likes

I’ve never heard of that being possible, I don’t see how it could be, and I don’t believe that it is. If it were then people would be spoofing each other in popular games and messing with other players’ saved data.

13 Likes

Perhaps they were tweaking the user ID locally only, and their victim had used the userID for some security check in a local script?

I too haven’t heard of such an exploit, but I’ll admit I’m never up to date on exploits. This one doesn’t seem the most likely, though.

8 Likes

I strongly doubt that this is possible. Plus, if it is, the client will have to bypass the ‘The current identity (#) cannot set a Player’s ID (lacking permission 4)’ error message that appears whenever a script tries to set a player’s UserId.
As Permission 4 is any script authored by Roblox, this is virtually impossible.
If they somehow managed to do so, as it won’t replicate to the server, it really should not cause too much harm if the server handles all Data/Admin/Debug things.

5 Likes

Due to the nature of the Identities not being really secure in any way, other than a message that blocks developers, exploiters can locally change their UserId to wreak havoc on games that might not be maintained anymore, or games that have bad coding practices.

3 Likes

Locally, yes. On the server, no.

22 Likes

There used to be an exploit that could be done to trick the server into thinking a RemoteEvent was being called by someone else, but it was patched several years ago. No cases to my knowledge of attackers changing user ids on the server.

3 Likes

I’m almost certain that’d be impossible, as far as I know exploits only affect the user’s client and not the server. So yes, they may be able to trick localscripts into seeing a different userid, but not server scripts.

At the very least, it used to be possible with something as simple as Cheat Engine when games weren’t using FilteringEnabled, but alas that was long ago. Exploiters, like Kampf said, can only change it locally, so truthfully there isn’t much to worry about in this isle.

I’m surprised that the UserId property hasn’t been switched to read-only at this point. It has a hard coded check to make sure it can only be written to in an elevated thread, and this was used when game joining was previously handled in Lua.

Since this is all handled in C++ now (and the Player is generated by the server), I think the property should just get marked as read-only in Lua. It could never be written to by developers anyway.

7 Likes

I guess, but it doesn’t really matter. Exploits can override the read only check.

6 Likes

It’s not possible, however as others have pointed out you can modify ANYTHING on the client so you always have to make sure to create server checks. If people are hacking into your admin console, you might want to replicate the admin gui from the server to the client only if the server detects the player is an admin. You also might want to verify on the server the player is an admin every time they run a command.

2 Likes
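
The server-side checks suggested in the post above, as an added example that is not part of the original thread. The RemoteEvent name `AdminCommand`, the `AdminGui` template, the `kick` command and the admin UserIds are assumptions made up for illustration.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; instance names are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

-- Constructed placeholder UserIds; replace with the real admin ids.
local ADMIN_IDS = { [1111111] = true, [2222222] = true }

-- Hypothetical instances: a RemoteEvent for commands and a ScreenGui kept server-side.
local adminCommand = ReplicatedStorage:WaitForChild("AdminCommand")
local adminGuiTemplate = ServerStorage:WaitForChild("AdminGui")

local function isAdmin(player)
	-- Read UserId on the server; a value changed on the client never reaches here.
	return ADMIN_IDS[player.UserId] == true
end

local commands = {
	kick = function(sender, targetName)
		-- Treat every client-sent argument as untrusted input.
		if type(targetName) ~= "string" then return end
		local target = Players:FindFirstChild(targetName)
		if target and target:IsA("Player") then
			target:Kick("Kicked by an admin")
		end
	end,
}

-- Only admins ever receive the GUI; ServerStorage contents are not replicated to clients.
Players.PlayerAdded:Connect(function(player)
	if isAdmin(player) then
		adminGuiTemplate:Clone().Parent = player:WaitForChild("PlayerGui")
	end
end)

-- `player` is filled in by the server for the client that fired the event;
-- it is not taken from the arguments the client sends.
adminCommand.OnServerEvent:Connect(function(player, commandName, ...)
	if not isAdmin(player) then
		warn(("Rejected admin command from %s (%d)"):format(player.Name, player.UserId))
		return
	end
	local handler = type(commandName) == "string" and commands[commandName]
	if handler then
		handler(player, ...)
	end
end)
```

The check runs on every command, so hiding the GUI is only a convenience: a client that fires the RemoteEvent directly is still rejected.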

Well, I’ve never heard of such an exploit, and like @Kampfkarren said it doesn’t matter to be honest, Exploits can override the read only check, so I’d assume it’s impossible, they’d probably be able to trick local scripts, but not server scripts. Good luck!