Despite Roblox’s announcement that PromptPurchase has been disabled on the client for UGC items (as referenced in "PromptPurchase callable on client?"), there remains a vulnerability allowing users to purchase limited UGC items through client-side scripts.
I recently uploaded a limited UGC asset that was immediately purchased by multiple users exploiting this vulnerability. The issue appears similar to the one described in this post: "Prompt UGC Limited Purchase through client? [URGENT]"
Steps to reproduce:
1. Upload a limited UGC item to the catalog
2. Users can still execute client-side scripts using MarketplaceService to bypass intended purchase limitations
3. This allows exploiters to potentially purchase all copies of limited items before legitimate users have a chance
This vulnerability undermines the integrity of limited UGC releases and affects creator revenue potential.
Expected behavior
I expect that all UGC purchase functionality should be properly server-side only, with no client-side purchase capabilities for limited UGC items.
A private message is associated with this bug report