Long DisplayName's can cause immense lag, crash clients and break GUI

DrKittyWaffles · July 25, 2020, 8:02pm

Directly related to DisplayName being spoofable when the client starts.

If a player is to spoof their DisplayName property, they can abuse this to crash servers.

If the name is long enough, players who look at the attacker’s character will receive great performance drops, and will see all of the UI on their screen disappear. Sometimes an entire client can freeze, making the game absolutely unplayable.

This happens when the DisplayName property is extremely long, usually a round 100k characters.

Can be fixed by fixing replication of Player.DisplayName or adding a limit to the character length.

Moonvane · July 25, 2020, 9:47pm

try using in a server script

player:GetPropertyChangedSignal("DisplayName"):Connect(function()
     if player.DisplayName:len() > 100000 then
          player:Kick("Display name hacking")
     end
end)

DrKittyWaffles · July 26, 2020, 1:06am

I’m fully aware, but a developer shouldn’t have to fix this themselves.

Radiakk · July 26, 2020, 4:31am

Their DisplayName is changed before they connect to the server and your code runs, and they can just make their name 99,999 characters long to bypass your check. This is not effective.

Try this, but bare in mind it will kick players who change their DisplayName legitimately, perhaps run a check before they are kicked to make sure they aren’t mods or admins with :GetRankInGroup()

Also, this is correct. However developers can use the following code as a remedy while it’s being fixed:

game.Players.PlayerAdded:Connect(function(player)
    player.CharacterAdded:Connect(function(character)
        local hum = character:WaitForChild("Humanoid")
        if hum.DisplayName ~= player.Name then
            print(player.Name.." was kicked for nickname spoofing")
            player:Kick("Nickname spoofing detected")
        end
    end)
end)

StolenGeometry · July 26, 2020, 10:14am

This absolutely is a serious issue. Recently, there’s been a surplus of malicious players abusing this functionality to cause immense lag in my, and my fellow Roblox developers’ games.

Roblox’s incompetence must not come at the cost of us developers. It’s absolutely crazy to think that they somehow thought that the client should be trusted with their DisplayName, MembershipType, AccountAge, etc. Now, it is us developers that pay the price for the Roblox engineers’ incompetence.

Exploiters abusing this bug have been destroying the economy of a game I develop: taking advantage of the MembershipType trust to grant themselves Premium benefits with hundreds of duplicate accounts; these accounts do not even grant any additional Premium Payout. Along with lagging our servers, they have completely destroyed our clientele’s satisfaction with our game. Ever since this has happened to us, our game has been getting disliked much more often.

Roblox developers should not be the ones constantly shielding their own games against exploits that arise out of the incompetence of Roblox’s engineers. This exploit is out of our reach, mostly. (We can’t do much about it without getting actual players in the crossfire.)

In my desperation, I appeal to you, fellow Roblox engineers, that you please patch this as soon as possible. Our livelihoods depend on your actions, and how soon you all can act in response to cases like this.

My friends and I, depend on Roblox as our main source of income, and these meddling exploiters (the ones abusing this vulnerability) are causing us to lose out on income. At this point, we have to worry about how we can ration our money to last us till the end of next month.

We’d hate to starve over something like this, and I hope that, in your hearts, that you please take this bug much more seriously. This bug has existed for a long time, and only recently, has this bug been paid closer attention to; but, at the same time, this bug has been released publicly, and now, its detrimental effects are being felt much more greatly, everywhere.

LordHenryVonHenry · July 27, 2020, 8:22am

Not to mention these spoofed display names entirely bypass the filter. (Obviously this would be sensible if they were verified given how often “LordHenryVonHenry” seems to go between being filtered and not filtered over the years, but given they are not verified sooooo….)
All it’s going to take is someone screenshotting some of the more recent usernames to join a few of the games that I’ve seen and that will be another news story for Roblox to do nothing about.

Now I’m just curious whether these accounts with fake premium membership are also messing up premium payout data, surely tracking playtime for premium payouts is done back-end on the server, but if servers had a backend way of checking membership type that ignored the client, why isn’t that used generally? Given how easy it has been for botted games to reach front page lately, and how easy it would be for someone to do this and spoof all of those bots membership types, why Roblox don’t see this as a more serious problem is beyond me.

(Payouts part speculation based on educated guess of how premium payout stats are calculated, will update in a few days when know if there has been a recent spike in premium playtime at same games this has been a problem at.)

Edit
As someone posted on the other thread regarding this issue, it seems to be on the change log.

https://developer.roblox.com/en-us/resources/release-note/Release-Notes-for-440

buildthomas · July 27, 2020, 11:04am

Let’s tone down on the drama. It’s very hard to release software without bugs, this is not something unique to Roblox. This was reported 2 days ago in the weekend so Roblox will not yet have had a chance to look into it anyway.

Meta_data · July 27, 2020, 3:15pm

This was actually reported privately back in February 2019.

SaIamancas · July 27, 2020, 5:37pm

I can confirm this, this vulnerability was reported to the HackerOne roblox bounty program more than a full year ago. I don’t think Roblox expected it to be publicly released as I’d expect that they have a confidentiality agreement of some sorts for any bugs or serious vulnerabilities reported there.

Why this hasn’t been patched for such a long period of time is the real question.

MetatableIndex · July 31, 2020, 10:06pm

This.

This is a critical issue. Exploiters are literally abusing this to gain access to perks and items they shouldn’t, whether it be by spoofing the DisplayName (you could argue using Name is bad practice, but a lot of people actually do this), or the Membership Type to gain access to premium perks on games.

This is an extremely important issue that should be considered critical. Why isn’t this being looked into yet?

PeZsmistic · July 31, 2020, 10:10pm

I think it’s pretty foolish to assume that just because engineers have not replied to this topic that they are not working on the issue. All bug reports get seen.

Further, this is very related:

NachtHemd · July 31, 2020, 10:11pm

Membership is already patched. Displayname isn’t critical since it’s trivial for developers to reliably patch it themselves.

AbstractAlex · July 31, 2020, 10:12pm

It’s not the developer’s job to patch exploits like this, please don’t imply that’s why Roblox hasn’t addressed it.

DrKittyWaffles · August 1, 2020, 1:25pm

An addition to the topic:

DrKittyWaffles · August 1, 2020, 6:54pm

It seems so. I can’t reproduce it anymore. Will keep marked as solution, or if a staff member replies I’ll mark their post.

TheMagicalTabby · October 14, 2020, 7:03pm

Hi SwagMasterAndrew,
Yes it has been a while since this issue is resolved by Roblox. Please let us know if you or any other developer can reproduce the problem.
Thanks for your collaboration
TheMagicalTabby

system · October 25, 2022, 10:14pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.