Name Spoofing Patch

GetNameFromUserIdAsync and GetUserIdFromNameAsync appear to just call the spoofed values so fun fun api request time it is.

pulls the name from users.roblox.com/v1/users using their UserId and compares to their in-game name, if the names are different they get kicked, kapeesh.

Haven’t really tested this properly, should work though. :+1:


function validateName(player)
	local userId = player.UserId

	local success, result = pcall(function()
	    local response = HttpService:GetAsync("https://users.rprxy.xyz/v1/users/".. userId)
		local data = HttpService:JSONDecode(response)
	
		return data["name"]
	end)
    
	if not success or not result then
		return
	end
    
	if player.Name ~= result then
		player:Kick("Name spoofing")
	end
	    
end

game.Players.PlayerAdded:Connect(function(player)
	validateName(player)
end)

please don’t bully me for my bad code

53 Likes

Good temporary patch until roblox fixes this issue.

6 Likes

They can’t spoof UserID’s though…

Well :GetNameFromUserIdAsync and :GetUserIdFromNameAsync seems to grab spoofed values, meaning that trying to compare values from those and the playerinstance will not work

5 Likes

Keep in mind this may also kick someone in the very rare edge case that they buy a username change while loading into a game. It might be worth looking into using get-by-username (which works with past usernames; try it with posatta!) and comparing if the UserId is the same as the one as it is the server.

6 Likes

You can use another function that was provided by the PlayerService.
GetUserIdFromNameAsync and GetNameFromUserIdAsync
Example

game.Players.PlayerAdded:Connect(function(Player) 
    local RealName = game.Players:GetNameFromUserIdAsync(Player.Name)
    local RealId = game.Players:GetUserIdFromNameAsync(Player.UserId)
    if Player.Name ~= RealName then return Player:Kick('ping spoofing') end
    if Player.UserId ~= RealId then return Player:Kick('ping spoofing') end
end)
1 Like

But exploits can’t inject in to the game so fast.

The exploit isn’t done with any injection exploit such as Synapse. You can modify these values in Cheat Engine or via Fiddler (which the public leaked method uses) to edit the information sent in the JoinData.

This data is set before the client even has joined the game.

1 Like

I was told using those functions they just returned the spoofed values, I assumed from that they just check for the player instance in-game and grab the values from that instance but i’m not sure, this may also work.

2 Likes

Hah, that’s why I had someone called “John Doe” in my game.

4 Likes

This reply in another topic makes it sound like this doesn’t work—it just gives the exploiter’s UID—but based on others in the thread it should be patched soon. Hopefully the testing process is fast enough that it’ll be live soon.

2 Likes

Doesn’t look bad and easy to make lol but thank you very much

And that is a damn problem already

i feel like this is too much code for just one thing,
this can be accomplished like this in only a few lines

local HttpService = game:GetService("HttpService")

game:GetService("Players").PlayerAdded:Connect(function(plr)
	local success, data = pcall(function()
		return HttpService:JSONDecode(HttpService:GetAsync("https://api.rprxy.xyz/users/"..plr.UserId)).Username
	end)
	if plr.Name ~= data then
		plr:Kick("Invalid Name")
	end
end)
1 Like

If the player is in game then yes it will return the spoofed value, it’ll only return the correct value if the player isnt in game.

That would kick every player as it’s comparing player.Name to a table, for instance:

{"description":"There's peace in solitude.","created":"2009-08-20T17:41:27.387Z","isBanned":false,"id":4225178,"name":"Rdite","displayName":"Rdite"}

Additionally if the request just fails it will also kick the player if they weren’t already kicked by the fact that it’s comparing a table to a string.

Actually it takes the username index if you scroll on a little more
image

But it seems roblox just did a patch anyways, don’t know how long it’ll last if it does.

1 Like

Apologies, I am blind and stupid.

No no, don’t call yourself stupid lol

2 Likes

Hopefully this patch will be the final and only one needed, from what I’ve heard this has been known since 2019, but only recently surfaced.