Name Spoofing Patch

Resources Community Resources
,
#7

You can use another function that was provided by the PlayerService.
GetUserIdFromNameAsync and GetNameFromUserIdAsync
Example

game.Players.PlayerAdded:Connect(function(Player) 
    local RealName = game.Players:GetNameFromUserIdAsync(Player.Name)
    local RealId = game.Players:GetUserIdFromNameAsync(Player.UserId)
    if Player.Name ~= RealName then return Player:Kick('ping spoofing') end
    if Player.UserId ~= RealId then return Player:Kick('ping spoofing') end
end)
1 Like
#8

But exploits can’t inject in to the game so fast.

#9

The exploit isn’t done with any injection exploit such as Synapse. You can modify these values in Cheat Engine or via Fiddler (which the public leaked method uses) to edit the information sent in the JoinData.

This data is set before the client even has joined the game.

1 Like
#10

I was told using those functions they just returned the spoofed values, I assumed from that they just check for the player instance in-game and grab the values from that instance but i’m not sure, this may also work.

2 Likes
#11

Hah, that’s why I had someone called “John Doe” in my game.

5 Likes
#12

This reply in another topic makes it sound like this doesn’t work—it just gives the exploiter’s UID—but based on others in the thread it should be patched soon. Hopefully the testing process is fast enough that it’ll be live soon.

3 Likes
#13

Doesn’t look bad and easy to make lol but thank you very much

#14

And that is a damn problem already

#15

i feel like this is too much code for just one thing,
this can be accomplished like this in only a few lines

local HttpService = game:GetService("HttpService")

game:GetService("Players").PlayerAdded:Connect(function(plr)
	local success, data = pcall(function()
		return HttpService:JSONDecode(HttpService:GetAsync("https://api.rprxy.xyz/users/"..plr.UserId)).Username
	end)
	if plr.Name ~= data then
		plr:Kick("Invalid Name")
	end
end)
#16

If the player is in game then yes it will return the spoofed value, it’ll only return the correct value if the player isnt in game.

#18

That would kick every player as it’s comparing player.Name to a table, for instance:

{"description":"There's peace in solitude.","created":"2009-08-20T17:41:27.387Z","isBanned":false,"id":4225178,"name":"Rdite","displayName":"Rdite"}

Additionally if the request just fails it will also kick the player if they weren’t already kicked by the fact that it’s comparing a table to a string.

#19

Actually it takes the username index if you scroll on a little more
image

But it seems roblox just did a patch anyways, don’t know how long it’ll last if it does.

1 Like
#21

Apologies, I am blind and stupid.

#22

No no, don’t call yourself stupid lol

2 Likes
#23

Hopefully this patch will be the final and only one needed, from what I’ve heard this has been known since 2019, but only recently surfaced.

#24

Its patched as the new signature has been rolled out according to the FFlag watcher. https://fflag.eryn.io/history/PCDesktopClient/DFFlagTestFullSig42

#25

The rprxy.xyz site is quite neat.

#26

This is a network vulneurability and not a traditional exploit. It’s done by modifying the information that is sent from the client to the server before the client loads in, therefore things like playeradded will fire after the info has already been spoofed

#27

A roblox staff just said name spoofing was patched now. (Well for DisplayName)

#28

Username spoofing was patched aswell.

1 Like