Name Spoofing Patch

xxibadrxx · August 1, 2020, 3:41pm

Doesn’t look bad and easy to make lol but thank you very much

xxibadrxx · August 1, 2020, 3:44pm

bacionhairmanfur2:

game.Players.PlayerAdded:Connect(function(Player) 
    local RealName = game.Players:GetNameFromUserIdAsync(Player.Name)
    local RealId = game.Players:GetUserIdFromNameAsync(Player.UserId)
    if Player.Name ~= RealName then return Player:Kick('ping spoofing') end
    if Player.UserId ~= RealId then return Player:Kick('ping spoofing') end
end)

And that is a damn problem already

Cristiano100 · August 1, 2020, 3:54pm

i feel like this is too much code for just one thing,
this can be accomplished like this in only a few lines

local HttpService = game:GetService("HttpService")

game:GetService("Players").PlayerAdded:Connect(function(plr)
	local success, data = pcall(function()
		return HttpService:JSONDecode(HttpService:GetAsync("https://api.rprxy.xyz/users/"..plr.UserId)).Username
	end)
	if plr.Name ~= data then
		plr:Kick("Invalid Name")
	end
end)

Cristiano100 · August 1, 2020, 3:55pm

If the player is in game then yes it will return the spoofed value, it’ll only return the correct value if the player isnt in game.

Rdite · August 1, 2020, 5:30pm

That would kick every player as it’s comparing player.Name to a table, for instance:

{"description":"There's peace in solitude.","created":"2009-08-20T17:41:27.387Z","isBanned":false,"id":4225178,"name":"Rdite","displayName":"Rdite"}

Additionally if the request just fails it will also kick the player if they weren’t already kicked by the fact that it’s comparing a table to a string.

Cristiano100 · August 1, 2020, 5:31pm

Actually it takes the username index if you scroll on a little more

But it seems roblox just did a patch anyways, don’t know how long it’ll last if it does.

Rdite · August 1, 2020, 5:34pm

Apologies, I am blind and stupid.

Cristiano100 · August 1, 2020, 5:34pm

No no, don’t call yourself stupid lol

Voxelinator · August 1, 2020, 5:40pm

Hopefully this patch will be the final and only one needed, from what I’ve heard this has been known since 2019, but only recently surfaced.

jack001214 · August 1, 2020, 5:43pm

Its patched as the new signature has been rolled out according to the FFlag watcher. https://fflag.eryn.io/history/PCDesktopClient/DFFlagTestFullSig42

MoonBounceGames · August 1, 2020, 8:58pm

The rprxy.xyz site is quite neat.

mysparetime · August 1, 2020, 9:19pm

This is a network vulneurability and not a traditional exploit. It’s done by modifying the information that is sent from the client to the server before the client loads in, therefore things like playeradded will fire after the info has already been spoofed

Xemptia · August 1, 2020, 9:24pm

A roblox staff just said name spoofing was patched now. (Well for DisplayName)

FTPSOW · August 1, 2020, 10:02pm

Username spoofing was patched aswell.

jack001214 · August 1, 2020, 11:09pm

I guess they were trying to get a new signing system for the old public key pinning method

ConvexHero · August 1, 2020, 11:27pm

There was a two part patch. The first part involved the membership type and account age as these were pretty safe to do. The second part added a handful of extra fields to the signed data, among these were UserName and DisplayName.

UltimateTxch · August 2, 2020, 2:45am

Will Roblox be patching this soon?

anon315037 · August 2, 2020, 5:03am

It’s already patched it seems like, look at the post above by ConvexHero.

UltimateTxch · August 2, 2020, 12:46pm

Oh alright. Thank you for the help!

Sailor_Bea · August 3, 2020, 2:58am