Need help stopping chat system RemoteEvent spam exploit

It would be possible by doing a simple for loop check in the players service. Here’s a quick mockup I wrote that could solve your issue:

--Script is server-sided

local Players = game:GetService("Players")

local TextLimit = 500

function PlayerChat(Player)
	Player.Chatted:Connect(function(Message)
		if #Message > TextLimit then
			Player:Kick("Your chat message is over the limit.")
		end
	end)
end

You just have to add the rest.

1 Like

Well without any further information, all I can say is check the folder it’s created in for scripts named x. If it’s found, then destroy it.

Alternatively, use on child added to check if something was added to the folder.

This would be if the code would run first or not.

Don’t forget to mark me as helpful I was in any way… :slight_smile:

I will look into this, thank you!

1 Like

I am reporting this instantly, thank you so much!

I’d just like to point out that kicking players is bad for user experience. It’s also a bad practice to patch exploits with band-aids. The best way to prevent exploits is attacking the source which is the system that fails to check for messages that are way over the chat text limit or how many chats that can be sent per minute.

Yes, but that doesn’t stop an exploiter from placing a new script in the same location with a new function.

If an injector is placing in scripts, that’s what needs to be stopped.

How did you even find that script in a server environment? I’d like to know more about securing my game, Eacrivion.

Roblox does stop them, but there is always a workaround. Its been this way for years.
You can’t prevent it entirely only temporarily. They’ve gone far enough to simulate the Roblox environment to get the API working.

No and sort of. You can use server and client preventative measures to detect if some behavior you don’t want is occurring or some unknown object enters the environment.

You know, an idea would be to have an internal function that checks to see if a script existed initially or not. You can’t script at runtime anyway. So if there’s a new script (asset id doesn’t exist) just remove it.

I’m sure there are a variety of injections, but this would solve this one.

Each asset must have a unique id I’m sure…?

I only gave him a base of what he could do. He could go for the remote and make an OnServerEvent function that checks if the message is over a certain length. I understand kicking is bad, but it’s one of the only options that he could do aside from deleting the message (which from what i understand might require some scripting).

Developers cannot stop exploiters from injecting scripts into their machine. It’s beyond what we can do. If you insert a script with a nil parent, there’s no way to detect this with ChildAdded or any API event. Exploiters can also insert scripts/objects into RobloxLocked containers that developers can no longer detect. The most we can do is try to stop what these scripts are trying to execute.

It’s a very old security flaw that engineers at roblox are trying to patch and until now, there seems to be ways around their patches.

If that’s the case then what is the point of making games? If I kick someone or I have a script that kicks someone, it’s so they have a bad user experience. Even if I just wait for a patch, it will get fixed, i’d rather tarnish my games experience as it’s for a once a week thing for a very certain experience then wait for a patch.

Keep in mind it is not normally possible to ‘Inject’ scripts into a ROBLOX Server instance and have it execute server-side. Furthermore, :FireServer() is not available on the server.

1 Like

If you found this in a toolbox model,There’s usually more ,Just search up “Script” in your Workspace or whatever,And it’ll show all the scripts in the game, Usually named "inject " ,“anti-lag”,“anti-exploit”,etc. just right click and delete it.

1 Like

I am aware of this. I was asking because if this script was on the server, he could have a malicious plugin that injected the script in studio.

If the script was on the server, then I don’t think it would be possible to “sends a lag storm”. This is because the script would not be able to run and an error would be displayed, as FireServer() is a client only method.

This seems like an issue on Roblox’s part. It’s spamming a default remote event made by Roblox’s builtin chat system which gets spammed to have a user repeatedly say a phrase. I recommend you learn how to make custom modules with Roblox’s chat system and make a custom module to prevent spam or find one. From what I know Roblox does already prevent spam though?

1 Like

Why can’t we just have nil parents no longer be a thing?

I mean, if it doesn’t have a parent, wouldn’t it not exist?

that is not possible unless you use a custom chat system that does not use remoteevents.

the client chatbox sends a request to the server asking it to post that message using that remoteevent.
and then this is considered a problem in the backend.

1 Like

Yes, but a remote event is required to send from client to server or visa versa.

Would be like trying to call someone without a phone.