Recently, I’ve been thinking of ways to prevent hackers from exploiting remote events. I came up with the idea to add passwords to remote events so hackers can’t just enter the parameters of the event and execute a random server function.
Example
Client:
local Event1Password = "6345342345557465!!!?????///erfdwerf"
Event1:FireServer(Parameter1, Parameter2, Event1Password)
Server:
local Event1Password = "6345342345557465!!!?????///erfdwerf"
-- OnServerEvent is a property (dot), and the first argument is always the firing player
Event1.OnServerEvent:Connect(function(player, Parameter1, Parameter2, Password)
	if Password == Event1Password then
		-- Blah Blah Blah
	end
end)
Is this a good idea? Is there anything else that would work similarly? Please let me know.
Anything on the client can be taken. Models, scripts, etc.
The only way I can think of doing something like this is a randomly generated cryptographic signature that updates every time the remote is fired (or is generated based on a date time) and has validation on the server, and then heavily obfuscated local script code. The problem is that security through obfuscation like this still doesn’t work; it just makes it a little bit more annoying to reverse engineer. If you put garbage functions that don’t do anything and obfuscate that alongside it, eventually it’d be really difficult to tell how the cryptographic signature is generated and how the event is fired, but it’s still not a perfect solution at all.
I have heard of games using passwords with remotes before; however, from what I gather the passwords don’t change on their own (it’s usually changed every now and then by the dev), meaning exploits would just fire it with the required password and be unaffected.
Even if you did create a password system AND it was incredibly difficult to find the password, exploiters are able to change the arguments in remotes before they are sent to the server, meaning that they could just edit the values to whatever they please.
Like someone said before, anything on the client can be taken and manipulated.
Even if the developer does change the key every few days or whatnot, exploits have the ability to get the arguments of a remote event call, thus being able to automate this.
Just do sanity checks on the server and you should be fine.
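What the server-side sanity checks recommended above can look like, as an added example that is not code from the original thread: the client sends only a target, and the server derives the damage from the equipped tool and checks types, distance and rate before acting. It assumes a RemoteEvent named Event1 in ReplicatedStorage and a tool with a "Damage" attribute; both are assumptions.

```lua
-- Added example (not from the thread). Nothing the client sends is trusted:
-- the only argument the server cannot spoof is the player passed by the engine.
-- Assumptions: a RemoteEvent "Event1" in ReplicatedStorage, tools carry a
-- numeric "Damage" attribute.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Event1 = ReplicatedStorage:WaitForChild("Event1")

local MAX_RANGE = 20       -- studs; the hit must be physically plausible
local MIN_INTERVAL = 0.25  -- seconds between accepted fires per player
local lastFire = {}        -- player -> os.clock() of the last accepted call

local function validateHit(player, target)
	-- Type check first: an exploiter can send any value, including nil or a string
	if typeof(target) ~= "Instance" or not target:IsA("Model") then return nil end
	if target == player.Character then return nil end
	-- Rate limit: legitimate-looking calls arriving in a burst are still rejected
	local now = os.clock()
	if lastFire[player] and now - lastFire[player] < MIN_INTERVAL then return nil end
	-- The attacker must have a character, an equipped tool, and be in range
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local tool = character and character:FindFirstChildOfClass("Tool")
	local targetRoot = target:FindFirstChild("HumanoidRootPart")
	local humanoid = target:FindFirstChildOfClass("Humanoid")
	if not (root and tool and targetRoot and humanoid) then return nil end
	if (root.Position - targetRoot.Position).Magnitude > MAX_RANGE then return nil end
	-- Damage comes from server-owned data, never from the remote's arguments
	local damage = tool:GetAttribute("Damage")
	if typeof(damage) ~= "number" or damage <= 0 then return nil end
	lastFire[player] = now
	return humanoid, damage
end

Event1.OnServerEvent:Connect(function(player, target)
	local humanoid, damage = validateHit(player, target)
	if not humanoid then
		warn(("Rejected Event1 from %s"):format(player.Name))
		return
	end
	humanoid:TakeDamage(damage)
end)

Players.PlayerRemoving:Connect(function(player)
	lastFire[player] = nil
end)
```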