Passwords for remote events?

Recently, I’ve been thinking of ways to prevent hackers from exploiting remote events. I came up with the idea to add passwords to remote events so hackers can’t just enter the parameters of the event and execute a random server function.

Example

Client:

local Event1Password = "6345342345557465!!!?????///erfdwerf"

Event1:FireServer(Parameter1, Parameter2, Event1Password)

Server:

local Event1Password = "6345342345557465!!!?????///erfdwerf"

-- OnServerEvent always passes the firing player as the first argument
Event1.OnServerEvent:Connect(function(Player, Parameter1, Parameter2, Password)
     if Password == Event1Password then
          -- Blah Blah Blah
     end
end)

Is this a good idea? Is there anything else that would work similarly? Please let me know :smile:

The problem with the client is exploiters can just check the local script and have the password.

3 Likes

I thought exploiters could only detect if a script exists and not read it?

They could just get the password when it’s fired.

1 Like

Anything on the client can be taken. Models, scripts, etc.

The only way I can think of doing something like this is a randomly generated cryptographic signature that updates every time the remote is fired (or is generated based on a date time) and has validation on the server, and then heavily obfuscated local script code. The problem is security through obfuscation like this still doesn’t work; it just makes it a little bit more annoying to reverse engineer. If you put garbage functions that don’t do anything and obfuscate that alongside it, eventually it’d be really difficult to tell how the cryptographic signature is generated and how the event is fired, but it’s still not a perfect solution at all.

3 Likes

Exploiters can see anything on the client, including client arguments.

1 Like

This helps a lot, thanks :grin:

I have heard of games using passwords with remotes before, however from what I gather the passwords don’t change on their own (it’s usually changed every now and then by the dev) meaning exploits would just fire it with the password required and be unaffected.

1 Like

Is there any other way to protect remote events? I’ve had a hard time finding alternatives :pensive:

Even if you did create a password system AND it was incredibly difficult to find the password, exploiters are able to change the arguments in remotes before they are sent to the server, meaning that they could just edit the values to whatever they please.

Server-side sanity checks.

Like someone said before, anything on the client can be taken and manipulated.

Even if the developer does change the key every few days or what not, exploits have the ability to get the arguments of a remote event call, thus being able to automate this.

Just do sanity checks on the server and you should be fine
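
What the server-side sanity checks suggested in the replies can look like, as an added example that is not part of any post in this thread. The BuyItem remote, the price table, the limits and handlePurchase are assumptions made for illustration; the validation logic is plain Lua so it also runs outside Roblox.

```lua
-- Hypothetical shop remote (added example): the client sends only an item
-- name and a quantity; prices, balances and timing are server-side state.
local PRICES = { Sword = 100, Potion = 25 }   -- constructed catalogue
local MAX_QUANTITY = 10
local MIN_INTERVAL = 0.5                      -- seconds between requests per player
local coins = {}        -- [userId] = balance, held by the server only
local lastRequest = {}  -- [userId] = time of the last request that passed the rate limit

-- Returns true, or false plus a reason. No argument from the client is trusted.
local function handlePurchase(userId, itemName, quantity, now)
    -- 1. Rate limit: a remote can be fired in a tight loop.
    local last = lastRequest[userId]
    if last and now - last < MIN_INTERVAL then
        return false, "rate limited"
    end
    lastRequest[userId] = now
    -- 2. Type and range checks: arguments can be any value of any type.
    if type(itemName) ~= "string" or type(quantity) ~= "number" then
        return false, "bad argument type"
    end
    if quantity ~= quantity or quantity % 1 ~= 0 or quantity < 1 or quantity > MAX_QUANTITY then
        return false, "bad quantity"   -- NaN, fractions, negatives, huge values
    end
    -- 3. Look the price up on the server; never accept a price from the client.
    local price = PRICES[itemName]
    if not price then
        return false, "unknown item"
    end
    -- 4. Check server-held state before changing it.
    local cost = price * quantity
    if (coins[userId] or 0) < cost then
        return false, "not enough coins"
    end
    coins[userId] = coins[userId] - cost
    return true
end

-- In Roblox this would be connected like so (BuyItem is a hypothetical RemoteEvent):
-- BuyItem.OnServerEvent:Connect(function(player, itemName, quantity)
--     handlePurchase(player.UserId, itemName, quantity, os.clock())
-- end)

-- Constructed requests, including tampered arguments:
coins[1] = 150
print(handlePurchase(1, "Sword", 1, 0.0))    -- valid purchase
print(handlePurchase(1, "Sword", -5, 1.0))   -- negative quantity
print(handlePurchase(1, "Potion", 1, 1.1))   -- fired again too quickly
print(handlePurchase(1, "Sword", 1, 2.0))    -- balance no longer covers it
print(handlePurchase(1, {}, 1, 3.0))         -- wrong argument type
```

The player identity comes from the first argument Roblox supplies to OnServerEvent, not from anything the client puts in the call.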

Sanity check? Never heard of it.

edit: nvm sorry