Players.Chat not rate limited, can send large amounts of data to crash servers

Bug Reports Engine Bugs
#1

Please private or hide this message if it is considered an active exploit, thanks.

This method:
https://developer.roblox.com/en-us/api-reference/function/Players/Chat
does not seem to have a rate limit in data transfer. (though it is PluginSecurity, it is accessible on the client to exploiters)
This can be used to crash servers and disconnect other players.

Repro in studio:
Open studio and run two clients.
Run this on one client.

local Message = ("/".. "_____".." "):rep(100000)
for i = 1, 1000 do
    game.Players:Chat(Message)
end

Notice spike in “recv” network for the other client.

Screenshots:
Baseline RECV:

Capture d’écran 2021-01-04 à 5.51.38 PM
Capture d’écran 2021-01-04 à 5.51.38 PM1413×837 276 KB

Spiked RECV:

Capture d’écran 2021-01-04 à 5.50.29 PM
Capture d’écran 2021-01-04 à 5.50.29 PM1377×875 283 KB

I don’t have any “client code executors” to run this on live servers, but it will “crash” live servers, disconnecting other players on the server (confirmed to have seen this behaviour in action, and gotten reports).

I am currently using this code to mitigate this exploit:

--This event should not ever be used, kick if raised
local kick_on_chat_fn = function(player)
	local connection
	connection = player.Chatted:Connect(function(Message)
		player:Kick("Invalid")
		connection:Disconnect()
		warn("Kicked player because Chatted event was fired", player.Name)
	end)
end
game.Players.PlayerAdded:Connect(kick_on_chat_fn)
for _, player in pairs(game.Players:GetPlayers()) do
	kick_on_chat_fn(player)
end

Which kicks anyone that raises the player.Chatted event (I haven’t checked if default chat uses this event).

12 Likes
#2

tl;dr Yes it does.

When you use the chat bar, the chat scripts fire the SayMessageRequest remote, as well as an event called MessagePosted.
The event is created by using SetCore with CoreGuiChatConnections, and its direct callback is a corescript which calls game.Players:Chat(message).

So yeah deploying that code into a live game wouldn’t be the best idea, unless you edit the chat scripts and make them not fire MessagePosted.

Also you can fire MessagePosted manually to reproduce the spam in a live game without using executors.

6 Likes
#3

Hi, thanks for filing this. Is this issue still occurring?

#4

Yeah, can still happen. I’ve added the mitigation mentioned to robeats, but still affects most other roblox games (especially effective on roblox games that have large servers).

#5

Thanks for the report! We’ve filed a ticket to our internal database and we’ll follow up when we have an update for you.

Please note that filling a bug report does not guarantee that it will be fixed once triaged.

2 Likes
#6

Thank you for being patient. At this point this issue should be resolved! If this issue is still occurring, please create a new topic for us to look into.

5 Likes
#7

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.