Possible GamePass exploit

I created a gamepass that works but I am unsure if it can be exploited. The gamepass gives you a sword when you purchase it and whenever you respawn or load in. When I created the script, I noticed that when you buy the gamepass, it does not allow you to respawn with it as the game thinks that you still have not bought it, so I created a kind of toggle for first time buyers in the form of a remote event. The remote event named “PURCHASE” would normally be set to false for non-buyers and those who have bought it already and rejoined, but set to true for first-time buyers in the server so they can respawn with the sword. I am not sure if exploiters would be able to set “PURCHASE” to true so they can bypass buying it. I would like to know if this is even possible, and if there is a better way to write the script.

LocalScript in StarterPlayerScripts:

local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local SWORD = ReplicatedStorage:WaitForChild("SWORD") -- Remote Event
local PURCHASECHECK = ReplicatedStorage:WaitForChild("PURCHASECHECK") -- Remote Event
local MarketplaceService = game:GetService("MarketplaceService")
local gamepassID = 11579895
local PURCHASE = false -- Set to false for non-buyers and those who bought and rejoined/bought in store


PURCHASECHECK.OnClientEvent:Connect(function() -- FireClient(player) sends no arguments, so the handler receives none
	PURCHASE = true
end)


local player = Players.LocalPlayer

player.CharacterAdded:Connect(function(character) -- CharacterAdded passes the new character model, not the player
	repeat wait() until character.Parent
	local hasPass = false
	
	local success, message = pcall(function()
		hasPass = MarketplaceService:UserOwnsGamePassAsync(player.UserId, gamepassID)
	end)
	
	if hasPass or PURCHASE == true then
		SWORD:FireServer() -- the server receives the calling player automatically
	end
end)

Script in ServerScriptService:

local MarketplaceService = game:GetService("MarketplaceService")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Sword = ReplicatedStorage:WaitForChild("ClassicSword") -- The sword given by the gamepass
local gamepassID = 11579895
local SWORD = ReplicatedStorage:WaitForChild("SWORD") -- Remote Event
local PURCHASECHECK = ReplicatedStorage:WaitForChild("PURCHASECHECK") -- Remote Event

MarketplaceService.PromptGamePassPurchaseFinished:Connect(function(player, purchasePassID, purchaseSuccess)
	if purchaseSuccess == true and purchasePassID == gamepassID then
		print(player.Name.." purchased the game pass")
		local swordclone = Sword:Clone()
		swordclone.Parent = player.Character
		PURCHASECHECK:FireClient(player) -- This would turn PURCHASE to true to allow first time buyers in the server to respawn with sword
	end
end)

SWORD.OnServerEvent:Connect(function(player) -- Respawn with sword function
	local swordclone = Sword:Clone() 
	swordclone.Parent = player.Character
end)

This is definitely exploitable since any exploiter could just fire the event. What you could do is check if the player owns the game pass on the server before giving them the sword.

1 Like

Always check info on the server and not the client. Otherwise, an exploiter can just completely bypass your script and fire the remote.

I would use a remote function, and then return true/false from the server based on whether or not the user owns the gamepass.

1 Like
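The server-authoritative version that the two replies above describe (ownership checked on the server before the sword is given, and a RemoteFunction that only returns true/false), written out as an added example. This is not the original poster's code or anything from the thread; it assumes the sword Tool is named "ClassicSword" in ReplicatedStorage as in the post, and a RemoteFunction named "OwnsSwordPass" in ReplicatedStorage, which is a constructed name. The server listens for CharacterAdded itself, so the client never has to fire a remote to get the sword, and the "first-time buyer" state moves into a server-side table that nothing on the client can write to.

```lua
-- Added example (not the original poster's code): server-side gamepass check.
-- Assumes a Tool named "ClassicSword" and a RemoteFunction named "OwnsSwordPass"
-- in ReplicatedStorage; "OwnsSwordPass" is a constructed name for this example.
local Players = game:GetService("Players")
local MarketplaceService = game:GetService("MarketplaceService")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local GAMEPASS_ID = 11579895 -- the ID from the original post
local Sword = ReplicatedStorage:WaitForChild("ClassicSword")
local OwnsSwordPass = ReplicatedStorage:WaitForChild("OwnsSwordPass") -- RemoteFunction (assumed name)

-- Players who bought the pass during this server session. UserOwnsGamePassAsync
-- caches its answer, so a fresh purchase can still read as false for a while
-- (the behaviour the original post ran into). This table is the server-side
-- replacement for the client's PURCHASE toggle; the client cannot write to it.
local boughtThisSession = {} -- [UserId] = true

-- The only authority on ownership. It takes nothing from the client.
local function ownsPass(player)
	if boughtThisSession[player.UserId] then
		return true
	end
	local ok, result = pcall(function()
		return MarketplaceService:UserOwnsGamePassAsync(player.UserId, GAMEPASS_ID)
	end)
	return ok and result == true
end

local function giveSword(player)
	local character = player.Character
	if not character or character:FindFirstChild(Sword.Name) then
		return -- no character yet, or the sword is already equipped
	end
	local clone = Sword:Clone()
	clone.Parent = character
end

-- Grant on every spawn, decided entirely on the server; no RemoteEvent needed.
local function onPlayerAdded(player)
	player.CharacterAdded:Connect(function()
		if ownsPass(player) then
			giveSword(player)
		end
	end)
end
Players.PlayerAdded:Connect(onPlayerAdded)
for _, player in ipairs(Players:GetPlayers()) do
	onPlayerAdded(player) -- players who joined before this script started
end

Players.PlayerRemoving:Connect(function(player)
	boughtThisSession[player.UserId] = nil
end)

-- Record a successful purchase and hand the sword over immediately.
MarketplaceService.PromptGamePassPurchaseFinished:Connect(function(player, passId, wasPurchased)
	if wasPurchased and passId == GAMEPASS_ID then
		boughtThisSession[player.UserId] = true
		giveSword(player)
	end
end)

-- Optional: let the client ask, for UI only. Any arguments the client sends are
-- ignored on purpose; the player object comes from the engine, so a caller cannot
-- claim another identity, and the answer is computed from server-side data only.
OwnsSwordPass.OnServerInvoke = function(player)
	return ownsPass(player)
end
```

With this layout the RemoteEvents "SWORD" and "PURCHASECHECK" from the original scripts are no longer needed: a client that fires a remote gains nothing, because the only code path that parents a sword runs on the server and is gated by ownsPass. The one thing the client can still do is call OwnsSwordPass and read back true or false, which is harmless.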

You should do it in a server-side script, as server scripts cannot be decompiled by exploiters. Only client-sided things can be exploited, such as LocalScripts and RemoteEvents.

It probably is exploitable due to exploiters literally being able to change their own identity to yours; for example, they can change their ID to yours or to anyone who owns the gamepass, and then they'll automatically receive the gamepass for free.