PromptProductPurchaseFinished Vulnerability Fix

I don’t see this as a vulnerability, this is just a learning issue. You’ve used the wrong event, the PromptProductPurchaseFinished is for interfaces.

The callback with ProcessReceipt is made because a developer product isn’t stored in the player’s inventory, unlike gamepasses & assets. If you call NotProcessedYet, Roblox will call the callback indefinitely to ensure reliability. This is unnecessary for gamepasses & assets.

bruh lol

3 Likes

You can’t recheck with MarketplaceService:UserOwnsGamePassAsync because it caches as explained here:

If the pass is purchased in-experience through PromptGamePassPurchase(), this function may return false due to the caching behavior.

Furthermore, Roblox has official documentation that implements the PromptGamePassPurchaseFinished event handler without rechecking, instead relying on the wasPurchased parameter.

See above

2 Likes

You can fake WasPurchase with SignalPromptGamepassPurchaseFinished…

Yes I know. I’m saying that the official documentation uses an implementation that is not secure. My point is that the MarketplaceService API does not provide a way to verify the in-game purchase of a gamepass that is both reliable and secure.

2 Likes

Do you have the source code for any of this??

game.MarketplaceService:SignalAssetTypePurchased(ticket: string, playerId: int64, productId: int64)
game.MarketplaceService:SignalPromptBundlePurchaseFinished(player: Instance, bundleId: int64, success: bool)
game.MarketplaceService:SignalPromptGamePassPurchaseFinished(player: Instance, gamePassId: int64, success: bool)
game.MarketplaceService:SignalPromptProductPurchaseFinished(userId: int64, productId: int64, success: bool)
game.MarketplaceService:SignalPromptPurchaseFinished(player: Instance, assetId: int64, success: bool)

^^ According to the API

For example, faking a successful PromptProductPurchase would be

game.MarketplaceService:SignalPromptProductPurchaseFinished(game.Players.LocalPlayer.UserId,1797531211,true)

1 Like

This sucks, that means exploiters can get free gamepasses with 1 line of code (rip, my money is wasted now because of exploiters until Roblox fixes this)

The documentation currently states that it should not be used for handling purchases but it’s not that evident, should most likely have a warning label and should mention that it’s vulnerable to exploits

2 Likes

what i’ve done to patch it for now is immediately re-checking directly with the API using https://inventory.roblox.com/v1/users/{userId}/items/GamePass/{gamepassId}. it doesn’t seem to cache from what i’ve tested, but it’s really inconvenient that people are going to need an entire roblox proxy just to make sure people can’t fake gamepass purchases

3 Likes

Billion dollar company btw, my games economy was almost destroyed. :+1:

1 Like

Billion dollar company and they struggle fixing this vuln but adding a useless topbar that no one asked for to the devforum doesn’t look like a big trouble for them.

2 Likes

Roblox has its priorities, this is obviously not important.

Genuinely, this is like one of the many examples of the insane disconnection to the community lol, no response to something this large is actually crazy.

2 Likes


It’s crazy what happens when you read.

3 Likes

are u sure PromptGamePassPurchaseFinished is vulnerable? because there is no processreceipt for gamepasses

Your first sentence made me almost write a whole paragraph, then I understood that it was ironic. :skull:

Get rid of it as fast as you can, you’re gonna have to find another way to track gamepasses.

It’s still a vulnerability, so it should be fixed either way.

still it’s a vulnerability

how about gamepasses? skids can just send a fake signal to the server and pretend to have all gamepasses in existence (aka free stuff without paying roblox piracy??)

i’ve tested this in my game and the PromptGamePassPurchaseFinished does not seem to be vulnerable, but the products were

you could say that remote events fired from the client are a vulnerability. you are given tools by roblox engineers and they tell you how to use them. you can’t sue a sewing machine company because you tried to hammer a nail in with it and broke the sewing machine

2 Likes
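The split described in the first reply, written out as an added example (not code from any poster or from Roblox's documentation): developer products are granted only inside the server-side ProcessReceipt callback, and PromptProductPurchaseFinished is used for interface feedback only. The data store name, the product ID placeholder and the Coins attribute are assumptions made for the example.

```lua
-- Server Script (ServerScriptService). Added example; names below are hypothetical.
local MarketplaceService = game:GetService("MarketplaceService")
local DataStoreService = game:GetService("DataStoreService")
local Players = game:GetService("Players")

local purchaseHistory = DataStoreService:GetDataStore("PurchaseHistory") -- assumed name
local Decision = Enum.ProductPurchaseDecision

-- Placeholder product ID mapped to the function that grants it.
local productHandlers = {
	[0] = function(player) -- replace 0 with your own developer product ID
		player:SetAttribute("Coins", (player:GetAttribute("Coins") or 0) + 100)
		return true
	end,
}

-- Roblox calls this on the server for every paid developer product receipt
-- and keeps calling it until PurchaseGranted is returned.
MarketplaceService.ProcessReceipt = function(receiptInfo)
	local key = receiptInfo.PlayerId .. "_" .. receiptInfo.PurchaseId

	-- If an earlier call already granted this receipt, only acknowledge it.
	local readOk, alreadyGranted = pcall(function()
		return purchaseHistory:GetAsync(key)
	end)
	if not readOk then return Decision.NotProcessedYet end
	if alreadyGranted then return Decision.PurchaseGranted end

	local player = Players:GetPlayerByUserId(receiptInfo.PlayerId)
	local handler = productHandlers[receiptInfo.ProductId]
	if not player or not handler then return Decision.NotProcessedYet end

	local ranOk, granted = pcall(handler, player)
	if not ranOk or not granted then return Decision.NotProcessedYet end

	-- Record the receipt so a retry after a crash does not grant twice.
	local saveOk = pcall(function()
		purchaseHistory:SetAsync(key, true)
	end)
	if not saveOk then warn("Receipt granted but not recorded: " .. key) end
	return Decision.PurchaseGranted
end

-- Interface feedback only: nothing is granted from this event.
MarketplaceService.PromptProductPurchaseFinished:Connect(function(userId, productId, isPurchased)
	print("Prompt closed for", userId, productId, "purchased flag:", isPurchased)
end)
```

A production handler would also persist the granted item itself, since the attribute used here lives only for the session.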