PromptProductPurchaseFinished Vulnerability Fix

MusicIndoctrination · April 23, 2024, 2:45pm

PromptProductPurchaseFinished is deprecated so doubt, you cant access SignalPromptProductPurchaseFinished in normal means as its used for corescripts

AzertyFRYT · April 24, 2024, 8:15am

i feel like Roblox should just delete this function or at least limit it to the point that it can’t be used to handle purchases. It can be confusing for unexperienced people when they learn it

JakeUpTheBomb0_0 · April 24, 2024, 6:46pm

Thanks, been trying to find a secure way to handle purchases.

Nekoshirowa · April 24, 2024, 11:39pm

I don’t know if am missing something important but from what I seen on the scripts you provided it seems you rely on PromptProductPurchaseFinished event to grant player’s purchases. Now correct if am wrong but YOU SHOULDN’T USE PROMPTPRODUCTPURCHASEINISHED to rely on granting player’s purchased items.

It states You can use this event to detect when a purchase prompt is closed, but it should not be used to process purchases; instead use MarketplaceService.ProcessReceipt.

Most of these “hacks/exploits” seem to work just because the developer is an ignorant. Always double check the api in sensitive cases like these.

MusicIndoctrination · April 24, 2024, 11:55pm

didn't read the second or third paragraph

Yes that is correct, but some UGC games “tax evade” because of the obsurd 20000 robux fees to publish a paid limited, so the alternative is use dev products, but ProcessReceipt processes instantly after bought, but PromptProductPurchaseFinished processes after you press “Ok” on the buy button.

You are correct
Though this isn’t just a vulnerability with PromptProductPurchaseFinished, theres multiple that this is affected.
It is much simpler to use PromptProductPurchasedFinished compared to ProcessReceipt.

xChris_vC · April 25, 2024, 6:04am

I don’t see this as vulnerability, this is just a learning issue. You’ve used the wrong event, the PromptProductPurchaseFinished is for interfaces.

The callback with ProcessReceipt is made because a developer product isn’t stored in the player’s inventory, unlike gamepasses & assets. If you call NotProcessedYet, Roblox will call the callback indefinitely to ensure reliability. This is unnecessary for gamepasses & assets.

bruh lol

mutex_lock · April 25, 2024, 12:36pm

You can’t recheck with MarketplaceService:UserOwnsGamePassAsync because it caches as explained here:

If the pass is purchased in-experience through PromptGamePassPurchase(), this function may return false due to the caching behavior.

Furthermore, Roblox has official documentation that implements the PromptGamePassPurchaseFinished event handler without rechecking, instead relying on the wasPurchased parameter.

See above

MusicIndoctrination · April 25, 2024, 2:42pm

You can fake WasPurchase with SignalPromptGamepassPurchaseFinished…

mutex_lock · April 25, 2024, 3:09pm

Yes I know. I’m saying that the official documentation uses an implementation that is not secure. My point is that the MarketplaceService API does not provide a way to verify the in-game purchase of a gamepass that is both reliable and secure.

bvetterdays · April 25, 2024, 3:58pm

Do you have the source code for any of this??

MusicIndoctrination · April 25, 2024, 4:07pm

game.MarketplaceService:SignalAssetTypePurchased(ticket: string, playerId: int64, productId: int64)
game.MarketplaceService:SignalPromptBundlePurchaseFinished(player: Instance, bundleId: int64, success: bool)
game.MarketplaceService:SignalPromptGamePassPurchaseFinished(player: Instance, gamePassId: int64, success: bool)
game.MarketplaceService:SignalPromptProductPurchaseFinished(userId: int64, productId: int64, success: bool)
game.MarketplaceService:SignalPromptPurchaseFinished(player: Instance, assetId: int64, success: bool)

^^ According to the API

For Example, faking a successful PromptProductPurchase would be

game.MarketplaceService:SignalPromptProductPurchaseFinished(game.Players.LocalPlayer.UserId,1797531211,true)

Bakonowychlopak123 · April 25, 2024, 4:41pm

This sucks that means exploiters can get free gamepasses with 1 line of code (rip my money is wasted now because of exploiters until roblox fixes this)

Indominiso · April 26, 2024, 7:33pm

The documentation currently states that it should not be used for handling purchases but it’s not that evident, should most likely have a warning label and should mention that it’s vulnerable to exploits

NobleReign · April 27, 2024, 1:04am

what i’ve done to patch it for now is immediately re-checking directly with the API using https://inventory.roblox.com/v1/users/{userId}/items/GamePass/{gamepassId}. it doesn’t seem to cache from what i’ve tested, but it’s really inconvenient that people are going to need an entire roblox proxy just to make sure people can’t fake gamepass purchases

syntaxRaffa · April 28, 2024, 8:17pm

Billion dollar company btw, my games economy was almost destroyed.

Bakonowychlopak123 · April 29, 2024, 5:04pm

Bilion dollar company and they struggle fixing this vuln but adding useless topbar that no one asked for to the devforum doesn’t look like a big trouble for them.

tabby0x · April 30, 2024, 5:10pm

Roblox has its priorities, this is obviously not important.

Genuinely, this is like one of the many examples of the insane disconnection to the community lol, no response to something this large is actually crazy.

4UnderscoreRa · May 1, 2024, 2:20am

It’s crazy what happens when you read.

hakplays · May 10, 2024, 7:00pm

are u sure PromptGamePassPurchaseFinished is it vulnerable? because there is no processreceipt for gamepasses

syntaxRaffa · May 19, 2024, 5:10pm

Your first sentence made me almost write a whole paragraph, then I understood that it was ironic.