PromptProductPurchaseFinished Vulnerability Fix

As the documentation states, the UserOwnsGamePassAsync API caches and doesn’t update the result if a player purchases the gamepass while in-experience.

2 Likes

Is this vulnerability fixed for PromptGamePassPurchaseFinished?

I believe it (kinda) is, though if you don’t have proper checks, exploiters can still call it multiple times and get in-game rewards multiple times (if you reward them via PromptGamePassPurchaseFinished).

How would you perform proper checks?
You can’t really use UserOwnsGamePassAsync because of its caching behavior.

Why would you use PromptProductPurchaseFinished though? Handling dev products is meant to be in a callback function with ProcessReceipt.

Is there any way to safely listen to asset and bundle purchases? ProcessReceipt only works for developer products. :man_facepalming:

EDIT:
Probably forced to use PlayerOwnsAsset and PlayerOwnsBundle a few seconds later… kinda sucks ngl.

EDIT 2:
Also have to check if the user already bought it, or once purchased they can spam and cheat it.


This image best describes how vulnerable PromptPurchaseFinished and PromptGamePassPurchaseFinished can be. As the poster of this X post states, you can continuously fire the isPurchased parameter with true if you own the asset/gamepass. The only way to prevent this is, like the author says, to use checks beforehand. I’ve used the Roblox inventory API with a proxy due to the limitations of PlayerOwnsAsset (does not return every copy of an asset a player owns, ex. collectible limited, UGC limited).

1 Like
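
An added example, not code from any post in this thread: one way to make a reward tied to PromptGamePassPurchaseFinished idempotent, so a signal that fires repeatedly with wasPurchased set to true pays out once per user and gamepass. It covers only the repeat-fire case discussed above. `GAME_PASS_ID`, the store name `GamePassRewardGrants`, and `giveOneTimeReward` are assumptions.

```lua
-- Server Script (ServerScriptService). Added example; names marked hypothetical are not from the thread.
local MarketplaceService = game:GetService("MarketplaceService")
local DataStoreService = game:GetService("DataStoreService")

local GAME_PASS_ID = 0 -- placeholder: the gamepass this reward belongs to
local grantStore = DataStoreService:GetDataStore("GamePassRewardGrants") -- hypothetical store name

-- Hypothetical reward; replace with the game's own one-time grant.
local function giveOneTimeReward(player)
	print("granting one-time reward to", player.UserId)
end

-- Atomically claims the reward slot for (userId, gamePassId).
-- Returns true only for the first successful claim; repeats see the stored flag.
local function claimGrant(userId, gamePassId)
	local key = ("%d:%d"):format(userId, gamePassId)
	local claimed = false
	local ok, err = pcall(function()
		grantStore:UpdateAsync(key, function(old)
			-- The transform can be re-run on a write conflict, so recompute every time.
			claimed = not old
			if old then
				return nil -- already granted: cancel the write
			end
			return true
		end)
	end)
	if not ok then
		warn("grant record unavailable, not rewarding:", err)
		return false -- fail closed rather than risk a duplicate payout
	end
	return claimed
end

MarketplaceService.PromptGamePassPurchaseFinished:Connect(function(player, gamePassId, wasPurchased)
	-- Ignore cancelled prompts and gamepasses this script does not handle.
	if not wasPurchased or gamePassId ~= GAME_PASS_ID then
		return
	end
	-- The signal may arrive any number of times; only the first claim pays out.
	if claimGrant(player.UserId, gamePassId) then
		giveOneTimeReward(player)
	end
end)
```

Because the grant record is persisted, the once-only guarantee also holds across servers and rejoins, which an in-memory flag would not give.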