Protect TeleportService from exploiters

Hi, I have some random game with a limited-time event in it, which you can teleport into just by using TeleportService (via any executor). So, I’m here to ask y’all: how can I make a script that will protect TeleportService from exploiters, but still let them TP into it with a legal method?

6 Likes

It would be so helpful, because there are too many hackers who can get any expired event’s PlaceId just by knowing the root place’s UniverseId, and then teleport into it.

2 Likes

I don’t think there’s really any way to protect against that in your main game.

Do a check when the event game realizes that the player teleported. You should probably verify using some key or check if they meet some requirement.

1 Like

Do you want to make it so that only players from your game can teleport there? And is this done through one game simply as an additional place, or are these two different games?

1 Like

I want to make it so that only players can teleport there. It was created as an additional place (one Universe).

1 Like

I just want to protect `game:GetService("TeleportService")` from exploiters

1 Like

Then it’s simpler; create an additional cell in the DataStore. When a player teleports, save the value, for example, ‘Teleported’ with a value of True. This way, the game can know that the player teleported from where it needs to

2 Likes

You could use the __call / __namecall method and check whether it’s the client or the server calling it and from there you can stop them

Unsure if the metamethod will work now or not though

```lua
local mt = setmetatable({}, game:GetService("TeleportService"))
mt.__index = mt
mt.__call = function(t, ...)
	if game:GetService("RunService"):IsServer() then
		-- assume you’re good ig
	else
		print("client calling")
	end
end
```
2 Likes

Good idea, but I don’t know how I can do that lol

1 Like

Thanks, I will try it tomorrow, because I need to sleep rn lol

2 Likes

If you already have save data for the game, you can add this item there. If not, I can create this separately for you.

The option for the server where the player is teleporting from:

```lua
local DataStore = game:GetService("DataStoreService")
local TeleportData = DataStore:GetDataStore("Teleports")

-- Teleport function: call this on the server right before teleporting the player
local function MarkTeleport(Player)
	local PlayerKey = tostring(Player.UserId)
	local Data = {
		["Teleport"] = true
	}
	TeleportData:SetAsync(PlayerKey, Data)
end
```

The script option in the game where the player is teleporting to:

```lua
local DataStore = game:GetService("DataStoreService")
local TeleportData = DataStore:GetDataStore("Teleports")

game.Players.PlayerAdded:Connect(function(Player)
	local Key = tostring(Player.UserId)
	TeleportData:UpdateAsync(Key, function(Data)
		if Data ~= nil then
			if Data["Teleport"] == true then
				-- Consume the flag so it cannot be used for a second join
				Data["Teleport"] = false
				return Data
			elseif Data["Teleport"] == false then
				-- Flag already used: the player did not come through the teleport function
				Player:Kick()
			end
		elseif Data == nil then
			-- No record at all for this player
			Player:Kick()
		end
	end)
end)
```
3 Likes

Yeah I’m still not sure if it works though. I’ve barely used __call and I’m also unsure if you place the script on the server, the client will call and it’ll activate

I wouldn’t mark mine as a solution yet so yeah

2 Likes

I’ve just tried, it’s not working

1 Like

TeleportData is also transmitted to the client, so an exploiter can catch this and call a teleport with that data themselves.

Best solution afaik is to use Reserved Servers. Those need to be created by the server and have an authentication code to teleport to.

In the event place, check if it’s a reserved server and otherwise kick the player.

```lua
local isReserved = game.PrivateServerId ~= "" and game.PrivateServerOwnerId == 0
```
2 Likes
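The reserved-server approach from the post above, written out as an added example (not code from the thread). It assumes one server Script placed in both places; `EVENT_PLACE_ID` is a placeholder and the `EventPortal` part with its `ProximityPrompt` is a hypothetical trigger.

```lua
-- Added example: one server Script, placed in both the main place and the event place.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")
local TeleportService = game:GetService("TeleportService")

local EVENT_PLACE_ID = 0 -- placeholder: PlaceId of the event place

if game.PlaceId == EVENT_PLACE_ID then
	-- Event place: accept only reserved servers (the check quoted in the post above).
	local isReserved = game.PrivateServerId ~= "" and game.PrivateServerOwnerId == 0

	local function gate(player)
		-- Studio test sessions are never reserved servers, so skip the kick there.
		if not isReserved and not RunService:IsStudio() then
			player:Kick("This place can only be joined through the event teleport.")
		end
	end

	Players.PlayerAdded:Connect(gate)
	for _, player in Players:GetPlayers() do
		gate(player) -- covers players who joined before this script ran
	end
else
	-- Main place: the access code is created and used on the server only.
	local function sendToEvent(players)
		local ok, accessCode = pcall(function()
			return TeleportService:ReserveServer(EVENT_PLACE_ID) -- yields, may throw
		end)
		if not ok then
			warn("ReserveServer failed: " .. tostring(accessCode))
			return false
		end
		local sent, err = pcall(function()
			TeleportService:TeleportToPrivateServer(EVENT_PLACE_ID, accessCode, players)
		end)
		if not sent then
			warn("Teleport failed: " .. tostring(err))
		end
		return sent
	end

	-- Hypothetical trigger: a ProximityPrompt inside a part named "EventPortal".
	local prompt = workspace:WaitForChild("EventPortal"):WaitForChild("ProximityPrompt")
	prompt.Triggered:Connect(function(player)
		sendToEvent({ player })
	end)
end
```

A client that calls `TeleportService:Teleport` with the event PlaceId arrives in an ordinary public server, so `isReserved` is false there and the gate kicks it.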

Thanks, but I remember one tutorial where the script changes smth to a random name (by using HttpService or smth else), but I lost it. It changes the name every second.

I don’t remember where I found this tutorial, but it was on YT.

Ok, I’ll be back tomorrow bcuz it’s time to sleep in my country and I want to sleep too much. It’s the middle of the night rn lol

You could try to protect the teleport data a bit with cryptography. Roblox’s GDPR data erasure webhooks send you a packet of data with an HMAC-SHA256 signature that is encrypted with a secret you provide. If you include an expire time, like 1 minute based on os.time() (NOT tick()), that is cryptographically signed, you’d have a hard time getting any use of reusing and a really hard time forging new teleport data with a different expire time. Simply kick the player if the signature does not match or the time has expired. Lots of enterprise applications use formats like JSON Web Tokens (JWTs) with short expiration times (5 minutes to an hour, for example) with this exact setup.

2 Likes
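A sketch of the signed, expiring teleport data suggested in the post above, as an added example that is not part of the original thread. `HmacSha256` and `TeleportSecret` are hypothetical ModuleScripts in ServerStorage (an HMAC-SHA256 function returning a hex string, and the shared secret), `EVENT_PLACE_ID` is a placeholder, and the token field names are chosen for this example.

```lua
-- Added example (server-side only). HmacSha256 and TeleportSecret are hypothetical
-- ModuleScripts: a function hmac(key, message) -> hex string, and the shared secret string.
local Players = game:GetService("Players")
local ServerStorage = game:GetService("ServerStorage")
local hmac = require(ServerStorage.HmacSha256)
local SECRET = require(ServerStorage.TeleportSecret)

local EVENT_PLACE_ID = 0 -- placeholder: PlaceId of the event place
local TTL_SECONDS = 60 -- the 1-minute lifetime suggested above

-- Source place: pass the result as teleport data (e.g. TeleportOptions:SetTeleportData).
local function issueToken(userId)
	local expiresAt = os.time() + TTL_SECONDS
	local payload = string.format("%d|%d", userId, expiresAt)
	return { UserId = userId, ExpiresAt = expiresAt, Signature = hmac(SECRET, payload) }
end

-- Compare two strings without stopping at the first differing byte.
local function constantTimeEquals(a, b)
	if #a ~= #b then
		return false
	end
	local diff = 0
	for i = 1, #a do
		diff = bit32.bor(diff, bit32.bxor(string.byte(a, i), string.byte(b, i)))
	end
	return diff == 0
end

-- Destination place: true only for an unexpired token issued for this exact player.
local function verifyToken(player, data)
	if type(data) ~= "table" or type(data.ExpiresAt) ~= "number" or type(data.Signature) ~= "string" then
		return false
	end
	if data.UserId ~= player.UserId or os.time() > data.ExpiresAt then
		return false -- issued for another account, or expired
	end
	local expected = hmac(SECRET, string.format("%d|%d", player.UserId, data.ExpiresAt))
	return constantTimeEquals(expected, data.Signature)
end

if game.PlaceId == EVENT_PLACE_ID then
	Players.PlayerAdded:Connect(function(player)
		if not verifyToken(player, player:GetJoinData().TeleportData) then
			player:Kick("Invalid or expired teleport token.")
		end
	end)
end
```

Because the signature covers both the UserId and the expiry time, a token captured on the client is useless for any other account and stops working after `TTL_SECONDS`.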

Thanks, but Idk how to use os.time(), I haven’t learned how to use it.

I’m trying to get an understanding of this myself… since I will need to do the same soon.

  1. As a confirmed player on the Experience server… is there a way to use a Badge/Token (received upon official joining/playing)… and they can use this as confirmation that they may teleport to other places… or experiences (if 3rd party games are activated in Studio).
    And as a safety measure… if they don’t have this Badge/Token… they get kicked anyway.

  2. If 3rd party games are not activated/allowed… can they still teleport to other:
    (a) PLACES within that experience… with 3rd party off?
    (b) or even the main experience itself… with 3rd party off?

  3. Lastly, and a little more complicated:
    Wouldn’t it be possible… (3rd party activated or not)… to only teleport to preregistered places (experiences much less) using our PlaceIDs?
    If they enter illegally… they get an immediate & permanent ban.

Would be interested on your feedback. Thanks.