Question about ReplicatedStorage

Could an exploiter, by chance, change an object in ReplicatedStorage’s parent to something else?

Thanks!

2 Likes

Yeah, but that part would only be visible to them, meaning for example if there’s a part in replicated storage and they parent it to workspace, only they would see it, it wouldn’t be there for anyone else. However exploiters can’t access stuff in ServerStorage.

With exploiters there are 2 main ones to worry about:

  1. Local Only:
    This means anything they run works like a local script.

  2. Local And Server:
    This means they can access most things a script and local script can.

If you are unsure of what they can change, make it so you can see all hidden aspects of the game. Make a local script / script and see what you can change from each of them.

Exploiters can access other things, e.g. listen to remote events, but it’s much more uncommon.

1 Like

Ok, just wanted to be sure how I would go about doing something! Thanks @minimic2002 and @ScriptingSausage!

That is mostly incorrect. Exploiters can access your server storage, and if they have any sort of paid / key exploit they can exploit the entire workspace for all clients.

Really? I’ve always heard that exploiters cannot access the contents of Server Storage or Server Script Service. If they can, what’s the point of Server Storage as opposed to replicated storage?

Basically when it comes to hackers, assume nothing is off limits.

They can get at stuff you didn’t even know was there.

Can I ask where you heard that exploiters can access server storage and make changes on other clients? It’s interesting because I’ve never heard it like that.

1 Like

They can’t, the contents there are inaccessible to clients. Same for ServerScriptService.

1 Like

They can’t do it to individual clients that I know of, but they can make it affect anything that is in the game (so basically all clients at once).

And I’ve seen it done a few times. Plus, anti exploits is something I was working on a while ago.

Unfortunately, due to terms of service I cannot reveal where to find it and relevant information to show you. People can literally just download a premade exploit from the internet.

Exploiters can’t access the ServerStorage, read or edit the content, unless there’s a function/event that does that. Read more about ServerStorage here:

2 Likes

That’s partly true, you missed the fact that some exploits can run server side. Plus some local ones might have a function made to find and edit stuff.

Pretty sure exploiters can’t access server scripts either, so they can’t do things server side, but I’m not an expert.

If those exploits are working, then that means there could be either a backdoor, or something unsecured that fires those functions. Read more about exploiting here. This discussion can continue in DMs as it’s getting off-topic to the main question.

I’d like to clarify a lot of what’s being mentioned here as there appears to be a lot of misunderstanding about what exploits have access to.

This is very much true. A rule you should be aware of is “My machine. My rules”. Expect that I can change anything I want to on my client regardless of any restrictions such as script context, etc.

Exploits cannot run server-sided code by default. Server-sided access to your game is introduced by backdoors contained within free models that expose RemoteEvents, etc. to be able to run server-sided code from the client. This can be mitigated by making sure that you properly audit all code and third-party assets you add into your game.

Exploits cannot read the source of your server-side scripts.

To address the question in the original post:

Yes, they can parent instances to where they want but these changes are local only due to Roblox’s FilteringEnabled feature that’s forced on all games.

Most common exploits abuse things that do replicate such as physics (e.g. walkspeed, noclip, teleporting, etc.) and abuse things with Roblox replication such as exploits with welds that were used to crash servers at some point.

A lot of exploits you can easily detect and the best security is to ensure that your RemoteEvents are secured by making sure not to accept random packets you’re not expecting, etc. A good rule is to never trust the client.

Also, not to discredit Roblox, but it’s always best to not rely on Roblox to protect your game. Make sure you do verify stuff such as character position for events and verify physics, etc. as all these things can be spoofed by the client if the exploiter wished to do so.

3 Likes
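The "never trust the client" advice in the post above, as an added example that is not part of the original thread or anyone's game code: a server Script that validates everything a RemoteEvent receives before touching ServerStorage. The names `RequestItem`, `Items`, `PickupPad`, the allowlist entries and the limits are hypothetical.

```lua
-- Server Script, placed in ServerScriptService. Added example; every instance
-- name below (RequestItem, Items, PickupPad) is an assumption for illustration.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

local requestItem = ReplicatedStorage:WaitForChild("RequestItem") -- RemoteEvent
local items = ServerStorage:WaitForChild("Items")                 -- Folder of Tools
local pad = workspace:WaitForChild("PickupPad")                   -- Part players stand near

local ALLOWED = { Sword = true, Shield = true } -- server-side allowlist
local MAX_DISTANCE = 12 -- studs from the pad
local COOLDOWN = 1      -- seconds between accepted requests
local lastRequest = {}  -- [Player] = os.clock() of the last accepted request

local function isValidRequest(player, itemName)
	-- Only `player` is supplied by the engine; every other argument is
	-- whatever the client chose to send, so check type and value.
	if typeof(itemName) ~= "string" or not ALLOWED[itemName] then
		return false
	end
	-- Per-player rate limit so the event cannot be fired in a tight loop.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < COOLDOWN then
		return false
	end
	-- Distance check against the server's copy of the character. The client
	-- simulates its own character physics, so this is a sanity check only.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root or (root.Position - pad.Position).Magnitude > MAX_DISTANCE then
		return false
	end
	lastRequest[player] = now
	return true
end

requestItem.OnServerEvent:Connect(function(player, itemName)
	if not isValidRequest(player, itemName) then
		return -- drop unexpected requests silently
	end
	-- The client sends a name, never an Instance; the server resolves it.
	local template = items:FindFirstChild(itemName)
	local backpack = player:FindFirstChildOfClass("Backpack")
	if template and backpack then
		template:Clone().Parent = backpack
	end
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- avoid leaking table entries
end)
```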

Thanks so much, this really helps! Big thanks to everyone who replied to this thread!