Roblox Anti-Exploit, Theft, & Plagiarism - Why we need Changes Now

Roblox is a wonderful platform that encourages kids and adults of all ages to learn the basics of modeling, coding, art, you name it! It’s grown so much over the 10 years I have been on the platform, however there is one major flaw that to this day hasn’t been focused on nearly enough. It’s gotten so bad that the Roblox platform is popping up left and right on the news and social media… that issue is the poor anti-cheat system Roblox has.

What is anti-cheat?

When the software detects a cheat on a player’s system, it will ban them in the future, possibly days or weeks after the original detection. It may kick players from the game if it detects errors in their system’s memory or hardware. Some great examples of these are Valve’s VAC system, DICE’s PunkBuster, and Blizzard’s Warden system.

Why is anti-cheat important to Roblox?

“It’s just a kids’ game! Who cares if someone speedruns or something?” That’s an old way of thinking. These exploits we have seen being placed on the platform have done nothing but cause absolute chaos, hence why Roblox came out with the Filtering Enabled system. However, that does not stop the issue.

The other day I saw a few major news stations putting Roblox under fire for a 7 year old being ‘gang-raped’ with these exploits. Comment after comment was angry and concerned parents saying that they will be removing their child’s account and cancelling the membership. So yes, it has its impact on the company as a whole with these stories getting out.

We must also remember, if you have about 15 minutes of free time you can download several of the programs that bypass Roblox’s system. It’s not hard to do, and as Roblox grows we see this becoming more and more frequent.

Place Theft & Plagiarism

Another popular thing to do with these exploits is to steal developers’ hard-earned time, investments, and assets by copying entire places, maps, code work, everything. Even with FE enabled it’s far too easy to steal places. Of course the way Roblox is set up, it’s almost impossible to hide most of the in-game assets, however this brings back the original theme… Anti-exploit systems that stop the user from even opening the extractor or exploit before they get the chance to use it.

Place theft is a huge issue, in the past few days alone I’ve found several of my personal projects that I have spent weeks and even months on stolen and being SOLD as if they owned it. If you were to go and steal a Valve map, or an Overwatch asset… you’d be finished. There is currently 0 punishment dealt out for those caught with stolen places or ones selling stolen places/clothes/assets. They may have the place taken down if you contact DevRel, but that’s about it. The damage is already dealt.

The Solutions

I’m not a web engineer. I myself have a hard time wrapping my head around all of this, however I am a concerned developer who hates seeing negative news about the platform, as well as hates seeing my own and others’ hard work stolen and profited from. Here’s a few suggestions, and I would love some more to be pitched in if possible:

  1. Revamp the current anti-cheat system. It’s next to useless, if it was of value we wouldn’t be seeing this issue get worse and worse daily. We should be going after Blizzard’s or BattlEye’s anti-cheat system, it gives you a ToS you must agree to that allows your files and programs to be scanned for cheat software.

With the ability to actually enable Roblox to scan the users files for these programs the second they hit ‘Play’ will stop 95% of the issues before they arise.

  2. Revamp the ‘Report’ box section. Adding in a new selectable box of “This may be a stolen place or item” will help players to work at reporting obviously-stolen items, clothes, and places. Similar to what you must do when you contact DevRel, have the player post the link to the original asset and then to the stolen one and it will be reviewed.

  3. Punish users caught stealing, botting, or exploiting. I know there’s already punishments for exploiting and harmful botting, but it seems like the second one account gets banned they make another. We should be taking this a step further and perma-banning the email/computer/IP linked to that account entirely from the website. For those caught simply stealing/reselling places that do not belong to them, a temporary ban would hopefully scare them away from trying it again.

The Conclusion

Roblox is a great platform with lots of potential. However as of now the bots and easily exploitable system are holding the entire platform back as a whole. If we were to put even a slight dent in these things, the platform would draw in many many more individuals. As of now we focus so much on the safety of the kids through the chat system that we’re completely missing the other half of the issue, that is these horrible exploits and phishing links mass-spammed by bots.
We could go on and on about the botting issue, but we’ll leave that for another day.

Please Roblox, stop band-aid fixing these issues. They are serious and are heavily damaging developers who spend months of our time on our games and assets just to have them stolen. Take this matter seriously and come up with a user-friendly solution that will both punish and put a halt to the ones breaking the rules.

89 Likes

The first example you mentioned probably didn’t have filtering enabled, so the upcoming changes that mean users can only play non-FE games with their friends kind of render anti-cheat for that purpose redundant.

As for clientside exploits involving physics, I would rather just implement server side position delta / collision checks to see if they’re moving fast / flying / noclipping than have anticheat. Anticheat software can get pretty intrusive.

5 Likes
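The server-side position delta check suggested in the reply above, sketched as an added example (not code from this thread or from Roblox). It covers only the horizontal speed case; the thresholds, the strike counter and the choice to kick are assumptions, and a game that teleports players from server code would need to reset `lastPos` when it does so.

```lua
-- Added example: server Script (e.g. in ServerScriptService). Runs on the server only,
-- so the client cannot disable it. All constants below are assumed values.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")

local CHECK_INTERVAL = 0.5 -- seconds between position samples
local TOLERANCE = 1.5      -- slack for latency and physics jitter
local MAX_STRIKES = 5      -- consecutive over-speed samples before acting

local tracked = {} -- [Player] = { root, humanoid, lastPos, strikes }

Players.PlayerAdded:Connect(function(player)
	player.CharacterAdded:Connect(function(character)
		local root = character:WaitForChild("HumanoidRootPart")
		local humanoid = character:WaitForChild("Humanoid")
		tracked[player] = { root = root, humanoid = humanoid, lastPos = root.Position, strikes = 0 }
	end)
end)

Players.PlayerRemoving:Connect(function(player)
	tracked[player] = nil
end)

local elapsed = 0
RunService.Heartbeat:Connect(function(dt)
	elapsed += dt
	if elapsed < CHECK_INTERVAL then
		return
	end
	for player, state in pairs(tracked) do
		if state.root.Parent then
			local delta = state.root.Position - state.lastPos
			-- Horizontal distance only, so jumping and falling are not flagged.
			local moved = Vector3.new(delta.X, 0, delta.Z).Magnitude
			-- WalkSpeed is read from the server's copy of the Humanoid,
			-- not from anything the client reports.
			local allowed = state.humanoid.WalkSpeed * elapsed * TOLERANCE
			state.strikes = if moved > allowed then state.strikes + 1 else 0
			state.lastPos = state.root.Position
			if state.strikes >= MAX_STRIKES then
				warn(("%s exceeded the movement budget %d samples in a row"):format(player.Name, state.strikes))
				player:Kick("Unexpected movement detected.")
			end
		end
	end
	elapsed = 0
end)
```

Requiring several consecutive over-speed samples keeps a single lag spike from kicking a legitimate player.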

I hate to be that guy, but

  • There is already anti-cheat and it does stop quite a bit. I agree that it needs to be improved, but it seems a lot of exploits nowadays are down to the dev

  • Place stealing is impossible to counter - if anything is on the client, it’s completely takeable. Any form of DRM would only slow exploiters down and make Roblox far more problematic to be developed on.

7 Likes

I never said it was possible to stop making place and asset theft stoppable; I however did make the suggestion of starting to actually punish users caught doing it or attempting to resell the assets as their own. If I make a map for a user with the intent to sell it for 350,000 Robux and someone steals it and resells it to 10 other groups or people, that only affects and harms myself and the original customer. Punishing these ones and letting users report them would discourage ones from doing so.

8 Likes

This post shows a huge misunderstanding of cybersecurity.

Here’s two things that you don’t seem to understand.

  1. If the client can see it, they can steal it.
  2. As long as LocalScripts exist in any form, it is impossible to stop client side hacking. This includes non-FE places where the “gang rape” certainly took place.

No amount of anti cheat protections will nullify any of these two.

First of all, Roblox DOES have an anti cheat. The compiler was removed, the bytecode spec is updated frequently (to my knowledge), and Roblox has systems in place to where cheat creators have to change their hacks every update. The problem is that it is impossible to stop these exploits once and for all. Script injectors will always exist because they work the exact same way running a LocalScript would. They call the same functions in Lua’s underlying API and when they error you can see in the console that they’re a normal LocalScript. How do you stop script injectors once and for all? Remove LocalScripts, which obviously isn’t going to happen.

Second of all, the availability of these exploits is irrelevant. Just because they’re more common doesn’t mean they’re any easier to stomp out. If it was as easy as you like to think it is, it would’ve been done already.

Thirdly, place stealing is a problem impossible to fix. The client needs the places to be able to play on them, which means they can steal them. There is nothing you or Roblox can do about this.

The rest of your posts insinuate that it’s plainly simple to patch these out, but what you don’t understand is Roblox already has an anti-cheat that does what you ask it to, and exploits have already gone around it. Same for every other major title.

Including an intrusive BattlEye-esque program only hurts the people who don’t cheat. Everyone who cheats will figure out what functions the anti cheat calls, detour them to pure garbage or at the very least in a way that makes it look like the programs don’t exist, and get around it. That’s exactly what the people who had to deal with BattlEye did, ignoring the fact that it gave you ring 0 access when you exploited it.

Revamp the ‘Report’ box section. Adding in a new selectable box of “This may be a stolen place or item” will help players to work at reporting obviously-stolen items, clothes, and places. Similar to what you must do when you contact DevRel, have the player post the link to the original asset and then to the stolen one and it will be reviewed.

Agreed.

We should be taking this a step further and perma-banning the email/computer/IP linked to that account entirely from the website.

Anyone who can steal places and release them in ways that are actually damaging likely knows how to change their IP, and a large majority don’t even have to know that considering dynamic IPs are a common thing now.

16 Likes

And I fully agree, it’ll always be impossible to stop exploits or place stealing from happening. I am however firm on my statement of how there seems to be almost nothing done to those caught with, or selling those assets. This isn’t just places.

  • We have THOUSANDS of botted clothes flooding out the originals.
  • With a simple search I can find almost any popular game’s map on the library.

These need to be dealt with. It may be next to impossible to STOP the stealing from happening, but it is more than possible to start at least taking down and punishing ones trying to redistribute or sell the items as their own. And that’s what this thread is for, to come up with ideas.

8 Likes

They need to add something for mesh and csg that doesn’t allow them to load on anything other than the original owner or groups games.

7 Likes

I think that would be possible as well, considering I knew an ex-exploiter who attempted to rip a map but anything that was CSG wasn’t rip-able.

2 Likes

It would have to be toggleable so that models you make free or sell wouldn’t become completely useless.

Also if it works like animations then it would be a massive headache for teamcreate. I help make a game with a friend on his profile and I have to use his account or ask him to make changes/test animations. It’s incredibly frustrating. If the same happened with csg and meshes it would be impossible to work on.

3 Likes

Honestly, there’s no permanent solution in the long run for this.
Exploiters will always find a way, which is an uneasy feeling to cope with as a developer.

But there’s always a big bandaid we can place every now and then to solve it temporarily.

9 Likes

You can even use proxies and VPNs to change IPs too.
And ofc you can trace that too, but yeah.

3 Likes

The first solution seems a bit invasive to me, especially growing up seeing other people’s parents restricting what they can do because ‘oooh Roblox looks like a virus because you need to download it!’.

But yeah, I agree with most of the points. I’m dumb in this area, but I would think that there are cases where anti-exploits have worked pretty well (i.e. Valve’s stuff).

3 Likes

Actually, if I’m correct, aren’t people under 13 currently not allowed to play non-FE games? The user depicted in the article was listed as under 13, so that would mean the place would have probably been FE anyways

2 Likes

This is absurd, FE is not some sort of wall you just “bypass”.

And I’m fairly sure the FE age rule only takes the games off the sort, but I’d need confirmation on that.
Confirmation: I can play non-FE games on <13 alt.

7 Likes

This is completely false, there is no way for the client to impact the server in a general sense (as in, you can manipulate the physics of parts you own, but you can’t arbitrarily change anything) when FilteringEnabled is on.

6 Likes

I made a similar post about this not too long ago.
https://devforum.roblox.com/t/ways-to-protect-your-game-from-exploiters/140369/36

Unfortunately if people steal your stuff you can report it but it’ll take a while for the leaked copy to get taken down. If it gets taken down at all.

I strongly agree we need better protection. I also want to have normal team create in group games so developers don’t have access to all the assets of a certain game. Meaning builders will only be invited to building places and cannot access the main game.

4 Likes

I don’t know how Roblox’s anti cheat works, but the best one I’ve ever seen is ESEA’s CS GO anti cheat, it is literally impossible to cheat there, of course you can, but the anti cheat is so good you will be detected within minutes and the cheats that bypass it in any way are very private and cost thousands of dollars. I’d love to see Roblox create something like that, but I believe it involves scanning files on your computer which might not be ideal for a lot of people.

1 Like

Players under 13 can still play non-FE games, also known as experimental games, but games that are in experimental mode will not appear on game sorting, meaning those players will need to have a direct link to the game page or follow a friend to play a game in experimental mode.


Also, what exactly do you mean by “bypasses”? I don’t think you quite understand what the FilteringEnabled property does. The FilteringEnabled property prevents any changes the client makes from replicating on to the server.

However, when you say “bypasses”, you may be thinking of one of the few exceptions to this property, but they are not per se bypasses. Those exceptions to the FilteringEnabled property would be:

  • Some properties on the local Humanoid
  • Sound playback, when SoundService.RespectFilteringEnabled is set to false
  • ClickDetector input events
  • AnimationTrack playback
  • Physics simulated on BaseParts which the client has network ownership of

I’d recommend you read up on these articles to learn more in-depth about the FilteringEnabled property and how it works:

3 Likes

ESEA on CS:GO is an edge case that only works because it specifically targets common CS:GO cheats (e.g. detecting DirectX detours to create overlays). As far as I know, it also includes a server-side part that can detect aimbotters by checking their accuracy, something that doesn’t transfer over to Roblox efficiently.

1 Like

I reported a leaked version of my game and Roblox refuses to remove it because, from what I understand, I have people in my team create.
I’m with Russian on this one, gotta enforce the rules a lot more to deter exploiters.

5 Likes