Roblox's Got Talent Backdoor Issue (In need of major help)

Greetings Developers,

I’m flvurry, a Developer for Roblox’s Got Talent along with the other developers, @o5ls and @Prqcious. Recently, we’ve had a major issue with a backdoor in the game and YouTubers are posting all about this.

https://youtu.be/P0Azcg_Loj4

There have been tweets going around Twitter about our issue. I’ll explain the issue below, please read.

A backdoor somehow got into our game and we don’t know how. It’s most likely a plugin, as we’ve run backdoor tests numerous times and come up with nothing. We believe it’s a plugin that’s doing all of this, but we’ve scanned our plugins and have come up with nothing. We have also deleted our plugins to test it as well. The issue with this backdoor is that it will begin to teleport players to another game and will make people mad at Roblox’s Got Talent.

This issue has been going on for months. We are in need of help as soon as possible. If anyone can please comment below or add me on Discord, I’ll leave my username and tag below.

My Discord username: flvurry#0015

Thank you for reading my post, and have a wonderful rest of your day.

Signed,
flvurry

2 Likes

I recommend pressing CTRL + P and searching for ‘Script’, this’ll find every Script in the DataModel.
It might take a long time to search through all of them, but you may have a chance of finding it.

Thanks! I’ll be doing that now.

1 Like

  1. Are you experiencing any specific errors in the Output?
  2. Are the places to which your players are teleported random, or is it consistently the same place?
  3. Have you scanned your plugins’ source code for any mention of TeleportService?
  4. Have you ensured all of your plugins are from trusted developers and are not malicious plugins copied from the originals?
  5. Have you used a plugin to search for Scripts placed in singletons that don’t normally show up in the Explorer?

  1. None.
  2. Consistent place.
  3. Yes.
  4. Yes.
  5. No.

If your plugins are confirmed as secure, it’s likely that a script is teleporting your players. Try using the place ID (which you can find if the place link’s been reported to you) and searching for any scripts containing it.

2 Likes

I would check out @ReturnedTrue’s suggestion, that should help. Removing your plugins after the deed is done would not get rid of whatever script is causing this. I’m not sure how obfuscated the teleportation is but you could give searching all scripts (FindAll) for TeleportService a shot.

1 Like

Whenever the exploiters join the game, I believe there’s a panel they get and can teleport people.

1 Like

Full screen of their GUI: https://media.discordapp.net/attachments/657737684885962762/665603269825003574/unknown.png

1 Like

There are four keywords that you should be wary of in scripts. Use Ctrl+Shift+F and search for each of them.

  1. require
  2. getfenv
  3. setfenv
  4. loadstring

require when passed an asset ID executes a ModuleScript from the Roblox website. For example, require(188852776) loads one of my scripts. Many exploiters abuse this to load whatever they want into servers, so keep an eye out. However, it’s safer if it looks something like local MyModule = require(game.ReplicatedStorage.MyModule).

Though exploiters will often try to hide that with a getfenv call, which grabs the table their script runs in, all Lua functions included. The table is then used to obfuscate a require call or whatever, so a simple search won’t find it. Game scripts almost never need to use this function, so if it exists at all in your game, that script is probably the backdoor.

Related is setfenv, though it works in reverse.

And then you have loadstring, which can execute any string as if it was a script, though it’s disabled by default.

Oh. And be wary of this kind of pattern:

lilililil = require

2 Likes
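
A scanner for the patterns named in the replies above (require by asset ID, getfenv, setfenv, loadstring, aliases such as `lilililil = require`, TeleportService, and optionally the destination place ID), as an added example that is not part of the thread or written by any poster. The names scanSource, KEYWORDS and ALIASABLE, the sample script and the asset ID 1234567 are constructed for illustration; reading Source assumes Studio's command bar or a plugin context.

```lua
-- Added example: flag the script patterns discussed in this thread.
local KEYWORDS = { "getfenv", "setfenv", "loadstring", "TeleportService" }
local ALIASABLE = { "require", "getfenv", "setfenv", "loadstring" }

-- Returns { line = n, reason = "..." } entries; placeId (optional) is the destination place.
local function scanSource(source, placeId)
	local findings, lineNo = {}, 0
	for line in (source .. "\n"):gmatch("(.-)\r?\n") do
		lineNo = lineNo + 1
		local function flag(reason)
			findings[#findings + 1] = { line = lineNo, reason = reason }
		end
		-- require(<number>) pulls a ModuleScript from the website by asset ID.
		if line:find("require%s*%(%s*%d+") then flag("require by asset ID") end
		for _, word in ipairs(KEYWORDS) do
			if line:find(word, 1, true) then flag("uses " .. word) end
		end
		-- `name = require` style aliases hide later calls from a text search.
		for _, word in ipairs(ALIASABLE) do
			if line:find("=%s*" .. word .. "%s*;?%s*$") then flag("alias of " .. word) end
		end
		if placeId and line:find(tostring(placeId), 1, true) then
			flag("mentions place ID " .. tostring(placeId))
		end
	end
	return findings
end

if game then
	-- Roblox Studio: walk every script in the DataModel and report findings.
	for _, inst in ipairs(game:GetDescendants()) do
		pcall(function()
			if inst:IsA("LuaSourceContainer") then
				for _, f in ipairs(scanSource(inst.Source)) do
					warn(inst:GetFullName() .. ":" .. f.line .. " " .. f.reason)
				end
			end
		end)
	end
else
	-- Plain Lua: constructed sample input, not taken from the game in the thread.
	local sample = "local lilililil = require\n"
		.. "local env = getfenv()\n"
		.. "local Ok = require(game.ReplicatedStorage.MyModule)\n"
		.. "require(1234567) -- constructed asset ID\n"
	for _, f in ipairs(scanSource(sample)) do
		print(f.line, f.reason)
	end
end
```

A plain-text match like this only narrows the search: each flagged line still has to be read, and a script with no findings is not thereby cleared.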

Just out of curiosity, is your admin script in house or something made by someone else? Because, if they’re using infinite yield to teleport people, it sounds like an insecure remote, not a plugin. Unless one of your plugins is strictly made to work with infinite yield in this manner; however, some admin scripts have the capability to run commands that are input on a client GUI like a hidden console, and that could be getting abused.

1 Like

Adding onto my post:

The backdoor isn’t in the game that we’re making edits to, it’s in the game that we’re publishing from.

For example: We’re using the Debug version to fix bugs and then have the Owner publish it to the main game. We aren’t sure if the Owner is the issue that’s having his plugins or something going wrong.

2 Likes

Threads like this appear on a very frequent basis and developers “believe” that they’ve resolved the issue or they can’t find traces of the backdoor. If this was the case, then there wouldn’t be an issue to begin with. You need to vet your plugins several times over and check through code for any foreign elements you know you did not put there yourself.

2 Likes

Thanks for the help everyone! We believe we have found the issue and removed it.

flvurry

1 Like

Are there any takeaways for the rest of us? What gotcha?