Script Injection Vulnerability


Nevermind, after checking, it seems that all of those services are level 6, so even plugins can’t access them.
Although, still believe that Cmd Bar should be higher level than plugins.


The command bar (which uses LocalUserSecurity) has more privileges than a plugin (which uses PluginSecurity), and plugins have access to the CoreGui.

You might be thinking of some API members that are restricted to RobloxScriptSecurity, but that constraint only applies to certain API members, nothing crucial that developers need presently.

All of these constraints are available to see in my version of Roblox’s API Dump.


I have totally stopped installing plugins unless it’s made by me or directly linked by someone trustworthy in the devforums. I don’t trust anything in the actual library right now, but luckily I haven’t needed anything (yet…)


Oh, thanks for the heads up. I’ve never thought of this.


You could also look at the plugins source. I remember there was a way to be able to view a plugins source. Where Roblox Studio is installed there should be some .rbxm files (which are the plugins) somewhere, then you can load/drag & drop them into studio and see their source. I will check if this still works when I get home (I’m on phone). Also, this could be a plugin security issue. Roblox might of parched this a while ago.


I fixed this by using the follow code in the command bar:


It removes a hidden code called “?” which is encrypted module script. An exploiter found it on my game and so far no problems.


If the plugin is publicly available, you should be able to download them as .rbxm files using[id here]

Just remember to name it as an rbxm file because it saves as no type


Why only search Backpack? I thought the malicious scripts could also hide in other services like the CSG service, InsertService, etc.


Some of the scripts that i’ve found weren’t inside a backpack, but most of them were for some reason

split this topic #31

2 posts were merged into an existing topic: WIP Bugs / Features


Why does OP sound targeted towards the common form of injection that malicious plugins are using as opposed to place vulnerabilities in general? I don’t think the issue is Backpacks, it should pertain to how to locate vulnerabilities in general. Malicious developers are just going to change the method of usage (e.g. Folders, Models, raw script objects, etc).

The change specified is ideal, albeit my opinions on the subject matter. Backpacks and PlayerGuis shouldn’t even be insertable or creatable - what use case would someone have to do so? Folders superseded using these objects as containers for storage.


I think the post is referring to the Backpack’s functionality outside of a player or the workspace. Normally scripts won’t run inside of any services so I’d assume the backpack bypasses this.


Why, though? Change them to Folder instances.


Its not models though, its plugins.
Models can only affect your place at run-time, when you server starts.

Plugins run in studio whether you know it or not - that’s the issue.


It’s not a huge problem, just wondering. I use them because I like the icon in Studio :wink:

split this topic #38

11 posts were split to a new topic: Cannot find backdoor in my game


Thanks for looking into this! I really Enjoy Using Roblox and learning to script is always fun! Thanks for your Effort Roblox!


I think it would be an interesting idea where if a plugin wants to add a script to your game, it will give a popup (from roblox), stating where it wants to save to, allow you to view the code, and confirm/deny if you want it added. If you notice shady obfuscation or anything along those lines, you know immediatly to deny it. Just food for thought. I think it would help prevent many future instances that will try to add malicious code to hidden parts of your game.


I’ve got an Idea for how to prevent Users from seeing code like a modulescript, the dev can see the code it just hides it from the player by calling fuctions through remotefunction and remoteevent. Gotta develop it but I have school so after school I’ll create it! :wink:

split this topic #48

Please do not link/discuss specific malicious plugins or rule violations.