Security Issue with TeleportData

Hello, I have made a system a while ago where the games would send sensitive teleport data to each other (within the server), with the :teleport function, but I just realized that they can be accessed with the client with the function: TeleportService:GetLocalPlayerTeleportData(). Is there any way I can stop this?


I don’t think so. Perhaps it’s worth expanding your focus as to why you need to send ‘sensitive teleport data’ in this way and whether another method is more suitable.

The client can’t manipulate the data, so I’m wondering what is so sensitive that you wouldn’t even want them to see it, given that the data is probably about them anyway.

It’s not about the player, it’s basically a configuration with sensitive keys, etc…

What kind of sensitive keys? You should only provide the data that is needed for the client for the teleport, otherwise the sensitive keys and codes should stay on the server.

Cough This is why I want to disable client teleports, but apparently my use case is “not good enough”.


In any case, you’ll either need to use a security check via that TeleportData or not send sensitive data via TeleportService at all. There is no other way to prevent clients from fetching data because, well, teleport data is sent alongside the client.

One workaround could be to save the sensitive data in a datastore with a random/temporary key and to transfer the key as teleport data instead of the data itself. Then, you can load the data in the new server and the client won’t be able to do much with a datastore key.


So as I mentioned, perhaps it’s worth looking at other methods of transferring these sensitive keys. TeleportService was never meant for this. DataStores, MessagingService, server-side algorithm if your keys are generated, or another method (hard to suggest which is best without any more details on your use case).

If you are fixed on using TeleportService you might find yourself stuck in an XY problem.


If you’re fixed on only using Teleport for this, you could encrypt the data you’re saving with a key only your server knows, and then get the data from the player and decrypt it.

It was different games, so I have created an API for it to save data between the different games. That’s all.

I wouldn’t rely on TeleportService when it comes to saving or transferring sensitive data either way. If I were you I’d look into using a separate service, perhaps setting up your own on a web server, and access it via API using a key known only to the server in those two games.

I can’t think of many other robust and reliable ways to ensure no data loss between the two games, other than obviously having them as two places under the same Game.

TeleportData is transmitted in plaintext by the client from one server to another. Any information you include, the client will have access to. You can either write your own encryption algorithm, or share it another way (such as through the use of datastores).
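The datastore workaround suggested in the replies above, sketched as an added example that is not code from any poster in this thread. It assumes both places belong to the same experience (DataStores are not shared across experiences); the store name `TeleportHandoff`, the `Handoff` module and the 120-second lifetime are hypothetical choices.

```lua
-- Added example: server-side ModuleScript required by both places.
-- Assumption: same experience, so both servers see the same DataStore.
local DataStoreService = game:GetService("DataStoreService")
local HttpService = game:GetService("HttpService")
local TeleportService = game:GetService("TeleportService")

local store = DataStoreService:GetDataStore("TeleportHandoff") -- hypothetical name
local MAX_AGE = 120 -- seconds a handoff record stays valid (hypothetical value)

local Handoff = {}

-- Source server: the payload stays server-side; only a random token travels.
function Handoff.send(player, placeId, payload)
	local token = HttpService:GenerateGUID(false)
	-- If SetAsync errors, the error propagates and no teleport happens.
	store:SetAsync(token, {
		userId = player.UserId, -- bind the record to this player
		created = os.time(),
		payload = payload,
	})
	local options = Instance.new("TeleportOptions")
	options:SetTeleportData({ handoff = token }) -- all the client can read
	TeleportService:TeleportAsync(placeId, { player }, options)
end

-- Destination server: the token arrives via the client, so treat it as untrusted.
function Handoff.receive(player)
	local data = player:GetJoinData().TeleportData
	local token = type(data) == "table" and data.handoff
	if type(token) ~= "string" or #token > 50 then -- 50 = DataStore key length limit
		return nil
	end
	-- RemoveAsync returns the stored value and deletes it, so a token works once.
	local ok, record = pcall(function()
		return store:RemoveAsync(token)
	end)
	if not ok or type(record) ~= "table" then
		return nil
	end
	if record.userId ~= player.UserId then
		return nil -- token presented by a different player
	end
	if os.time() - record.created > MAX_AGE then
		return nil -- stale record
	end
	return record.payload
end

return Handoff
```

The source server calls `Handoff.send` instead of teleporting with the configuration itself, and the destination server calls `Handoff.receive` from its `PlayerAdded` handler; a `nil` result means the join carried no valid handoff.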