Recently, one of my previous team members leaked my client's game with the scripts, and it's caused some issues. Exploiters are making the game NSFW / not safe for kids. This includes firing the events, playing music, morphing into (BAD NAME) dolls, and then spawning as “John Doe”. This has been happening on the server side recently. How can I stop this?
Basically, I can't find the event they are firing, but somehow they are firing it to the server. These are screenshots from this morning (under an hour ago).
I can’t figure out how they are doing this. It's only started happening since the raid started from phSalami’s group (he's been paying / bribing staff to raid it). Is this worth contacting DevRel about?
I have just about had enough with the exploiters. They are wasting hours of my time when I'm supposed to finish the V2. Most of them are making their own admin scripts and then adding viruses into the game.
In ServerStorage.FDCarSpawnerGui.Frame.ScrollingFrame.Script, it does not sanity check what goes in for an asset ID, so it can load anything in your group’s inventory. Not the biggest issue though.
Some of your scripts use HttpService. I advise you change the API keys for these so that exploiters can’t change their contents.
There are copies of scripts everywhere. I’m sure it’s hard to maintain them all.
One thing I saw is anti-exploits on the client. All anti-exploits should be on the server, not on the client.
Any exploiter can see, change or delete any local script code, so any kind of attempt to protect against exploits on the client is null.
I’m also seeing hundreds of replicated scripts. Please consider using one “central” script or only a few scripts that control everything, instead of hundreds of scripts that do the same thing.
I’m struggling to find the exact cause. I found the following general issues though:
You have anti-cheat LocalScripts. An exploiter can simply delete them and go on with speed-hacking/flying. Turn them into regular scripts.
You have a lot of exploit ban traps around the game. Don’t do that; you’re just making your life harder. Use something like assert(condition == true) at the top of your functions with rank-checking and such, and remove those old RemoteEvents so you don’t have to keep seeing them.
AssetIDs are not sanity checked, which allows exploiters to break the game, if not load a full backdoor script. My favorite way of checking these is with a table of allowed numbers.
Scripts are copied everywhere, making it hard to fix any issues with them. Consider centralizing them a bit.
You have server scripts buried deep in your GUIs. These scripts do various server things. In general, GUIs should only serve as a human “interface” for a game, so I advise you only put LocalScripts in them, and have these LocalScripts fire RemoteEvents for their original purposes.
You’re using an admin script. These are huge, complex, and potentially have backdoors and vulnerabilities. You should try to disable as many admin functions as possible to reduce the vulnerabilities, or simply use no admin scripts from the Library at all.
Make sure to only give people the permissions they need to do their jobs, and revoke permissions from those that don’t need them. I see betrayals every so often, so this measure should reduce the chance of that happening.
I’m still digging through the scripts though. Possibly more issues to come.
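The rank check and the "table of allowed numbers" for asset IDs suggested in the post above, as an added example that is not part of the thread or the game's own code. The remote name SpawnCar, the group ID, the minimum rank and the asset IDs are placeholders; the validation logic is plain Lua, so it also runs outside Roblox on the constructed requests at the bottom.

```lua
-- Added example, not the game's own code. All names and IDs are placeholders.
local ALLOWED_ASSET_IDS = {          -- table of allowed numbers (constructed IDs)
    [1000001] = true,
    [1000002] = true,
}
local GROUP_ID, MIN_RANK = 0, 100    -- hypothetical group ID and minimum rank

-- Accept only a whole number that is present in the allowlist.
local function validateAssetId(value)
    if type(value) ~= "number" then return nil, "not a number" end
    if value ~= value or value % 1 ~= 0 then return nil, "not an integer" end
    if not ALLOWED_ASSET_IDS[value] then return nil, "not in allowlist" end
    return value
end

-- Rank check first, then argument check. getRank is injected so the logic
-- can be exercised outside Roblox.
local function handleSpawnRequest(player, rawAssetId, getRank)
    local rank = getRank(player)
    if type(rank) ~= "number" or rank < MIN_RANK then
        return false, "rank too low"
    end
    local assetId, reason = validateAssetId(rawAssetId)
    if not assetId then return false, reason end
    return true, assetId
end

if game then
    -- Roblox server Script. The engine supplies `player`; every argument
    -- after it comes from the client and is untrusted.
    local remote = game:GetService("ReplicatedStorage"):WaitForChild("SpawnCar") -- hypothetical
    remote.OnServerEvent:Connect(function(player, rawAssetId)
        local ok, result = handleSpawnRequest(player, rawAssetId, function(p)
            return p:GetRankInGroup(GROUP_ID)
        end)
        if not ok then
            warn(("rejected spawn request from %s: %s"):format(player.Name, result))
            return
        end
        -- result is an allowlisted ID; load and parent the car here
    end)
else
    -- Plain Lua: constructed requests, including hostile argument types.
    local ranks = { staff = 150, visitor = 1 }
    local function getRank(p) return ranks[p] end
    for _, req in ipairs({ {"staff", 1000001}, {"staff", 999}, {"staff", "1000001"},
                           {"staff", {}}, {"visitor", 1000001} }) do
        print(req[1], tostring(req[2]), handleSpawnRequest(req[1], req[2], getRank))
    end
end
```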
Even if you’re going to use client AE, why not hide it? It’s named “Anti-Exploits”, a bunch of local scripts all neatly put in one folder that can be removed with a single :Destroy()