Some in-depth information on strong exploitation

I know there are things like FilteringEnabled and local security to keep a game exploit-free, but I notice that some players are still able to make changes to games. I saw this myself on a YouTube video, as well as in a few incidents in different games. From what I understand, they have visual access to scripts inside a game, much like if they were viewing it from Studio. Please correct me if I'm wrong, and can I get some more information on how more serious “hacking” happens to games?

1 Like

Not to flex some self promotion but I wrote a post about some of this stuff a while back.

2 Likes

If you keep in mind some core principles, you can discover all of what is possible by extrapolation.

Principle 1:

  • Clients are omniscient

They can see everything you can in Studio and more, besides what is stored in server-only locations like ServerScriptService or ServerStorage. They can also see the source code of scripts in Workspace, in their player, etc.

Principle 2:

  • Clients are omnipotent

They can change anything on their end. If they want to kill every other player, they can. However, with FilteringEnabled, other players won’t see the same thing. They can hijack your scripts, rewrite them, or stop them altogether. They can also do things you can’t as a developer, like causing specific types of communication never to be sent to the server (think: remote events / functions that warn the server a client is a hacker). They can even turn walls transparent to see other players.

Defending Against Clients
The golden rule for security is to never trust the client. This goes for website development, game development, API development, everywhere there is a “server”. The reason this section wasn’t titled “defending against hackers” is that a change of mentality is needed to truly secure a server: no client can be trusted and everyone is a hacker. In a similar vein of reasoning, assume that everything that can go wrong will eventually go wrong.

With that in mind, clients exploit in one of two ways:

  • Actions: ways to manipulate server state (remote events / functions, network ownership)
  • Observations: breaking game rules by finding information that they shouldn’t have known

To prevent action attacks, you need to follow the principle of least privilege and always validate client input. In addition, character models are naturally insecure because network ownership is given to the client, but this is most often just dealt with through periodic sanity checks on the server. They can push other players off the map, prevent death, speedhack, fly, noclip, etc. There are lots of topics on this forum about these attacks, and I’ve posted on many myself.

To prevent observation attacks, you need to keep any logic that requires knowledge of information the user should not be aware of on the server. For an FPS game, this would mean that wallbang shots cannot be validated on the client because the client should not have a player on the other side of the wall. The check must be performed client side. The same would go for cloaked players. In designing a maze game, only the visible sections should be present on the client. Unfortunately, once a client has seen part of the maze they can store what it looked like; however, if the maze were to change over time, the updates would not be sent for non-visible sections.

Having properly addressed all of these security issues, your game will be secure. Note that many of these attacks probably don’t exist; however, they are all possible. They also give a glimpse into what is possible.

PS. I should note that another type of attack does exist if clients have help. Games can get backdoored from free models or other developers working on the game. Bugs probably fall into this category of server-aided attacks.

7 Likes
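As an added example (not code from the thread or from Roblox), here is a server Script that applies the “validate client input” and least-privilege points above to a weapon RemoteEvent. The RemoteEvent name FireWeapon and the weapon constants are assumed; the client sends only a target, and the server checks the shape, rate and geometry of the request before touching any state.

```lua
-- Added example, not from the thread. Server Script: validate every field of a
-- client request before it touches server state. Names below are assumed.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local fireWeapon = ReplicatedStorage:WaitForChild("FireWeapon") -- assumed RemoteEvent
local WEAPON_RANGE = 100      -- studs, assumed
local WEAPON_DAMAGE = 25      -- server-owned value; the client never sends damage
local FIRE_COOLDOWN = 0.5     -- seconds between shots
local LATENCY_SLACK = 0.1     -- tolerate timing jitter from the round trip

local lastFire = {}           -- player -> os.clock() of last accepted shot

Players.PlayerRemoving:Connect(function(player)
    lastFire[player] = nil    -- avoid leaking table entries
end)

fireWeapon.OnServerEvent:Connect(function(player, target)
    -- 1. Shape check: an exploiter can fire this remote with any arguments.
    if typeof(target) ~= "Instance" or not target:IsA("Model") then return end
    local character = player.Character
    if not character or target == character then return end
    local targetHumanoid = target:FindFirstChildOfClass("Humanoid")
    if not targetHumanoid or targetHumanoid.Health <= 0 then return end

    -- 2. Rate limit on the server clock; never trust a client-supplied timestamp.
    local now = os.clock()
    local last = lastFire[player]
    if last and now - last < FIRE_COOLDOWN - LATENCY_SLACK then return end

    -- 3. Geometry check: the shooter must actually be within weapon range.
    local shooterRoot = character:FindFirstChild("HumanoidRootPart")
    local targetRoot = target:FindFirstChild("HumanoidRootPart")
    if not shooterRoot or not targetRoot then return end
    if (shooterRoot.Position - targetRoot.Position).Magnitude > WEAPON_RANGE then
        return
    end

    -- 4. Least privilege: the client only names a target; the server decides damage.
    lastFire[player] = now
    targetHumanoid:TakeDamage(WEAPON_DAMAGE)
end)
```

A rejected request is silently dropped rather than answered, so the client gains no oracle about which check failed.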

Well, I’m going to assume that when you say “games” you mean Roblox games, and not external ones like Call of Duty.

Mainly, the serious hacking involves injection of some type of code that exploits (hence the common name we give to “hackers” being exploiters) a certain part of the normal Roblox codebase, allowing for unwanted actions from the player.

These injections are usually very hard to detect, and most often developers use server-based anti-exploit scripts that check every action of the player. I don’t understand why Roblox doesn’t have their own anti-cheat, but maybe that’s too much to ask for.

Roblox does check for common exploits like Cheat Engine, but that’s about it…

Basically, these exploits abuse remote instances that trigger poorly written server-sided code, and some client-controlled instances like movement (because of network ownership and UX), but that’s about it, and also asset stealing.

So your best bet is to ALWAYS do sanity checks properly, and your game should be fine.
Make sure you take ping into account for player input (movement) and time-based checks.

While it seems like Roblox doesn’t care about these issues they aren’t ignoring it.

Games like Apex Legends, Fortnite, CS:GO and such also have cheaters, so it’s not a thing unique to Roblox; it is what it is because they have control of their own computer, but I can see that things will change with Google Stadia.

(Seems like I’ve repeated what everyone above said)

1 Like
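As an added example (not code from the thread or from Roblox), here is a server Script implementing the movement sanity check the post above recommends, with the player's ping folded into the distance budget so that lag alone does not trigger it. The walk speed, interval and strike threshold are assumed values; Player:GetNetworkPing() is the engine method that returns the player's latency in seconds.

```lua
-- Added example, not from the thread. Server Script: periodic movement sanity
-- check that budgets for the player's ping instead of punishing every lag spike.
local Players = game:GetService("Players")
local RunService = game:GetService("RunService")
local MAX_WALKSPEED = 16         -- assumed: the game's normal Humanoid.WalkSpeed
local CHECK_INTERVAL = 1         -- seconds between samples
local STRIKES_BEFORE_ACTION = 3  -- repeated violations only, not a single spike
local SLACK = 1.2                -- 20% headroom for physics and jitter
local lastSample = {}  -- player -> {position = Vector3, t = number}
local strikes = {}     -- player -> consecutive violations

Players.PlayerRemoving:Connect(function(player) lastSample[player], strikes[player] = nil, nil end)

-- Distance the player could legitimately cover: top speed over the sample
-- interval plus one round trip of movement the server has not yet seen.
local function allowedDistance(player, elapsed)
    return MAX_WALKSPEED * (elapsed + player:GetNetworkPing()) * SLACK
end

local function checkPlayer(player, now)
    local root = player.Character and player.Character:FindFirstChild("HumanoidRootPart")
    if not root then return end
    local prev = lastSample[player]
    lastSample[player] = {position = root.Position, t = now}
    if not prev then return end
    -- Horizontal distance only: falling is governed by physics, not WalkSpeed.
    local delta = root.Position - prev.position
    local horizontal = Vector3.new(delta.X, 0, delta.Z).Magnitude
    if horizontal <= allowedDistance(player, now - prev.t) then
        strikes[player] = 0
        return
    end
    strikes[player] = (strikes[player] or 0) + 1
    if strikes[player] >= STRIKES_BEFORE_ACTION then
        root.CFrame = CFrame.new(prev.position) -- rubber-band; a false positive is survivable
        strikes[player] = 0
    end
end

local accumulated = 0
RunService.Heartbeat:Connect(function(dt)
    accumulated += dt
    if accumulated < CHECK_INTERVAL then return end
    accumulated = 0
    for _, player in ipairs(Players:GetPlayers()) do
        checkPlayer(player, os.clock())
    end
end)
```

A server-side teleport or respawn produces one over-budget sample, which the strike threshold absorbs; tune MAX_WALKSPEED per player if the game grants speed boosts.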

Exploiters aren’t hackers. Two different things. Exploiter is derived from the word exploit, which means to take advantage of. Exploit(er)s take advantage of vulnerabilities in games or of the engine.

This assertion is wrong and unfounded, and Roblox does a lot more than that. I give insight on what Roblox is doing on the post I linked.