They do not bypass FilteringEnabled. Exploiters make use of security flaws that developers program into their game because the developers may not understand fully how the “don’t trust the client” concept works. Other than that, they abuse the special replication rules that are in place for instances that they have physics ownership over, such as their own character. There are/were also some exploits using the special replication rules around constraints, but these are being slowly patched out.
If you turn on FilteringEnabled and program your game properly with the “don’t trust the client” concept in mind at all times, the only exploits you should be seeing are ones pertaining to the exploiter’s own character, such as speedhacking, teleporting, noclipping, etc. If you do see other kinds of exploits while you have FilteringEnabled on, you can post about it in Development Discussion and maybe people can give you ideas on what you might be doing wrong.
Has this already been decided @JParty? If left alone, I’m not sure if ads/sponsored games would change, but I don’t know if there are already plans to factor these in or not.
Does this effect groups and clans, as games are shown on their pages, does this mean that group search will filter out groups with “experimental mode” games?
Will adverts for “experimental” games be shown to everyone? Below and above 13?
Related somewhat to question 2, if experimental games will not be shown to users under 13 on the front page, will this effect sponsored games? These show up on the front page.
Thanks in advance and I apologize if any of these have already been answered
Also, things like speedhacking, teleporting and noclipping can be monitored and prevented just through monitoring the player’s walk speed and whether they move position suddenly etc. Most exploits with a player’s character can be detected pretty easily.
ye my game is FE lol I was just asking out of curiousity
I wonder though, if this means that FilteringEnabled games do have a sort of incentive due to the fact that they are likely to get more out of their ads.
It is paramount that either Roblox creates a remote event/function system that can not be spammed with invokes from the client OR Roblox needs to provide a tutorial on securing remote events from DoS-type attacks and any other possible cheats/attacks on the system. Until that happens, forcing devs to secure their game by knowingly exposing a vulnerability that was not present without the “security” is kind of nonsense. Even the workspace is not safe if a remote event or function is pre-scripted to modify the world in some way and the attacker figures this out - they can simply invoke it. Even with careful consideration of facts like that to prevent such a scenerio, a spammed RE/RF can easily lag or crash a game.
Are you telling me spamming a remoteevent can crash a server? This post belongs in exploits then.
Unless the developer is doing some silly overhead for every single request.
And if you post it there, you must upload a rbxl file that shows this is possible. It sounds like developer error to me.
Just a quick & obvious question - Will games with only F.E. still not go into experimental mode? | Since I hear that a lot of good developers use extra security, such as having everything in serverstorage & accessing only through remotes.
^ Just making sure I know & remember.
Asking since Level 7 and some other exploits can easily get past F.E.
FilteringEnabled works by blocking clientside changes from replicating to the server and other clients. There is no exploit which can bypass this unless:
The developer’s use of remotes allows clients to abuse them (e.g. “Yes, I totally just earned 1,000,000 coins”)
It involves physics and the client has network ownership of the objects they’re simulating
It takes advantage of one of the holes intentionally left by the ROBLOX staff for legacy features, mainly with humanoids (but they are fixing this gradually as time goes on)
Some other extreme edge case which is not the case here
“Level 7” is real, but generally it’s something people who exploit like to throw around to sound cool. Level 7 means the client has gained privileged execution permissions for their own client – not the server. A level 7 exploit does not affect the server in a FE game because the clientside changes do not replicate. Exploiters will also enjoy boasting that they can exploit any FE game, but generally these boasts are bogus or involve one of the cases mentioned above.
If you have trouble with exploits in your FE game, ask in #development-discussion and we can help you improve your remote event/function security or redirect you to post an exploit report if its concerning a loophole ROBLOX intentionally left in – otherwise, you will not have FE security issues with your game.
