Unkickable Player?

I’m not really sure how to describe this, or even show it … so, I’ll do my best.

It seems someone has discovered how to create a connection to the Server without ever having a Player Instance created. This is causing some problems in a game I manage, cause they keep joining and causing havoc, but I am unable to use Player:Kick cause the Player Instance doesn’t exist in the first place, only the ServerReplicator. Has anyone experienced this issue before, and have any idea on how to deal with it? Cause I have absolutely no clue on how to deal with this issue :confused:

EDIT: just wanted to thank @MathematicalPie for giving me the information I was able to provide.

So, to be clear, the ServerReplicator method ::GetPlayer() is returning nil?

Yes. They have absolutely no Player Instance, but do have a ServerReplicator under NetworkServer. I have absolutely no idea have to combat this, as I can’t get a LocalScript on them.

EDIT: If we have ServerReplicator:CloseConnection() unlocked, that would solve this problem. Or, ROBLOX could patch the bug, but I don’t think it would be an easy patch.

That’s… unusual. There is actually no way to combat that, then… You should probably put together a post in the bug or exploit section, because this is concerning.

EDIT: Although there shouldn’t be a way for them to manipulate the server unless they’re able to spawn in server scripts, so it should be a big deal.

I think I have a solution, however it will take a while to generate a report. If it works, I’ll post my solution.

As for the bug report, I … don’t know what else to say but what I’ve said now.

Move this to Client Bugs.
Some ROBLOX employees only read that section…

I moved it to Client Bugs, and gave it a “critical” tag. I don’t think it qualifies for “roblox_critical”, and I’m not too sure how that works anyways. Hopefully, they’ll pick up this thread … however, I don’t know what else to provide in this case.

I’ve seen this happen before (on the old rbxdev, can’t find the post); they can be detected but they can’t be kicked. I don’t think this is a very popular exploit though and not many people have it.

You said ‘causing havoc’, right? But if they don’t have a player Instance, and thus nowhere to run local scripts… are they able to create server-side scripts? What’s letting them cause havoc? What are they doing?

Using external programs, such as RC7 or CheatEngine. Yes yes yes … This can probably be solved by using FilteringEnabled, but I don’t have developer permissions for some of the games I manage, and this is causing serious issues. This is what I understand of it so far:

Any Lua State which isn’t identity 2 is able to get the metatable for the game variable. This allows them to do some interesting hacky stuff such as destroying the Player instance and have ServerReplicator:GetPlayer() return nil.

I could be wrong, but I’ve had some friends look into it. I’ll not sure if he can reply here, but @Pkamara should know more.

:confused: You’d think that ROBLOX would make ServerReplicators auto-disconnect when they didn’t have a player, wouldn’t you?

Anyways, thanks for looking into it for me, despite me having nothing to contribute to the discussion. I would hope that some admin sees this relatively soon, and I would totally ping one if I knew who to talk to for this sort of thing.

Ok, I’m adding in some changes to potentially stop this type of thing from working. The game join process is a bit odd, so it is possible to get into this state.

The server should already ignore attempts to parent Player to something that isn’t Players.