Recently an exploiter managed to affect my game’s performance by sending thousands of invalid requests to RobloxReplicatedStorage, which has all of Roblox’s internal remote events. This caused server performance to degrade, as errors are expensive and, when spammed thousands of times, have a large impact on performance.
I expect Roblox’s internal remotes to be used securely with proper sanity checks, and when an exploiter is detected I expect them to be kicked to completely stop any sort of exploit attempt rather than just returning or erroring.
I’m reviving this thread because it’s still active and being abused to damage the statistics and performance of major games.
Here’s an example of how the vulnerable remote is being used to trigger a server-side error:
```lua
local RobloxReplicatedStorage = game:GetService("RobloxReplicatedStorage")
RobloxReplicatedStorage.RequestDeviceCameraCFrame:FireServer()
--[[
Server-Side Output:
13:47:28.841 Argument 1 missing or nil
Stack Begin
Script 'Script Context.ServerCoreScripts/PlayerViewCapability', Line 67
Stack End
]]
```
Vulnerable corescript code block:
```lua
-- CoreScripts/ServerCoreScripts/PlayerViewCapability.lua
-- Vulnerability is at Line 67
RequestDeviceCameraCFrameRemoteEvent.OnServerEvent:Connect(function(player, requesteeUserId)
	if GetFFlagPlayerViewValidateRequesteeEnabled() then
		local requestee = Players:GetPlayerByUserId(requesteeUserId) -- Here
		if not requestee then
			return
		end
		...
```
Quick patch:
```lua
RequestDeviceCameraCFrameRemoteEvent.OnServerEvent:Connect(function(player, requesteeUserId)
	if GetFFlagPlayerViewValidateRequesteeEnabled() and typeof(requesteeUserId) == "number" then
		local requestee = Players:GetPlayerByUserId(requesteeUserId)
		if not requestee then
			return
		end
```
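A server-side handler for a game's own remote that checks the argument's type before calling anything that can throw, rate-limits each player, and kicks after repeated malformed calls, which is the behaviour the posts above ask for. This is an added example, not Roblox CoreScript code or code from either poster; the remote name `ExampleRequest` and the `MAX_REQUESTS`, `WINDOW_SECONDS` and `MAX_STRIKES` values are assumptions chosen for illustration.

```lua
-- Added example (not Roblox CoreScript code): validate and rate-limit a remote.
-- "ExampleRequest" and the three limits below are hypothetical, tune per game.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local MAX_REQUESTS = 10   -- calls allowed per player per window
local WINDOW_SECONDS = 1  -- length of the rate-limit window
local MAX_STRIKES = 3     -- malformed calls tolerated before a kick

local remote = Instance.new("RemoteEvent")
remote.Name = "ExampleRequest"
remote.Parent = ReplicatedStorage

local state = {} -- [Player] = { windowStart, count, strikes }

-- Returns true if the call may proceed. Malformed calls add a strike and
-- kick at MAX_STRIKES; well-formed calls over the limit are silently dropped.
local function admit(player, isWellFormed)
	local now = os.clock()
	local s = state[player]
	if not s then
		s = { windowStart = now, count = 0, strikes = 0 }
		state[player] = s
	end
	if now - s.windowStart >= WINDOW_SECONDS then
		s.windowStart, s.count = now, 0
	end
	s.count += 1
	if not isWellFormed then
		s.strikes += 1
		if s.strikes >= MAX_STRIKES then
			player:Kick("Too many invalid requests")
		end
		return false
	end
	return s.count <= MAX_REQUESTS
end

remote.OnServerEvent:Connect(function(player, requesteeUserId)
	-- Type, integer and range checks run before any API call that throws
	-- on nil or wrong types; NaN fails the equality test, inf fails the bound.
	local wellFormed = typeof(requesteeUserId) == "number"
		and requesteeUserId == math.floor(requesteeUserId)
		and math.abs(requesteeUserId) < 2^53
	if not admit(player, wellFormed) then return end
	local requestee = Players:GetPlayerByUserId(requesteeUserId)
	if not requestee then return end
	-- Handle the validated request here.
end)

Players.PlayerRemoving:Connect(function(player) state[player] = nil end)
```

Because the rejected path returns without raising an error, a flood of malformed calls costs a table lookup and a comparison each instead of an error with a stack trace.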