Warning: LocalScripts run by exploits can alter .Touched() parts server side

If you’ve been out of the loop of ROBLOX’s Sword Fighting community (linked swords), let me introduce you to the common sight: Reach exploits.

How it works:
Basically, all you do is run a short script to resize the sword’s handle and go on your merry way, killing people from miles away. Now, this looks like a simple issue targeting only a portion of the community, except you can actually resize any part with a .Touched event and it will replicate server side, which means other people are also affected.
You could simply go to Natural Disaster Survival, resize one kill brick to something huge, sit back and watch as the whole server dies. Thankfully, the resized .Touched fires only once, but this is not the case for the linked sword, as it runs a touched event over and over. This is a serious security flaw and it’s been a thing for years.

This is probably the wrong section, but I cannot post it anywhere else, so here you go. This is currently unpatchable by the way.

You’re supposed to do magnitude checks to combat this.

If you want to post in a section you don’t have access to, you can follow the Post Approval Procedure, outlined in Rule 15.1:

With that out of the way, this is a cool resource, but I wouldn’t exactly know where this can go because it can’t go in #learning-resources:community-resources because of how specific this post is and how little information is here.
If you are able to generalize this post a little more and add more information, like how to combat this, because it actually is patchable with magnitude checks, like @Darkmist101 said, you might be able to get this post approved.
The only other place I can think of putting this post is in #platform-feedback:engine-bugs, but that will require a little different format as well. Just read the “About the _ category” topics at the top of each category, see which one fits the purpose of your post best, and just format it correctly based on the chosen topic’s requirements. Then, you can follow the Post Approval Procedure to land it there.

This has been the case for as long as I can remember. In order to combat this, you can add sanity checks such as some distance limit for dealing sword damage.

Exploiters are able to do more than this too. It’s possible for them to fire Touched or TouchEnded for any part in your game, without actually touching it or even being nearby.

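A server-side form of the magnitude check and distance limit suggested in the replies above, as an added example that is not code from any poster in this thread. It assumes a server Script inside a sword Tool with a part named Handle; `MAX_REACH`, `DAMAGE` and `COOLDOWN` are assumed values to tune per game.

```lua
-- Server Script inside the sword Tool (added example, not from the thread).
-- MAX_REACH, DAMAGE and COOLDOWN are assumed values; tune them for your game.
local MAX_REACH = 8   -- studs allowed between the wielder's root and the hit part
local DAMAGE = 10
local COOLDOWN = 0.5  -- seconds between accepted hits on the same victim

local tool = script.Parent
local handle = tool:WaitForChild("Handle")
-- Weak keys so destroyed Humanoids do not accumulate in the table.
local lastHit = setmetatable({}, { __mode = "k" })

local function getWielder()
	-- An equipped tool is parented to the wielder's character model.
	local character = tool.Parent
	if not character then return nil end
	local humanoid = character:FindFirstChildOfClass("Humanoid")
	local root = character:FindFirstChild("HumanoidRootPart")
	if humanoid and root and humanoid.Health > 0 then
		return character, root
	end
	return nil
end

handle.Touched:Connect(function(hit)
	local character, root = getWielder()
	if not character then return end

	local victimModel = hit:FindFirstAncestorOfClass("Model")
	if not victimModel or victimModel == character then return end
	local victim = victimModel:FindFirstChildOfClass("Humanoid")
	if not victim or victim.Health <= 0 then return end

	-- Magnitude check: do not trust that Touched implies proximity. Compare the
	-- positions the server sees and reject hits beyond normal sword range,
	-- whether the event came from a resized handle or was fired remotely.
	local distance = (hit.Position - root.Position).Magnitude
	if distance > MAX_REACH then
		warn(("Rejected hit by %s at %.1f studs"):format(character.Name, distance))
		return
	end

	-- Per-victim cooldown so repeated Touched events cannot stack damage.
	local now = os.clock()
	if lastHit[victim] and now - lastHit[victim] < COOLDOWN then return end
	lastHit[victim] = now
	victim:TakeDamage(DAMAGE)
end)
```

The same distance test can be applied to kill bricks and other Touched handlers by comparing the touching character's root position to the part's position and size before acting.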

This is because of automatic network ownership. Physics for unanchored parts that are near a player, or tools that a player has in their character will be handled by that player. This is for latency reasons; this is what it would look like if you had the NetworkOwner of the tool set to the server rather than the player:

short video


It’s easier to tell how painful the difference is when you’re in-game, but you can see the movement delay between the animation beginning to play and when the character actually moves.


Wrong category, please use post approval