What is an Exploiter able to do and is my script Exploitable?

What I’ve Been Told

I’ve been told that RemoteEvents get their UserId locally or through the Client. I am also told that Exploiters can access another client’s PlayerGui Folder. Apparently, exploiters can use something called debug.profilebegin to access another client’s PlayerGui Folder.

My Scripts

My scripts are designed to make sure anyone who isn’t under the Admin ID list can’t get access to these controls or even if they get access to the controls themselves, every time a button is pressed… it checks to see if the user’s UserId is equal to one of the adminIDs.

Improvements/Wants

I have nothing to go off of to know what I can improve on but I want to make sure that my code is unable to be exploited against me.

My Question

Is my script secure and not exploitable? What else do I need to know?

Command In Action

--Made By MillerrIAm
-------------------Variables------------------
local Event = game.ReplicatedStorage.ColorEvents.ExampleEvent
local adminCheck = require(game.ServerScriptService["Scripts|Admins"]["ModuleScript|AdminCheck"])
------------------Main Script------------------
Event.OnServerEvent:Connect(function(plr,function1,function2)
	-- plr is filled in by the server; function1 and function2 are sent by the client
	if adminCheck.Activate(plr) then
		-- admin-only action goes here
	end
end)

Admin Module

--[Made By MillerrIAm]--
--------[Variables]-------
local player = game:GetService("Players")
---------[Admins]--------
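local adminIDs = {678299,4947564}
--[[UserIds in order = {"MillerrIAm" = 678299,"NemesisY2J"}]]
--------[Main Code]------
local adminCheck = {}

function adminCheck.Activate(plr)
	-- Compare the player's UserId against every entry in the admin list
	for _,Admin in ipairs(adminIDs) do
		if plr.UserId == Admin then
			print("Admin Started")
			return true
		end
	end
	-- Return false only after the whole list has been checked;
	-- returning inside the loop would reject every admin except the first
	return false
end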

return adminCheck

If this is the wrong place to put this, please tell me.
Thank you for any feedback you give me.

2 Likes

What you’ve been told is already concerning. Where did you hear this? RemoteEvents get their Player object on the server, so the Player argument isn’t something that can be spoofed. Also, exploiters can’t access other players’ PlayerGui, because that’s only on the other person’s machine and not even the server.

If your admin checks are being done on the server, you shouldn’t have any issues.

5 Likes

I will not disclose this person’s name for privacy reasons but as of what this person states… it’s possible.
This person has yet to show any proof but this person believes this to be possible.

It’s not possible. If people were able to spoof their client for remotes or view other players’ PlayerGui (which aren’t even physically present in others’ machines) there’d be some really big issues for all games.

1 Like

Hello, if you’re still on… I found the message that contained what was needed to access another person’s PlayerGui.
image

debug.profilebegin and debug.profileend are functions for tracking script performance and such. I’m sorry but your friend is either pulling your leg or wildly uninformed.

4 Likes

@Autterfly, @MillerrIAm, The PlayerGui is accessible by the server (Play Solo for proof), so if you have any remote event backdoors either directly, with loadstring() or in the case of a Lua virus (which is found in free models and sometimes plugins), then yes, they can change another player’s PlayerGui, but if the above conditions aren’t met, they can’t do anything to other players’ PlayerGui. As for the Player argument, it is added internally by Roblox, and as far as I know, exploiters can’t do anything to that property.

Well, not quite. Instances put into StarterGui only replicate to the player’s PlayerGui. Even if you had server-side code exec, you still would not be able to access those instances from any player. The server is only able to see instances your scripts put into PlayerGui, but those put from StarterGui into PlayerGui are not replicated back to the server.

The PlayerGui and StarterGui are visible, but anything made in a LocalScript won’t replicate. The server can do a lot to the PlayerGui, actually (if you look at the explorer in the server mode when playing solo, you will find the PlayerGui, and changes you make on the server will replicate); however, the server should never touch the PlayerGui, the client should handle that.
Edit: just for clarification, the PlayerScripts isn’t visible to the Server (which makes sense cause the Server Shouldn’t touch LocalScripts)

That’s very interesting. The old behavior used to be that the StarterGui only got copied locally into the PlayerGui, and not back to the server. After some testing it seems that’s changed, so it’s correct to say the server could interact with it. However, any changes to it from the client still don’t register back, so there wouldn’t be too much use I believe.

Your setup for checking admin is perfectly safe.

The first parameter of OnServerEvent is secure - they cannot send you OnServerEvents pretending they are different players.

However! The other parameters can be, and frequently are, tampered with.

Validate those!

3 Likes
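Server-side validation of the client-supplied arguments, as the last reply advises. This is an added example and not part of the original thread. The meaning of function1 and function2 is not given in the thread, so the example assumes function1 is a command name and function2 is a number; the command table, the SetBrightness command and MAX_BRIGHTNESS are hypothetical.

```lua
-- Added example (not from the thread): server Script that authorizes on the
-- engine-supplied player and validates every client-supplied argument.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerScriptService = game:GetService("ServerScriptService")
local Lighting = game:GetService("Lighting")

local Event = ReplicatedStorage.ColorEvents.ExampleEvent
local adminCheck = require(ServerScriptService["Scripts|Admins"]["ModuleScript|AdminCheck"])

local MAX_BRIGHTNESS = 10 -- hypothetical upper bound for this example

-- Hypothetical allow-list: only names present here can ever be dispatched,
-- so the client cannot choose arbitrary server behaviour.
local commands = {
	SetBrightness = function(value)
		Lighting.Brightness = value
	end,
}

-- True only for real, finite numbers (rejects strings, nil, NaN and +/-inf).
local function isFiniteNumber(v)
	return typeof(v) == "number" and v == v and math.abs(v) ~= math.huge
end

Event.OnServerEvent:Connect(function(plr, function1, function2)
	-- plr is filled in by the engine, so it is safe to authorize on it.
	if not adminCheck.Activate(plr) then
		return
	end

	-- Everything after plr is whatever the client chose to send.
	if typeof(function1) ~= "string" then
		return
	end
	local handler = commands[function1]
	if handler == nil then
		return -- unknown command name
	end
	if not isFiniteNumber(function2) then
		return -- wrong type, NaN or infinity
	end
	if function2 < 0 or function2 > MAX_BRIGHTNESS then
		return -- out of the accepted range
	end

	handler(function2)
end)
```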