Player.Chatted fires an event with the parameters message and recipient. As described on the Roblox Developer site, recipient is set to nil if the player was not whispering to another player, but contains a Player instance when the message is sent in whisper chat. This event currently fires on all clients regardless of the intended recipient.
Recently, a lot of exploits have surfaced, some of which that allow the exploiter to listen to the Chatted event to spy on peoples in-game conversations. Players on the platform have the belief that using the whisper chat is a means of private communication between themselves and their friends.
Due to this, players often share personal information via whisper messages, which currently can also be viewed by exploiters. Exploiters may use this information to then intimidate players, potentially making players feel scared that their personal information can be accessed by someone random.
Roblox server should check the recipient argument and only send the event to the intended recipient if there is one, instead of broadcasting it to all clients.
Sorry, but I wholeheartedly disagree with this. I use the Chatted event to log messages in my game to detect if players were being abusive with the chat system.
I personally believe that, with messages being completely private, that it’d cause greater harm than good; as I could not have my game moderators deal with abusive players exploiting the chat system to say demeaning things to my players without being able to actually confirm said interaction happened.
Going with the post above a simple fix would be to only fire Player.Chatted with whispers on the server rather than both the server and the client. That would prevent exploits from logging whispers and would allow developers to log chat. As for sharing private info that should technically be for the filter to do its work (Seeing as how it filters almost everything I’m not sure what secrets players could send to each other).
The main issue I am wanting addressed here is with regards to exploiters having the ability to view these types of messages. This shouldn’t replicate to other clients, if they’re not the intended recipient.
I can see a legitimate interest to process information from the whisper chat, if that’s for moderation or otherwise but that should only be accessible via the server, and not other clients. That’s the main point I am wanting to address here.
To answer this a bit, although the Roblox chat filter does a lot to filter potential personal information, we still often see players sharing personal information such as Discord tags, their age, etc.
See, for the current state it’s in, I just put LocalScripts in game moderators’ PlayerGuis that listen to these chatted events, as I would just be unnecessarily adding on latency if I were to have the server just send it back to me anyway. Also, the extra latency applied to just having the server send back this data to me would be undesirable, as it’s really dependent on game performance which really fluctuates a lot (replication always goes before this RemoteEvent stuff). I forgot to mention that, the Chatted event never shows the recipient and that that part has been broken for ages (always shows nil).
See, for the current state it’s in, I just put LocalScripts in game moderators’ PlayerGuis that listen to these chatted events, as I would just be unnecessarily adding on latency if I were to have the server just send it back to me anyway.
What extra latency? There is no difference between the server sending chat messages to everyone via the .Chatted event and you manually replicating it to moderators through a RemoteEvent. The few bytes of extra overhead are completely insignificant compared to the thousands of bytes sent every second for character movements and other things your game does in the background.
The correct way to handle this in your case would be to catch the event on the server and send that information to your moderators specifically, so that exploiters have no way to eavesdrop on private conversations. The recipient parameter being broken is not a reason not to patch this vulnerability and should be fixed alongside of this.
My point was that just checking it another time is pointless, as it’s checked already. Every bit matters when Roblox servers run on Pentium D-esque processors. Also, many games currently rely on this replication behavior, so I believe this should not be culled.
I 100% agree it is an issue however - the purpose of the feature is clearly to keep chats private + there should be no way for people to bypass the point of it.
This issue can be solved by modifying or adding another chat module to only send a FireClient to the exact recipients if it’s a whisper message and to also disconnect the client and server from using/firing the player.Chatted. However, it is right that I believe server side chatted should receive all messages but client sided chats should only be receiving public or it’s own whispers.
I agree that a whisper message should be private. Although the previous post provides a workaround, I don’t subscribe for allowing bad behavior to continue for the sake of not disrupting the apple cart. Better default security options should be employed whenever possible, and this appears to be a no brainer. A boolean or property to change the default if need be can be provided, but as a user I’d just assume all communications are public. Educationally promoting good computing practices takes time and since most people on Roblox are kids we can’t assume they know any better.
This was reported back in 2017, but hasn’t been addressed yet. I believe that this is an important issue that needs to be addressed, as it affects the user’s privacy.
The server is already the one firing the remote to the clients. Whispers are not peer-to-peer. A peer-to-peer system would actually make IP grabbing possible, which is a big no-no
There wouldn’t be any added latency (It would actually reduce the amount of outgoing requests from the server, albeit by a negligible amount), as the server is already the one sending the data. All the change would do is prevent the message from being sent to non-recipients. The chat script can also be modified to add moderators as recipients.
This check would equate to iterating through the player list, and only firing the remote for the players that need to receive the message. It is not that demanding, and the impact to performance would be nearly impossible to detect, as other factors contribute way more to the hardware resource demand.
I think there would be a way around this. As Roblox sends the event to the server, which you can grab by attaching a remote to it in the MessageSender under Chat, or just grab the default Chat RemoteEvent from the server.
How it currently goes: Client sends Message > FireServer > Server handles request > FireAllClients > Client finds if it’s supposed to be responding to that Remote
Which this allows the client to snap onto any messages getting sent and from who, including whispers. This is how I think it should be done: Client sends Message > FireServer > Server handles request and decides if it should be sent to one or more users > FireClient / FireAllClients based on if it’s a private or public message > Client adds it to the chat
With this you could still hook the server on the Remote, still getting every message, whisper or not, which then you could still create your message logging system like this.
Like sure the exploiter could just replicate the Message Logging system from your Moderator’s UI but that’s not for us to worry about, that’s on you for detecting that yourself. As this security check would be a helpful change for everyone and impact the few that use it for legitimate purpose. Stopping those who misuse it completely and making it so the people who use it correctly simply have to change it’s done.
tl;dr: This is much needed. It will remove chat spy exploiters and will add simply an extra, but necessary, security step for those who use it correctly for messaging logging for administration purposes on their own games.
I agree; Roblox could fix this quite easily. Just make it so LocalScripts cannot access Player.Chatted without remotes. Reply to me if there may be any issues with this little fix of mine.
