Why are remote events considered easy to exploit

I assume this is because an exploiter’s client can fire them at will. Are there any other reasons for their insecurity?

Usually, to prevent this, I would have a ModuleScript that stores a code, so when firing a RemoteEvent, you'll need the code to fire it:

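-- ModuleScript
module.Code = 1234

-- Server script (Mod is the required ModuleScript)
RemoteEvent.OnServerEvent:Connect(function(plr, code)
    if code ~= Mod.Code then
        return
    end
    -- handle the request
end)

-- Client script
RemoteEvent:FireServer(Mod.Code) -- or 1234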

Unfortunately that doesn’t work since remote spies can see the arguments used on every FireServer or InvokeServer call.

3 Likes

oof

The “easy to exploit” portion of Remotes comes down to the lack of security on the developer’s end.

4 Likes

There aren’t any other reasons really. An exploiter can call them and send malicious information; you just have to check the credibility of the information on the server. For example, if you have a remote that damages with a close distance weapon, you might wanna check if the player is within a reasonable distance from the target with a magnitude check before actually damaging the target.

1 Like

I just want to add on to this: if you design client to server communication with the assumption the client is not being tampered with, that is where issues occur.

Exploiters have access to all server to client communication and know what data is being passed through. With access to the local code they can use this to quickly interpret the data being sent and what each value means.

It’s best you approach client to server communication as the client requesting the server to perform an action rather than to execute an action. Say a player is buying a new weapon from a store. To save the server some hassle, you could check if the player can afford the item on the client first and, if the client agrees, send it to the server. But before the server gives the player the weapon, the server should do this same check to make sure the client wasn’t tampered with.

Games with bad communication code would just assume the client is being honest at all times and it allows for exploiters to have very easy access to those weak links. Depending on what is available to exploiters it can give them a lot of control.

3 Likes
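
The server-side checks described in the replies above (repeating the purchase check on the server, and the magnitude check before melee damage), as an added example that is not code from any poster in this thread. The remote names `BuyItem` and `MeleeHit`, the `PRICES` table, the `leaderstats`/`Coins` value and the range and damage constants are assumptions.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; every name below is an assumption.
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local PRICES = { Sword = 100, Bow = 250 } -- constructed price table, kept on the server only
local MELEE_RANGE = 8    -- studs; assumed weapon reach plus some latency slack
local MELEE_DAMAGE = 20  -- decided by the server, never taken from the client

local function makeRemote(name)
	local remote = Instance.new("RemoteEvent")
	remote.Name = name
	remote.Parent = ReplicatedStorage
	return remote
end

local buyItem = makeRemote("BuyItem")
local meleeHit = makeRemote("MeleeHit")

-- The client only says WHICH item it wants; price and balance are read on the server.
buyItem.OnServerEvent:Connect(function(player, itemName)
	if typeof(itemName) ~= "string" then return end
	local price = PRICES[itemName]
	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins") -- assumed to be an IntValue
	if not price or not coins or coins.Value < price then return end
	coins.Value -= price
	-- grant the item here (e.g. clone a Tool from ServerStorage into player.Backpack)
end)

-- Returns the root part and humanoid of a living character, or nil.
local function rootOf(character)
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if humanoid and root and humanoid.Health > 0 then
		return root, humanoid
	end
end

-- The client only names a target; the server re-checks the distance itself.
meleeHit.OnServerEvent:Connect(function(player, targetCharacter)
	if typeof(targetCharacter) ~= "Instance" or not targetCharacter:IsA("Model") then return end
	if targetCharacter == player.Character then return end
	local attackerRoot = rootOf(player.Character)
	local targetRoot, targetHumanoid = rootOf(targetCharacter)
	if not attackerRoot or not targetRoot then return end
	if (attackerRoot.Position - targetRoot.Position).Magnitude > MELEE_RANGE then return end
	targetHumanoid:TakeDamage(MELEE_DAMAGE)
end)
```

Neither handler accepts a price, a damage amount or a position from the client, so a tampered `FireServer` call can only request actions the server would have allowed anyway.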