Roblox security and hacking


  • Sometimes I join one of my games and I find a hacker flying around killing people. This can be a very annoying problem for most developers. I have tried local and server-side protection that prevents hackers from deleting anti-exploit scripts, but they still find their way through it. Occasionally they actually bypass Filtering Enabled and start messing with core gameplay scripts! Use this topic to post some anti-exploit scripts to help some less experienced devs. Also, does anyone else experience this problem or is it just me?


  • @lolapus4

    1. Secure your remotes.
    2. Do sanity checks on the server.

  • If you've programmed properly, they can't mess with core gameplay scripts. That's on you.


  • I think the problem is the naming of the scripts. For example, a developer would name an anti-exploit script, "Anti-Exploit Script".
    My solution is naming the scripts weirdly, so the exploits suspect it to be a normal script. If you were to make a local anti-exploit script, put the script into a Gui Instance (or any local Instance) and name it "Gui Handler".

    I don't really know, it's just my opinion.


  • @thesit123, that's stupid.


  • @thesit123, that would be obfuscation. Security through obscurity never works. What if one day you decide a change needs to be made, but because of the poorly named scripts you confuse even yourself? Also, an exploiter can just look at the script despite it being poorly named.


  • @thesit123 whatever the client can see, they can mess with. Also, that's an awful idea: renaming your scripts will do jack.


  • @lolapus4 They can't directly bypass FE, they take advantage of things that the server lets them do. For example, if you have a remote that transfers money to another player like

    -- NEVER USE THIS
    remote.OnServerEvent:Connect(function(p1, p2, amount)
        p1.Money.Value = p1.Money.Value - amount
        p2.Money.Value = p2.Money.Value + amount
    end)
    

    and assuming the server checks the types of the arguments, a hacker could steal money from a player just by doing remote:FireServer(otherPlayer, -1000) to get themselves 1000 dollars. The solution to this problem is to check that the amount of money being sent is more than 0.

    You shouldn't rely on local side protection, as hackers can just remove it and/or modify a script and remove the anticheat out of the script.

    Flying is a hard issue to take care of, since the default movement system relies on the client being the network owner (it handles the physics of the character, which also allows people to teleport the character) and, if you set the network owner to the server, when the client tries to start moving, the character won't move until the server receives the request, moves it, and replicates it back to the client.
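
Added example, not part of any post in this thread: a server-side version of the money-transfer remote from the reply above, with sanity checks applied before any value changes. It goes beyond the amount > 0 check to cover argument types, NaN, fractional amounts and the sender's balance; the remote name TransferMoney, the MAX_TRANSFER cap and the Money value under each player are assumptions.

```lua
-- Added example (server Script). Assumed names: a RemoteEvent "TransferMoney"
-- in ReplicatedStorage and a numeric value object "Money" under each Player.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local remote = ReplicatedStorage:WaitForChild("TransferMoney") -- hypothetical name
local MAX_TRANSFER = 1000000 -- constructed cap, tune per game

-- Returns (fromValue, toValue) when the request is acceptable,
-- or (nil, reason) when it must be rejected.
local function validateTransfer(sender, recipient, amount)
	-- Everything after the first argument is client-controlled: check types first.
	if typeof(recipient) ~= "Instance" or not recipient:IsA("Player") then
		return nil, "recipient is not a Player"
	end
	if recipient == sender or recipient.Parent ~= Players then
		return nil, "recipient is the sender or has left the game"
	end
	-- amount ~= amount is true only for NaN, which passes naive comparisons.
	if typeof(amount) ~= "number" or amount ~= amount then
		return nil, "amount is not a number"
	end
	-- Rejects negatives (the exploit in the thread), zero, infinity, fractions.
	if amount <= 0 or amount > MAX_TRANSFER or amount % 1 ~= 0 then
		return nil, "amount out of range"
	end
	local from = sender:FindFirstChild("Money")
	local to = recipient:FindFirstChild("Money")
	if not from or not to then
		return nil, "missing Money value"
	end
	if from.Value < amount then
		return nil, "insufficient funds"
	end
	return from, to
end

-- The first argument is supplied by the engine, so the payer is always the
-- player who fired the remote and cannot be chosen by the client.
remote.OnServerEvent:Connect(function(sender, recipient, amount)
	local from, to = validateTransfer(sender, recipient, amount)
	if not from then
		warn(("Rejected transfer from %s: %s"):format(sender.Name, tostring(to)))
		return
	end
	from.Value = from.Value - amount
	to.Value = to.Value + amount
end)
```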
