How exactly does this exploit work? (Dont actually tell me. It was just a nice question to make sure I knew I read the topic right) It sounds to me you guys are triggering unsecure trigger events from the client? Which if that is the case that would be 100% the developers fault for not doing client checks when the server event is triggered or the server owners fault for not being more aware of the resources they put into their servers.
For most of it, we’re simply using the built in CEF tools and executing JS posts that are clearly inside the client side scripts with zero checks.
The problem is, there was a post about esx_spectate MONTHS ago… right now, 292 servers are still using it. In that same post, mellotrainer was mentioned… 283 servers are still using it…
These aren’t the only ones affected by such an easy exploit. It’s obvious to spot.
Ah. Well thats pretty much the same thing as to using a tool to trigger events then. Its honestly just bad resources.
So FiveM is responsible for servers not paying attention to their resources and just because they didnt remove the resource or not allow the resource to be used on their servers?
Would have loved to see a post concerning the callback code in question compared with the code that can exploit it. Perhaps in one of your upcoming posts that you mentioned.
No. FiveM is in no way “responsible”. Responsibility is in no way anyone but the server owner’s. My response to FAXES pretty much is here, again
In laymans terms : The server owner should’ve read the code and simply realized hey, why does this client side script have kick features?
The main cause to this is rushed scripts. Some people just have an idea, do it as fast as possible, and just post it.
Well I mean FiveM is an open community where sharing is everything no matter if the resource has issues or not. When I say “Responsible” in the original topic he talks about getting rid of certain resources as a “patch” which is why I thought you guys were trying to say (since you both are doing the same thing) that FiveM not “patching” this is a bad thing but going further most of the FiveM server owners dont even know what code is (I dont know why they are an owner at this point. dont ask me as I got no clue why) but going on I honestly doubt anything is done to those resources that are allowing such exploits. The server owners or even the devs should have been more aware on the forums when people started calling out MelloTrainer the first time. Especially if they aren’t the type of owner that can write code and check resources before implementing and if the person installing resources is unaware these issues can happen on bad resources they DEFINATELY shouldnt be in charge of installing them 
Well, in our official unofficial hamcord unofficial official server, we essentially say hey, here are vulnerable servers (memeable servers) that we’ve been on and a channel for hey, how do I fix this.
[quote=“ioerror, post:1, topic:342594, full:true”]we went around to every server with this vulnerability and kicked the entire server with a message displaying our discord, which had channels in it explaining how to fix it.
[/quote]
Weird, cause when this happen to the server I play on, all we got was a message that said HamMafia and then a few racial slurs.
It’s adorable that you think you’re some white knight hacker though.
1 Like
I believe a few of you have the wrong idea about the message behind this; we did this to bring awareness to the community that this sort of thing can happen and will happen when you’re not being smart, as well as to have a basis for which to write a series of informative threads off that will benefit the community in the long run. Not everyone here is a professional full time developer and that is OK 
. It is important that people in the community are exploiting with the intent to better understand the security of this platform and informing others of its flaws so that the developers can either patch these issues, or server owners can implement their own fixes. Posting a big topic entirely based on these ideas including best practices with examples later for the purpose of education, not for the purpose of discussing my own moral compass. I’ll link that here when it’s up.
Yeah. I mean there are a lot of people here on the forums that arent even developers irl and can understand the basics to be able to check if a resource has server event check issues.
The FiveM platform is not the issue. You guys are just exploiting servers. The base platform isnt even being touched. Basically if you think going around and kicking people from their servers is helping then I believe you guys have the wrong idea… You guys 100% knew that the exploits were gonna work on their servers. Why use the exploit instead of just contacting them and helping them fix it. While I understand you guys are making an attempt to fix servers that have flaws at the same time you guys are ruining their experience as a whole.
I never said the issue was with the platform it’s self, but in reality it is an exploit through tools given to us by the FiveM platform. Why not just tell them? We’ve tried, and this was far more fun. Again - this is not a discussion about the morale compass of myself or the others associated. This topic was created to inform others of a flaw, take the information and use it or don’t - that’s up to you.
You said “the security of this platform”? I must have gotten confused.
Correct, referring to the platform’s use of lua as a base for developing your own custom experiences.
Lua is not the Base language on FiveM? Its just the most used as its easy to learn but they have other languages like C# or JS/TS that will have the same flaws if it doesnt have protected events.
I thought the CEF debugger was the issue not the language the resources were written in?
You’re totally correct, all of these other languages can have exploits deriving from bad server to client communication practices, and you are also correct in saying it’s not the specific language being used. The CEF debugger enables this to be done easily, but this ( pardon my French ) shitty coding also enables tons of other exploits, hence the follow up thread I’m writing explaining the root of the issue and how to actually fix the problem in more than one way.
Cool. I will be reading it.
More detailed topic made