I am assuming most of you heared of it, since a week or so the populair paid lua executor “■■■■■” added some function called “Trigger Logger”.
In short terms this means that any cheater using this lua executor can now intercept the server events wich get triggered by the player.
This function is so powerfull, it fetches the arguments sent with the trigger. Currently we use salty tokenizer but sadly, this is completely useless since once you have triggered an event (legit not by executing it illegaly) you can see the token.
So basicly, this is how an “secure” server event looks like
TriggerServerEvent(‘rtp_casino:pay’, securityToken)
and trigger logger shows this:
Resource name | trigger name | [args]
and args will in this case be:
[“880c120f-1aed-4a8b-ae10-f35def7649a9”]
this is the full token, and with this token you can now execute the trigger over and over again, and since the token is valid, it wont ban you or kick you.
i was wondering if any of you know how to fix this issue since it is quite urgent.
Instead of adding all kinds of extra security with weird tokens make sure your events aren’t exploitable so even if they trigger them they won’t do any damage
Hmm, that would be useful for some resources like jobs but I honestly think it is safer to tokenize events. I do know it is possible to detect and kick/ban cheaters using this event logger, some server did patch it somehow but I would have no clue even how
Right, so basically I think we just need to add various checks in our server events to ensure player’s are only getting rewarded once they have done all the required actions for example… so even if an event is triggered, it won’t be exploitable
Along with input validation/sanitation for any arguments and what not