[Bug] skillcheck minigame exploitable #694

Open
fivemsmostwanted opened this issue Jan 22, 2025 · 8 comments
Labels
bug Something isn't working

Comments

@fivemsmostwanted

fivemsmostwanted commented Jan 22, 2025

Describe the bug
The minigame skillcheck can be bypassed by intercepting the fetch request. This allows users to send a modified boolean value (true) for the skillcheck, ensuring they always pass without interacting with the UI. (tested on the latest version)

To Reproduce

  1. Open the NUI with browser developer tools.
  2. Override the window.fetch function in the console.
  3. Modify the fetch request body for the skillcheck to always send "true".
  4. Trigger a key event for the skillcheck, and it will always pass.

Expected behavior
The skillcheck will always be validated without a single input

Video:
https://streamable.com/z286iv

fivemsmostwanted added the bug label Jan 22, 2025

@BerkieBb
Contributor

How should the skillcheck be validated with input?

@Hackuou

Hackuou commented Jan 22, 2025

The only way to prevent abuse would be to check input through client resource scripts, not NUI.
The new IsRawKeyDown/IsRawKeyPressed natives could be used for this without having to create key mappings (like you would have had to do in the past).

@BerkieBb
Contributor

And how exactly would you validate this with NUI? Considering that the minigame itself is made and controlled by NUI.

@Hackuou

Hackuou commented Jan 22, 2025

Generate the position (and key) on the client script, send that to the NUI so it can create the minigame and then let the client handle the correct input timing. The NUI would only need to generate the minigame based on the provided key and position information.

The correct timing could presumably be handled on the client still as NUI messages should be mostly instantaneous so there shouldn't be many syncing issues.

Making sure the key is pressed at the correct time would just be a simple timer based on how fast the minigame is and where the correct position is. If the key is pressed in the valid timeframe then they completed the minigame successfully.

@BerkieBb
Contributor

NUI isn't exactly as fast as you think it is. It takes several ms for an NUI message to be sent and NUI can hitch whilst the game continues. Not a reliable solution you got there.

@Hackuou

Hackuou commented Jan 22, 2025

Sending the NUI message through JS seems to lower the message delivery time to close to 1-2ms on average from some short testing. Which I'm sure could increase when NUI starts to slow down (but I would argue that should only happen if people have poorly optimized UIs running).

There's another exploit/bug with the current system (which is basically the same as the one mentioned originally) where one could seemingly keep the skill check active till they decide to complete it by hooking into and preventing the failure request being sent back to the script. And then only sending the completion request when they so wish, since there's no timeout or anything without the invoker implementing one themselves.
This could actually further cause issues with other scripts not sending skill checks because another is already open (if the scripts have implemented such a check).

(I'm sure you could technically create the UI (mostly) through native methods too if you really wanted. Small style changes would be fairly easy for users to make but major or "advanced" changes would be a little harder than they are now most likely. I don't think this is a good idea myself but I don't see anything that would actually prevent it).

Plus, shouldn't NUI only really hitch when poorly optimized UIs are active anyways? And wouldn't NUI hitches/"stutters" also cause some issues for the user trying to time the skill check with the current NUI implementation, if the slowdown is consistent then sure but if it starts to fluctuate it would be a little confusing?
Since there's no way to check NUI performance and therefore no way to mitigate those hitches I can understand that still being a concern though.

My proposed solution isn't perfect but the current system seems far too easy to exploit, with no real way to fix it in its current implementation. I understand your reasons and concerns of not wanting to change the way it works but just thought I'd give my opinion and suggestions.
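
A sketch of the approach proposed in this thread, added here as an example; it is not code from any participant or from the project. It keeps the challenge, the timing window and the timeout in the client script, so the NUI only draws and nothing it sends back can set the result. All function names, the constant-speed rotation model and the default values are assumptions.

```javascript
// Added example: skill-check timing decided in the client script, not in NUI.
// Names and the constant-speed rotation model are assumptions for illustration.
const KEYS = ['W', 'A', 'S', 'D'];

// Build a challenge in the script. Only `render` is sent to the NUI for drawing;
// `state` never leaves the script, and no NUI callback can set the result.
function createSkillCheck(now, opts = {}) {
  const { degPerMs = 0.2, zoneWidth = 30, toleranceMs = 50, rand = Math.random } = opts;
  const key = KEYS[Math.floor(rand() * KEYS.length)];
  const zoneStart = 90 + Math.floor(rand() * (240 - zoneWidth)); // zone fits in one lap
  const state = {
    key, zoneStart, zoneWidth, degPerMs, toleranceMs,
    startedAt: now,
    deadline: now + 360 / degPerMs, // one lap of the indicator, then automatic failure
    done: false,
  };
  return { state, render: { key, zoneStart, zoneWidth, degPerMs } };
}

// Call from the script's own key polling (e.g. the raw-key natives mentioned above).
function onKeyPress(state, pressedKey, now) {
  if (state.done) return 'ignored'; // the outcome is decided exactly once
  state.done = true;
  if (now > state.deadline) return 'timeout';
  if (pressedKey !== state.key) return 'fail';
  const elapsed = now - state.startedAt;
  // Time window in which the indicator is inside the zone, widened by a
  // tolerance that absorbs NUI message latency and small hitches.
  const earliest = state.zoneStart / state.degPerMs - state.toleranceMs;
  const latest = (state.zoneStart + state.zoneWidth) / state.degPerMs + state.toleranceMs;
  return elapsed >= earliest && elapsed <= latest ? 'pass' : 'fail';
}

// Call every frame so a check that is never answered cannot stay open.
function onTick(state, now) {
  if (state.done || now <= state.deadline) return null;
  state.done = true;
  return 'timeout';
}
```

The `now` argument is whatever millisecond clock the script uses, and `toleranceMs` is the knob for the NUI latency concern raised earlier in the thread.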

@jag3dagster
Member

You're welcome to take some time and write up your proposed solution as a pull request and provide validation testing / results for the team to review.

@Hackuou

Hackuou commented Jan 23, 2025

Will do if I can find time. 👍

4 participants