Uploaded image for project: 'Minecraft: Java Edition'
  1. Minecraft: Java Edition
  2. MC-253888

Messages that servers have tampered with through chat reporting are signed and reportable


    • Icon: Bug Bug
    • Resolution: Fixed
    • 1.19.1 Pre-release 5
    • 1.19, 1.19.1 Pre-release 2
    • None
    • Plausible
    • Social Interactions
    • Normal

      Originally detailed in MC-253521. Although 1.19 does not have chat reporting, tampered messages still show when "Only Show Secure Chat" is enabled, so the bug exists in that version as well.

      When a player with chat preview enabled sends a message, the client signs the chat preview, not the originally typed message. A malicious server can control the chat preview to make the client sign an incriminating message, then report that message. Even though the server has tampered with the message, other players do not see any indicator that the message has been modified.

      Here's how the exploit works:

      1. Player types message
      2. Server modifies the chat preview response in a sneaky, hard-to-detect way
      3. Player sends message without realizing it has been edited
      4. Client signs the chat preview response
      5. The original typed text and the signature of the chat preview response, but not the chat preview response itself, is sent to the server
      6. Server formats the original typed text to be the same as the chat preview response
      7. Server sends the formatted message and signature to other clients
      8. Other clients verify the signature and mark the message as secure
      9. Malicious player reports the modified yet secure message

      Code analysis:

      • When the player presses enter to send the chat message, ChatScreen#handleChatInput(String, boolean) runs
      • ChatScreen calls LocalPlayer#chatSigned(String, Component) with the originally typed message and the server-controlled chat preview response component
      • Then in LocalPlayer#sendChat(MessageSigner, String, Component), the server-controlled component (from the preview) and only the component is signed
      • The originally typed message and the message signature is sent to the server

      There are many ways servers could trick users into sending modified messages in step 2:

      • Abuse the fact that players often use muscle memory to type short phrases like "lol", "gg", or "F" (see lol.mp4)
      • Modify the start of a message while the player typing is focusing on the end of the message (see bee.mp4)
      • Use hard-to-see colors in the chat preview to make it difficult to visually see the edit

      There are other ways for servers to modify the chat preview that are either extremely hard or impossible to detect. I will create a private report with details.

      Adding a warning screen notifying players that they are responsible for what is sent through the chat preview is not a solution for a couple reasons:

      • Younger kids and people with the game set in an unfamiliar language will click through the warning without reading
      • Detecting server tampering is either impractical (requires stopping after typing every single message and carefully checking if the message has been changed) or impossible (see the private report)

      How to protect yourself:

      Go to Settings > Chat Settings > Turn Chat Preview off

        1. bee.mp4
          5.57 MB
        2. IMG_0684.jpg
          741 kB
        3. lol.mp4
          5.42 MB

            xilefian [Mojang] Felix Jones
            Tis_awesomeness Tis_awesomeness
            16 Vote for this issue
            25 Start watching this issue