The reporting function in the new version has serious security vulnerabilities and may be maliciously exploited.
https://www.minecraft.net/en-us/article/minecraft-1-19-1-pre-release-1
It's described in the article linked above.
It can be seen from decompiling the game source code that the newly updated report feature encapsulates the UUID and the message content after a report is made, uploads the reported information to Mojang, and then has staff review it and ban the account. Therefore a problem arises: any mod coder can write a simple mod that replaces their own UUID with someone else's. In this way, the information sent by the client will be considered to have been sent by the other person. Since UUIDs are public, any bad actor can take advantage of this vulnerability to send illegal information in someone else's name, resulting in the banning of other people's accounts.
I think the solution is to add a token when encapsulating the information, just like the server's online-mode verification, to avoid malicious attacks on other people's accounts.
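The token-based check proposed above, written out as an added example (this is not Mojang's code and not taken from the decompiled client). It assumes a constructed per-account secret token issued at login, and uses an HMAC over (sender UUID, message) as a stand-in for the per-profile signature the comments refer to; the registry, UUIDs, tokens and function names are all constructed for the demonstration. The point it shows is that a report built from a message whose claimed UUID does not match the key that signed it fails verification, so a client that merely swaps in another player's UUID produces an invalid report rather than a ban on that player.

```python
import hashlib
import hmac

# Constructed registry of per-account secret tokens (assumption: the
# verification service knows one secret per profile, handed out at login).
ACCOUNT_TOKENS = {
    "11111111-1111-1111-1111-111111111111": b"alice-constructed-token",
    "22222222-2222-2222-2222-222222222222": b"bob-constructed-token",
}
ALICE = "11111111-1111-1111-1111-111111111111"
BOB = "22222222-2222-2222-2222-222222222222"


def sign_message(sender_uuid: str, content: str, token: bytes) -> str:
    """Bind the UUID and the content together under the sender's token."""
    payload = f"{sender_uuid}\x00{content}".encode("utf-8")
    return hmac.new(token, payload, hashlib.sha256).hexdigest()


def make_message(sender_uuid: str, content: str, token: bytes) -> dict:
    """What a client puts on the wire: claimed UUID, text, and a signature.

    A modded client controls sender_uuid freely, but can only sign with the
    token its own account was issued.
    """
    return {
        "uuid": sender_uuid,
        "content": content,
        "sig": sign_message(sender_uuid, content, token),
    }


def verify_message(msg: dict) -> bool:
    """Server side: recompute the signature with the token that belongs to
    the *claimed* UUID and compare in constant time."""
    token = ACCOUNT_TOKENS.get(msg["uuid"])
    if token is None:
        return False
    expected = sign_message(msg["uuid"], msg["content"], token)
    return hmac.compare_digest(expected, msg["sig"])


def validate_report(report: dict) -> tuple:
    """Accept a report only if every reported message verifies against the
    account it claims to come from."""
    for i, msg in enumerate(report["messages"]):
        if not verify_message(msg):
            return (False, f"message {i} fails signature check for uuid {msg['uuid']}")
    return (True, "ok")


def demo() -> tuple:
    # Genuine: Alice signs her own message with her own token.
    genuine = make_message(ALICE, "hello", ACCOUNT_TOKENS[ALICE])
    # Spoofed: Alice's modded client writes Bob's UUID into the packet, but
    # the only token it holds is Alice's, so the binding breaks.
    spoofed = make_message(BOB, "something reportable", ACCOUNT_TOKENS[ALICE])
    genuine_result = validate_report({"reporter": BOB, "messages": [genuine]})
    spoofed_result = validate_report({"reporter": ALICE, "messages": [spoofed]})
    return genuine_result, spoofed_result


if __name__ == "__main__":
    for label, result in zip(("genuine", "spoofed"), demo()):
        print(f"{label}: {result}")
```

The check is performed against the token for the UUID the message claims, never against whatever the submitting client says its own identity is; that is what makes the swap in the bug description ineffective.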
Comments (6)
@unknown meant creating a chat report in this manner, i.e. the described vulnerability doesn't exist.
I think that's wrong. I can make a mod that replaces my UUID with someone else's UUID, then say something bad, because Mojang's server only gives an RSA token, but any mod coder can code a mod to replace the UUID.
Creating a report in this manner will generate an invalid report.