MC-253888

Messages that servers have tampered with through chat reporting are signed and reportable

Originally detailed in MC-253521. Although 1.19 does not have chat reporting, tampered messages still show when "Only Show Secure Chat" is enabled, so the bug exists in that version as well.

When a player with chat preview enabled sends a message, the client signs the chat preview, not the originally typed message. A malicious server can control the chat preview to make the client sign an incriminating message, then report that message. Even though the server has tampered with the message, other players do not see any indicator that the message has been modified.

Here's how the exploit works:

  1. Player types message

  2. Server modifies the chat preview response in a sneaky, hard-to-detect way

  3. Player sends message without realizing it has been edited

  4. Client signs the chat preview response

  5. The original typed text and the signature of the chat preview response, but not the chat preview response itself, are sent to the server

  6. Server formats the original typed text to be the same as the chat preview response

  7. Server sends the formatted message and signature to other clients

  8. Other clients verify the signature and mark the message as secure

  9. Malicious player reports the modified yet secure message

Code analysis:

  • When the player presses enter to send the chat message, ChatScreen#handleChatInput(String, boolean) runs

  • ChatScreen calls LocalPlayer#chatSigned(String, Component) with the originally typed message and the server-controlled chat preview response component

  • Then in LocalPlayer#sendChat(MessageSigner, String, Component), only the server-controlled component (from the preview) is signed; the typed text is not covered by the signature

  • The originally typed message and the message signature are sent to the server
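To make the mismatch concrete, here is an added Go model of steps 4 to 8 next to a hardened variant that binds the typed text into the signature together with the preview. It is not the game's code: Ed25519 and the length-prefixed payload are stand-ins for Minecraft's real signing scheme, and the sample strings are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// signingPayload length-prefixes each field (a constructed layout, not the game's real
// one) so that "gg"+"x" and "g"+"gx" cannot produce the same bytes.
func signingPayload(fields ...string) []byte {
	var out []byte
	for _, f := range fields {
		n := len(f)
		out = append(out, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
		out = append(out, f...)
	}
	return out
}

// Pre-release design from the report (steps 4 and 8): the client signs only the
// server-supplied preview component, and receivers verify only the shown component.
func vulnerableSign(priv ed25519.PrivateKey, preview string) []byte {
	return ed25519.Sign(priv, signingPayload(preview))
}
func vulnerableVerify(pub ed25519.PublicKey, shown string, sig []byte) bool {
	return ed25519.Verify(pub, signingPayload(shown), sig)
}

// Hardened variant: the typed text is bound into the signature with the preview, so
// whatever the server relays must carry the player's own words to verify.
func hardenedSign(priv ed25519.PrivateKey, typed, preview string) []byte {
	return ed25519.Sign(priv, signingPayload(typed, preview))
}
func hardenedVerify(pub ed25519.PublicKey, typed, shown string, sig []byte) bool {
	return ed25519.Verify(pub, signingPayload(typed, shown), sig)
}

// Scenario plays the report's steps with a fresh key: the player types `typed`, the
// server previews `tampered`, the client signs after the delay, and the server relays
// `tampered` to other players. It returns whether receivers mark that message secure.
func Scenario(typed, tampered string) (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	vSig := vulnerableSign(priv, tampered) // step 4: the preview, not the typed text
	hSig := hardenedSign(priv, typed, tampered)
	return vulnerableVerify(pub, tampered, vSig), // step 8: "secure", typed text is gone
		hardenedVerify(pub, typed, tampered, hSig), // verifies, and typed text is in the record
		hardenedVerify(pub, tampered, tampered, hSig), nil // server hides typed text: fails
}
```

In the hardened variant a report always carries the typed text alongside the shown component, so a reviewer can see that the two differ.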

There are many ways servers could trick users into sending modified messages in step 2:

  • Abuse the fact that players often use muscle memory to type short phrases like "lol", "gg", or "F" (see [media])

  • Modify the start of a message while the player is focused on typing the end of the message (see [media])

  • Use hard-to-see colors in the chat preview to make it difficult to visually see the edit

There are other ways for servers to modify the chat preview that are either extremely hard or impossible to detect. I will create a private report with details.

Adding a warning screen notifying players that they are responsible for what is sent through the chat preview is not a solution, for a couple of reasons:

  • Younger kids and people with the game set in an unfamiliar language will click through the warning without reading

  • Detecting server tampering is either impractical (requires stopping after typing every single message and carefully checking if the message has been changed) or impossible (see the private report)

How to protect yourself:

Go to Settings > Chat Settings > Turn Chat Preview off


Comments 11

(The following are my personal thoughts; I am not a Mojang employee)

It appears chat preview only exists so that receiving players, who have the setting enabled to only show signed messages, see the decorated message. But even then they might not see the decorated message because (a) the sender has disabled preview or (b) the sender wrote the chat message before the preview was signed (there is some short delay). So on busy servers I imagine the receiver would see a mishmash of decorated and non-decorated messages (possibly even from the same sender). And, as shown by this report, all of this comes at the cost of risking that malicious servers can modify the sender's message.

It wouldn't surprise me if soon a mod for this is published which shows the preview to the client, but never signs it. This would also show that from a technical standpoint nothing prevents this.

To me it looks like the solution would be either to not sign the preview, or to sign a combination of original message and preview. Then even if the message is reported, the Mojang employees would see that the decorated message differs from the original message.

Also, in the examples you show, the server is broadcasting the message to all players. However, the server could also just silently consume the message and then itself report the message, or only broadcast it to all other players but not the sender themself. To the sender it would then just look like the message got lost, and they would not even have a clue what is happening.

This is the intended design of Chat Preview. 🙂 The preview feature was designed with the Secure Chat system in mind: it is a part of the core intention of the feature that the server-modified messages can be signed by the sender and not appear as 'Not Secure'. A lot of custom servers depend on being able to modify chat message content and styling, which is very much incompatible with chat messages being signed on the client; Chat Preview is essentially the solution to that problem.

As a user, through the warning screen and through experience with the feature, it should become clear that when you send a message that has a preview, what you send in chat will be what is previewed. It's not necessary for users to understand the Secure Chat system or cryptography to know that what shows up in chat after you type it will be what you are held accountable for (whether that is through the global chat reporting tool or otherwise). As is the case before 1.19, it's reasonable to assume that if a server is modifying a player's messages through chat preview, that player will lose trust in that server.

As also mentioned by Marcono1234, there is a period of time after receiving a preview before which the preview will not be signed. This gives players time to react to a potentially malicious preview received from the server.

I think it is understood that this is the intended behaviour of the feature, the problem is that the intended behaviour seems inherently flawed and exploitable by a malicious server.

Yes, if someone realises that their message is being modified, they will probably not want to play on that server anymore but by the time they realise the message they sent has been modified, it is likely too late. If a malicious server owner was to make an innocent player say incredibly vulgar, disgusting and potentially illegal things, the innocent player is now responsible for those words despite not actually meaning to say them solely because their message will be signed.

You also haven't really addressed the fact that people will type messages based on muscle memory or that if someone is focussed on typing a longer message, they may not even notice that certain words in the message have been changed. You might personally proofread every single message you send in game but that is certainly not the case for many people.

Obviously as someone not working at Mojang, I don't have access to the absolute latest information about the report system but as the system is in the latest prerelease, you could have a completely innocent player sending messages that could be reported by every other player in the server and because of the level of the stuff said, may lead to them being banned.

@unknown Could you please review this bug post again?
Bad actor servers can hypothetically get players banned.
If the player were to notice at all that their messages had been tampered with, they would, if they appealed against said ban, have no chance to prove the server was the actual culprit.

That can't be "WAI"?

⚠️ Please do not add Affected Versions to resolved reports.

Have a look at the Resolution and the comments to see why this ticket has been resolved. If you think this ticket has been resolved erroneously you can contact the Mojira staff on Discord or Reddit.

-- I am a bot. This action was performed automatically! If you think it was incorrect, please notify us on Discord or Reddit


Let me restate:

> there is a period of time after receiving a preview before which the preview will not be signed. This gives players time to react to a potentially malicious preview received from the server.

That means if you write a message and quickly send it, you will still sign exactly what you have written, no matter what was in the preview. Which means that any tampering of that type will be visible in the chat report.

We understand that if you type really fast it will show that there was tampering, the problem is that this solution isn't good enough.

Imagine the average computer user, pecking at their keyboard one key at a time, not looking at the screen because they don't know how to touch type. All it takes is for them to wait the slightest bit too long to hit enter for their message to be manipulated and signed. I'd even argue this directly harms children who are the major target for this report system to protect. Kids are easily manipulated onto another server and are less likely to be capable typists than adults that have spent their entire life at a computer which means they specifically are more vulnerable than other people.

This also doesn't address if someone was to type out a long message and have the message hijacked in a similar way to what is demonstrated in the "bee" video. Humans are really bad when it comes to misdirection (so bad in fact that there is an entire industry around it called "Magic").

Why should a message be signed if it has been manipulated at all? Even by an innocent server using the feature as intended? Signatures are supposed to be verification that the person did in fact send what they sent but in this case there is a non-zero chance that what they sent and what was typed are entirely different.

My solution would be to force the client to sign that the message has been in fact modified (perhaps even including the original text) or to simply not sign messages that have been modified by someone that isn't the one typing it since that undermines the entire point of a signature system in the first place.

I will also add that no amount of time is enough to delay the signing. Someone could easily type out a message, get called to do something then return and hit enter right away without thinking about it.

This period (at least on pre-2) was 200 milliseconds; it's really easy to get tricked into signing something else.

Personally I believe only words written by you should be signed, and what you can do is let the server have an "alternative visualization" (formatted message) for the message which is what displays in chat, however, when opening the report screen you always see the original messages to report, and those are always the players' words that they have typed in.

This removes the need for the client to sign arbitrary components sent by the server, as well as the whole need for the chat preview feature. The main drawback is that you can no longer show in chat whether messages were tampered with by the server or not (because any of them could be tampered with, but probably aren't, and if they are, you would still be able to just see the actual message when trying to report, on the report screen). But I don't really see this as an issue, because even with the chat preview feature, servers which rely on editing chat messages cannot actually rely on the clients' text, as the client (due to that delay, or disabling chat preview) could be sending the raw unmodified text, and the server will still want to apply the formatting, meaning it will just become invalid anyway.

I have to agree that the signing delay is not acceptable.

As I've mentioned before in a comment on MC-253521, a lot of people never read anything important.  What can you expect in an era where nobody likes to read anything anymore?  Especially in video games, people just want to get into the action.  It's the reason why modern games teach you how to play the game through in-game tutorials instead of giving you an instruction manual that you have to read through before playing.  It's the reason why when a player is looking for a new server to join, they look for screenshots and not large amounts of text.  Is this tutorial going to be a hard one where you've only completed the tutorial after your first ban?  Maybe the warning should be a diagram instead.

Maybe this is better than the purely text warning.  More people will actually get it at least.  It still doesn't cover people who speak other languages though, especially since a lot of Minecraft is machine translated into other languages if I'm not mistaken.

[media]

I understand a lot of large companies rely on users not actually reading the Terms of Use in order to screw them over, for example, when you forced people to migrate to Microsoft accounts, for a lot of people it didn't even cross their minds that they would be required to be bound by Xbox and Microsoft's Terms of Use just to play a game they've been playing for over a decade.  But at what point is it too much?  Telling people they are responsible not for what they typed, but are in fact responsible for what appears in the preview, crosses that line.

How are you going to handle people who type slowly?  Their eyes might be focused on the keyboard the entire time (I've seen this many times in other people) while they type a lot slower than I do, and if it takes more than 200 ms from the time they hit the last character to the time they hit enter, it will sign the preview instead of what they typed?

Not to mention the fact that if someone has a typing speed that results in the time they take to hit the enter key to always be right around 200 ms, the system might start to feel a little broken with its inconsistent behaviour, with half of their messages showing up as "trusted" and the other half of their messages showing up as "tampered."

The whole point of signing in cryptography is to make it easy to prove something came from you.  When you sign a Minecraft jar, you don't send the jar off to some preview agency, and sign what they give back to you, right?  Or is that something you do?  What if the preview agency injected malicious code into the jar?  Would you still sign it and then distribute it to your users?

Don't sign the preview at all, only sign the originally typed message.

Surely it would be better to compromise on chat features than to compromise on player account security with potentially falsifiable messages? This is not a non-issue; it's exploitable despite the 200 ms delay. Why should a player be penalized for not noticing the server changed their message? This means real consequences for the player whose message was tampered with, and no way to seek recourse.

Tis_awesomeness

Felix Jones

Plausible

Normal

Social Interactions

1.19, 1.19.1 Pre-release 2

1.19.1 Pre-release 5

Retrieved