mojira.dev
MC-301330

Malicious server can force client to remain stuck on code of conduct screen

Note: This report pertains to an exploit present within the unmodified game client which allows server hosts to ‘softlock’ the client on a screen containing content sent by the server owner. This poses serious safeguarding issues for young and vulnerable users.

If a server is modified to repeatedly send the code_of_conduct packet it replaces the screen displayed on the client with the updated code of conduct, including if the displayed screen is also the code of conduct screen. Doing this prevents the disconnect button from working properly on the client and the server can use this to force the player to fully close and reopen their game in order to leave the screen.

As shown in the video attached, it is possible to display low resolution single colour images and videos within this menu by using braille characters.
POC used for video: https://github.com/barnabwhy/code-of-conduct-anim

This can be used by a bad actor to display potentially explicit imagery within a player’s game client. It could also be used to alternate sending strings filled with large amounts of white characters and empty strings to cause a strobing effect, potentially causing seizures in players who suffer from epilepsy.

Steps to Reproduce:

  1. Run a server which is modified to repeatedly send code_of_conduct packets.

  2. Connect to that server with an unmodified client.

  3. Attempt to exit the code of conduct menu using any of the in-game buttons.

Observed Results:
Pressing disconnect has no effect and the code of conduct being sent takes priority, forcing the player to close their game in order to exit the menu.

Expected Results: 
Pressing disconnect will return you to the server list and the code of conduct is no longer displayed.

Note for those reviewing this bug report: This is the same as MC-301320, which was erroneously closed due to the requirement for the server carrying out the exploit to be modified. This doesn't matter as the bug lies within the client’s handling of the code of conduct screen and, as with the vast majority of exploits, even though the client is not at risk from an unmodified server it should be assumed that an exploiter is willing to modify their game in order to affect others.
Please do not close this as a duplicated report as there is more detail provided within this report than the previous.
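
The client-side behaviour described in this report can be modelled as a small state machine. The following is an added example, not code from the report or from the game: every class, field and method name is hypothetical, and the hardened branch is one possible mitigation, assumed here rather than taken from any actual fix.

```java
// Hypothetical model of a client handling code_of_conduct packets.
// None of these names are the game's real classes.
public class CodeOfConductModel {
    enum Screen { SERVER_LIST, CODE_OF_CONDUCT }

    static class Client {
        final boolean hardened;
        Screen screen = Screen.SERVER_LIST;
        String shownText = "";
        boolean connectionOpen = true;
        boolean decisionPending = false; // a code of conduct is awaiting the user's answer

        Client(boolean hardened) { this.hardened = hardened; }

        // Called for every code_of_conduct packet received from the server.
        void onCodeOfConduct(String text) {
            // Hardened: drop packets once the user has left, and refuse a second
            // code of conduct while the first is still awaiting a decision.
            if (hardened && (!connectionOpen || decisionPending)) return;
            decisionPending = true;
            shownText = text;
            screen = Screen.CODE_OF_CONDUCT; // replaces whatever screen is showing
        }

        // Called when the user presses Disconnect.
        void onDisconnectPressed() {
            connectionOpen = false;  // only the hardened handler checks this flag
            decisionPending = false;
            screen = Screen.SERVER_LIST;
        }
    }

    // Constructed scenario: three packets arrive, the user presses Disconnect,
    // then two more packets arrive from the server.
    static Client simulate(boolean hardened) {
        Client c = new Client(hardened);
        for (int i = 0; i < 3; i++) c.onCodeOfConduct("frame " + i);
        c.onDisconnectPressed();
        for (int i = 3; i < 5; i++) c.onCodeOfConduct("frame " + i);
        return c;
    }

    public static void main(String[] args) {
        for (boolean hardened : new boolean[] { false, true }) {
            Client c = simulate(hardened);
            System.out.println((hardened ? "hardened" : "unguarded")
                + ": screen=" + c.screen + ", text=\"" + c.shownText + "\"");
        }
    }
}
```

In this model the unguarded client ends on the code of conduct screen showing the last server-sent text, while the hardened client stays on the server list and never displayed more than the first text it received.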

Attachments

Comments 1

This isn’t fixed. See my comment on MC-301333 (private issue since it is effectively a vulnerability)

Barnaby

slicedlime

Plausible

Platform

Very Important

Networking, UI

25w34b

25w36a
