mojira.dev
REALMS-162

Banned player still able to access realm.

We recently banned a player and he somehow managed to access the realm despite being removed from the access list and blocked. Extensive griefing resulted.

Made this private because it's a security issue.

Comments 8

Thanks, we'll escalate.

Please provide the gamertag (minecraft playername) of the realm owner so someone can investigate if this is a unique issue instead of a bug.

Realm owner is unerds.

We've had to take the realm off-line until the culprit is permanently blocked.

We cannot reproduce in our testing - as soon as a player is removed, that player no longer sees the realm in their list.

Please provide the name of the player who should have been removed from your realm. Is it possible you've removed the wrong account?

I'll ask the developers to have a look at the realm owned by unerds, but I can't guarantee anything.

I recommend taking a screenshot of all invited players (so you can reinvite them all later), then removing all for the time being and seeing if others can still access the realm. If others (I'd suggest contacting ones you trust) can still access it, we've definitely got a bug of some sort.

Can you provide more details about the realm? How many players have been invited, how many removed, over what period of time? Any irregularities seen in the world or realm administration?

The banned player ign is Aknoof007. We know he is using a pirate copy of mcpe because he bragged about it (can supply evidence if required). He originally complained about losing access, so no, it was definitely the right account that was removed. However, the following day he was back.

How are you doing realm access control? Are realms just hidden or is there some sort of authentication system? If the former, it's possible that he's managed to record the address and has a mod that allows him to directly access the realm. If the latter, well, that's more disturbing.

Can you please add (jira username: unerds) to this thread so he can participate?

Thanks

Thanks, I've forwarded this to the realms team. I myself don't have access to give you the answers you're looking for. Anyone can participate in this thread, but I can't add another user here, or make them watch the ticket. I'd recommend emailing unerds and sending him a link to this ticket. If unerds clicks "watch this issue" he/she will get email updates whenever the ticket is updated.

Oops, forgot this is a private ticket. I'll make it public since the ticket doesn't directly describe how to achieve this exploit, just that one seems to exist.

skribe

(Unassigned)
