Mojang Twitter support advised this is a bug and to post here. I run a bedrock realm where we've been experiencing mass chunk edits, suddenly erased inventory, and a mysterious player who was not invited on an invite only realm. The only thing I know about the mysterious player is that they appear as "cookie", but the players who witnessed them the one time did not capture the full gamertag. Since then, we've experienced cleared inventories and chunk edits but no additional player. Can anyone offer info on what is happening and how to mitigate? Bedrock notoriously has zero logs or control over this sort of thing... thanks in advance!
Comments 6
Understood, I don’t think this is a “bug” either, just following Mojang twitter support recommendation. Determined which user was using the hacked client and banned from realm. Issue can be closed if deemed incorrectly submitted.
Thanks for advising you've fixed it.
I did some research because I have a Realms subscription too and wanted to understand how this stuff works, so let me share some of what I found out.
Each Realms subscription has a unique invite code. Although it consists of random letters and digits, an invite code is not a password. You should control it to keep random people you don't know from joining your Realm (unless that's what you want), but it's not meant to be top secret, and in fact it's visible in most of the invitation methods.
You can view your invite code from your Realms Member settings by clicking the Share Link button. This displays a URL, the last part of which is your invite code. From this same dialog window, you can click Copy to copy the URL to the clipboard, click the Share button (to the right of Copy) to send it in an email to a friend, or just copy it down or read it out to a friend on the phone. There's also a circular arrow Refresh button to the left of the URL that replaces the invite code with a newly generated one. Doing this invalidates the old code, so don't click this button while you're still expecting friends to join whom you sent the old code to (or you can just send them the new code).
The thing is, once you've sent out your invite code, you can't track who has it any more. Maybe one of your friends turns out to be a jerk who griefs your realm, or gives it to somebody you don't know without your permission. Anybody who has your invite code can join, so you can easily get griefers this way. How do you protect yourself from that? The answer is in three parts:
After your invited members have joined (or you've decided no more are going to join), generate a new invite code as described above. This will invalidate the old code, so nobody else can join using it, and nobody but you will know the new code until you invite them or decide to share it with them another way.
If you don't want anybody coming in without your approval, keep your new code to yourself (don't share it with anybody). Your members will only have the old code, which is no longer valid, so they won't be able to give anybody else a way to get in.
If you want members to be able to invite visitors, let them know the new code so they can give it to the visitor. Make sure "Player permission when joining from invite" is set to Visitor so they won't be able to break anything. When the visit is done, remove the visitor from your Members list and generate a new invite code. (If you don't generate a new code, they'll be able to re-join.)
If you have a member who's causing grief, you can kick them off the server by using the /kick command or you can Remove or Block them using the "-" button on their entry in the Members list.
Kick just punts them out temporarily as kind of a hand slap. They can join again immediately.
Remove kicks them off and cancels their membership in your realm. They move back to your Friends list, and you can Invite them again from there if you want to. Note: If you haven't changed the invite code, they can re-join without an invite.
Block works like Remove but moves them from your Members list to a Blocked list (below it). They remain your friend but your realm no longer appears on their Friends tab in the Joinable Realms list. It may appear in their Joinable Friends list, but they'll be "Unable to connect to realm." If you later want to invite them back, use the Unblock button by their name to put them back into the Friends list. From there you can send them a new invitation.
The above explanation can account for an unwanted player joining your realm, but I don't see how it can explain edited chunks or changes to a player's inventory, and that could well be why whoever you were talking to on Twitter told you it was a bug. Can you elaborate on those issues? Why do you call it an "edited chunk"? Is it markedly different from what an ordinary player can do in the game?
Happy to clarify! We’re not using a realm code or sharing it at all; instead I am manually adding players as “members” to the realm and removing them to block access.  It turns out the griefer had been granted access, but because we do not have any real way of seeing what a player is doing, we did not know “who” it was. The “mysterious” player was either that same griefer who was able to alter how their name displayed, or they were able to invite another player somehow. Â
Edited Chunks we experienced were entire portions of what appeared to be about 16x16x? Â blocks of lava replacing what was not lava seconds before. Â
Cleared Inventory means one moment we had our inventory and hotbar full of what we were working with and the next moment we had nothing, even armor was removed. Â
As I said before, not sure this is a bug, only added this here per Mojang twitter support. This is clearly just a griefer using a hack client, so again, if you’re unable to actually do anything with this you are welcome to close.
The griefer wouldn't even have to have had a hack client, they could clear inventory and fill chunks if they had full access to commands. And even if you didn't give them command access, we had a bug in the earliest 1.16 releases that made it trivially easy to run almost any command. That's probably the bug the Twitter user was thinking about.
So we have, if not THE explanation, at least a plausible one for all the phenomena you reported. I've closed this ticket as Cannot Reproduce since the bug has been fixed and this shouldn't be able to happen again the same way.
Please note that the bug tracker is only for reporting bugs. We are staffed by a fairly small group of community volunteers and we don't have the resources to offer other kinds of support. For advice and mitigations, the place to ask is Community Support (link below).
Quick Links:
📓 Issue Guidelines – 💬 Community Support – 📧 Mojang Support – ✍️ Feedback and Suggestions – 📖 Game Wiki