Missing permissions check on group public instance creation. Part 2.
tracked
Slone Fallion
Following up on this completed Canny and developer update from last month, the issue isn't fully resolved. Group members with the "Create
Members-Only
Group Instances" permission do not see the ability to make group public instances in the VRChat client, but they can still make group public instances and invite themselves by manually crafting a public instance link in the browser.
Current mitigation until VRChat resolves the issue: Don't allow group members to open Group instances. Enabling Group+ instance creation does not allow the exploit.
The last exploit was left open for over a year. I hope this one won't see the same treatment. I'd really like to allow our group members to create their own group instances without the risk of having unauthorized public instances opened.
Thank you to our community member Joakorex for bringing this to our attention. <3
Photo Viewer
View photos in a modal
Log In
Slone Fallion
Hey! Just a reminder that my group members have been forced to make Group+ instead of Group instances for three months now, due to the serious security vulnerability addressed above. With the recent survey on using groups as a funds proxy for VRChat via boosts, it's not a great look to just leave glaring security issues like this open and then look to squeeze money out of the groups that are supporting the platform.
StormRel
updated the status to
tracked