Missing permissions check on group public instance creation
tracked
Slone Fallion
There exists a method in which anybody can launch group public instances for any group, even if they do not belong to that group. This was confirmed to be the case with the permission turned off for the "Everyone" role. This does not require any tooling, external programs, direct access to the API, or changes to the VRChat client. This includes groups that are closed and invite-only. The only exception to this is if the member is already banned from the group.
What does this actually mean for you?
- Malicious instances could be opened in opposition to a group's values. For example, a group supporting those who have PTSD from war would not want a group public instance opened in a warzone map.
- Groups that only open moderated instances by policy could have public unmoderated instances opened on their behalf without approval.
- Groups representing staff or brand ambassadors could have public instances opened on their behalf without approval.
I initially informed VRChat of this on 09/11/2024 via the App/Website Security Exploit Report form under ticket #441683. Per the form: "We do not guarantee a response other than the automated "ticket received" notification." And that's all I've gotten. Unfortunately, this means that I have no way of knowing if VRChat is still actively aware of this exploit, if they plan to take ownership, or when a fix is expected.
Precautions you can take as group owners:
Monitor your instance lists. Also monitor your audit logs in Settings -> Logs via the group page on the VRChat website.
I have intentionally left out the method, but it is trivial and only a matter of time before others figure it out, if they haven't already. Staff can check the ticket provided for the method.
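Added example (not part of the original post, and not VRChat's code): a small Python model of the authorization decision the report describes as missing. The group, role and permission names (such as "instance.public.create"), the audit-event shape and the user IDs are all constructed for illustration. It places the reported behaviour (only a ban stops the caller) next to a deny-by-default check that requires membership and an explicit role permission, and includes the audit-log review a group owner would run to spot instance creations by accounts that should never have passed.

```python
"""Hypothetical model of a group-instance authorization check.
Every name, permission string and ID here is constructed for the example;
none of it is VRChat's API or internal code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

PUBLIC_CREATE = "instance.public.create"   # hypothetical permission name


@dataclass
class Group:
    group_id: str
    members: Dict[str, str]                  # user_id -> role name
    role_perms: Dict[str, Set[str]]          # role name -> granted permissions
    banned: Set[str] = field(default_factory=set)


@dataclass
class AuditEvent:
    group_id: str
    actor: str
    action: str                              # e.g. "instance.create"
    world: str
    allowed: bool


def flawed_can_open_public(group: Group, user_id: str) -> bool:
    """Models the behaviour in the report: the only thing that stops a caller
    is a group ban. Membership and role permissions are never consulted, so
    any non-banned account passes, even for closed or invite-only groups."""
    return user_id not in group.banned


def hardened_can_open_public(group: Group, user_id: str) -> bool:
    """Deny-by-default server-side check: (1) no ban, (2) the caller is a
    member, (3) the member's role explicitly grants the permission.
    Non-members are rejected outright, which covers closed and invite-only
    groups without any special case."""
    if user_id in group.banned:
        return False
    role = group.members.get(user_id)
    if role is None:
        return False
    return PUBLIC_CREATE in group.role_perms.get(role, set())


def create_public_instance(group: Group, user_id: str, world: str,
                           log: List[AuditEvent],
                           check: Callable[[Group, str], bool] = hardened_can_open_public) -> bool:
    """Runs the supplied check and records the outcome either way, so denied
    attempts are visible in the group's audit log, not just successes."""
    allowed = check(group, user_id)
    log.append(AuditEvent(group.group_id, user_id, "instance.create", world, allowed))
    return allowed


def suspicious_creations(group: Group, log: List[AuditEvent]) -> List[AuditEvent]:
    """Audit-log review for group owners: successful instance creations whose
    actor would not pass the hardened check (non-member, no permission, or
    banned). Independent of which check the server actually used."""
    return [
        e for e in log
        if e.group_id == group.group_id
        and e.action == "instance.create"
        and e.allowed
        and not hardened_can_open_public(group, e.actor)
    ]


# Constructed sample group: an invite-only style group where only the owner's
# role is allowed to open group public instances.
EXAMPLE_GROUP = Group(
    group_id="grp_example",
    members={"usr_owner": "Owner", "usr_mod": "Moderator", "usr_member": "Member"},
    role_perms={
        "Owner": {PUBLIC_CREATE, "instance.moderate"},
        "Moderator": {"instance.moderate"},
        "Member": set(),
    },
    banned={"usr_banned"},
)


def replay_reported_behaviour() -> List[AuditEvent]:
    """Drives the flawed check with a few callers and returns the log entries
    an owner would flag. Only the outsider should appear: the owner is
    entitled, the plain member is denied by neither check being... no, is
    allowed by the flawed check, so it is flagged too; the banned user is
    denied by both."""
    log: List[AuditEvent] = []
    for user in ("usr_owner", "usr_member", "usr_outsider", "usr_banned"):
        create_public_instance(EXAMPLE_GROUP, user, "wrld_constructed", log,
                               check=flawed_can_open_public)
    return suspicious_creations(EXAMPLE_GROUP, log)


if __name__ == "__main__":
    for event in replay_reported_behaviour():
        print(f"flagged: {event.actor} opened {event.world} in {event.group_id}")
```

With the flawed check, both the plain member (whose role grants nothing) and the outsider get an instance, and both show up in the review; with the hardened check substituted, only "usr_owner" succeeds. The point of logging denied attempts as well is that repeated denials against a closed group are themselves worth a look.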
StormRel
tracked
MondoCat
Yay!
n a k u
This can lead to a lot of issues with official company groups. As of right now, absolutely any account can create an instance under Rebuff Reality, VKet, or Raindance Immersive as examples, and can do whatever they want inside of these instances, which can lead to a negative impact on a group's validity and possibly dissuade advertising-friendly environments. Bumping and spreading for visibility!!