Website

Please provide a description of your bug or issue with the VRChat website.
Each post should be an individual issue!
Missing permissions check on group public instance creation
There exists a method in which anybody can launch group public instances for any group, even if they do not belong to that group. This was confirmed to be the case with the permission turned off for the "Everyone" role. This does not require any tooling, external programs, direct access to the API, or changes to the VRChat client. This includes groups that are closed and invite-only. The only exception to this is if the member is already banned from the group.

What does this actually mean for you?

Malicious instances could be opened in opposition to a group's values. For example, a group supporting those who have PTSD from war would not want a group public instance opened in a warzone map.

Groups that only open moderated instances by policy could have public unmoderated instances opened on their behalf without approval.

Groups representing staff or brand ambassadors could have public instances opened on their behalf without approval.

I initially informed VRChat of this on 09/11/2024 via the App/Website Security Exploit Report form under ticket #441683. Per the form: "We do not guarantee a response other than the automated "ticket received" notification." And that's all I've gotten. Unfortunately, this means that I have no way of knowing if VRChat is still actively aware of this exploit, if they plan to take ownership, or when a fix is expected.

Precautions you can take as group owners: Monitor your instance lists. Also monitor your audit logs in Settings -> Logs via the group page on the VRChat website.

I have intentionally left out the method, but it is trivial and only a matter of time before others figure it out, if they haven't already. Staff can check the ticket provided for the method.
17 · Bug Report · complete
Help Desk article "I can't see anyone's avatars" mistakenly states "users running the Mobile app cannot show (or wear) [Very Poor avatars]"
The following help desk article URL has an incorrect/outdated statement: https://help.vrchat.com/hc/en-us/articles/360062658133-I-can-t-see-anyone-s-avatars

> Very Poor avatars are always performance blocked on VRChat Mobile. At this time, users running the Mobile app cannot show (or wear) them.

This help desk article was last updated more than a year ago, and hasn't been updated since. Formerly it used to be that Very Poor avatars were blocked on mobile completely back in 2024, but this restriction has been since relaxed.

The statement is contrary to actual behavior in-app today (and in the past for a while now) and documented behavior in VRChat Creator documentation, which states Very Poor mobile avatars can be forcefully shown on mobile: https://creators.vrchat.com/avatars/avatar-performance-ranking-system/#mobile-default-performance-rank-blocking

> For example, if a mobile avatar exceeds 20,000 triangles, it's "Very Poor" and users can't see it in VRChat. However, users can forcefully show "Very Poor" avatars by selecting the user and clicking "Show Avatar".

Very Poor mobile avatars can also be worn. Only a few (3? 5?) Very Poor avatars will be shown at a time on mobile platforms currently.

Suggested change: Update the help desk article to remove mentions of wearing Very Poor on mobile, update the article to mention the current restrictions on viewing [X] number of Very Poor avatars on mobile, and include the warning from VRChat Creator documentation about VRChat possibly removing "Very Poor" mobile avatars in the future.
4 · Bug Report · complete
Moderation events through API not saved or updated
A recent change on the API seems to cause issues properly saving or showing moderations (block, mute, hide avatar). The HTTP request for blocking/muting through the buttons on the website triggers a properly formatted request {"moderated":" REDACTED ","type":"mute"} and {"moderated":" REDACTED ","type":"block"} and the response seems to indicate that the moderation event was successfully saved earlier already, since the timestamp matches up with when I blocked the user, but reloading the website shows that the user is not blocked or muted and the user also doesn't show up under the blocks & mutes tab.

Edit: In addition to this problem, trying to unblock a user after blocking them through the website doesn't work (button stays red to indicate the user is blocked (until I reload the page)) and the HTTP request/response is

Request URL: https://vrchat.com/api/1/auth/user/unplayermoderate?apiKey=JlE5Jldo5Jibnk5O5hTx6XVqsJu4WJ26&userId= REDACTED
{"moderated":" REDACTED ","type":"block"}
{"error":{"message":"\"User REDACTED not found.\"","status_code":404}}

Edit: Something seems to have caused the list of moderation events to update for me at least once a few hours ago with all the blocks/mutes/hides I did; however, this is still an issue. A friend of mine blocked me to debug this issue and they are no longer able to properly unblock me. When they unblock me, they will show up for a few minutes but then disappear again a few minutes later or when switching/rejoining instances.
1 · complete