06.06.2026 –, ZKM Medientheater Sprache: English
Minecraft servers have always been decentralised, but in 2022 Mojang attempted to roll out a chat reporting system. Without the ability to trust either the client or the server, this turned out to be very difficult to get right. Over the next 6 months, we were in a cycle of Mojang releasing an update, and me dropping a zero day. In all we dropped 7 exploits, and there were a couple more found by others.
This talk covers the context behind the system, how the exploits worked, how Mojang tried to patch them, the community response, and why the system is still broken today.
The talk covers the chat reporting system added in Minecraft 1.19.1, and the numerous exploits that I found in it as part of nodus.gg. I'll start with explaining how Minecraft servers are self hosted, and the client is untrusted. Then go into the historical context of the chat reporting system, and why I believe this is the wrong approach over giving server admins better moderation tools. Then I'll get into exploits:
- Gaslight, a bug that allowed you to change the context of messages you were reporting. There were 4 iterations of this after Mojang's patches, the latest one still aorks
- Gatekeep, an exploit that abused key expiry to disconnect the entire server.
- Girlboss, an exploit that could spy on private message metadata.
- Guardian, a way of preventing any context being included if you got reported. This still works.
I'll briefly cover Mojangs public response to these exploits too, and some of their claims that don't quite make sense.
To end, I'll explain the response and the fallout. Starting with the community response, and talking about other mods that were developed e.g. to disable chat reporting for a server. Then talk about the current state of the system, from the community point of view e.g. how many servers even implement the system. And from the security point of view, as both Gaslight and Guardian are still functioning, and why we don't think they can actually be patched.
