adrian154 / blog

My blog.
https://blog.bithole.dev
MIT License

A Deep Dive into Minecraft 1.19.1's Report System #11

Open utterances-bot opened 2 years ago

utterances-bot commented 2 years ago

A Deep Dive into Minecraft 1.19.1's Report System

The Minecraft community has been awash with conversations about the new global reporting system. In this post, I try to clear up common misconceptions and provide some technical insights into how it works.

https://blog.bithole.dev/mc-report.html

TheOnlyWayUp commented 2 years ago

Great read. Well explained and thoroughly researched, ty :)

ArhanChaudhary commented 2 years ago

i agree this is a great blog adrian i like the blog adrian this is a thoroughly researched blog adrian really like reading this blog and how adrian wrote the blog

bruno-gm commented 2 years ago

Nice paper. Thank you for this great analysis. I fully agree with you. In my first opinion, I was thinking that whatever system is delivered, only usage makes it bad (what users will do with it), but the centralization of the rule « cannot connect because being reported/banned » is indeed the main issue. Server operators should have the choice to accept banned users or not at their discretion. In this case, the report system is a good protection feature for all other operators who prefer using this feature to protect their users.

bluebear94 commented 2 years ago

Can the UUID of the reporting player be falsified? If so, then a malicious user could send false reports pretending to be another player in an attempt to get them punished for abusing the report system or to hamper the moderation team without repercussions to their own account.

adrian154 commented 2 years ago

Mojang can detect falsified UUIDs because the signature would not be valid.

bluebear94 commented 2 years ago

As far as I can tell, only the chat messages in the report are signed, not the other fields such as id.

bluebear94 commented 2 years ago

Ah, I’ve read over the relevant section again. Since the reports are submitted using an authentication token, that should eliminate the possibility of successfully faking the sender UUID.

ethanent commented 2 years ago

The client shouldn't be able to cherry-pick messages (and even rearrange messages sent within the same second?) to send, and Mojang could have prevented this by having the server sign the messages array at the client's request, after ensuring it aligns with the chat as the server sees it.
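
The server-side countersigning suggested in the last comment, sketched as an added example; it is not code from the blog post, from Mojang, or from any commenter. Assumptions: HMAC-SHA256 with a constructed key stands in for the server's signature, "aligns with the chat as the server sees it" is taken to mean an unbroken, in-order run of the server's log, and every name and sample message is constructed.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 with a constructed key stands in for the server's
# signature; a real deployment would use an asymmetric key the verifier trusts.
SERVER_KEY = b"constructed-demo-key"

# Constructed sample: the chat as the server saw it, in order.
SERVER_LOG = [
    {"seq": 1, "sender": "alice", "text": "you always say"},
    {"seq": 2, "sender": "alice", "text": "that I should quit"},
    {"seq": 3, "sender": "bob", "text": "I never said that"},
    {"seq": 4, "sender": "alice", "text": "ok, my mistake"},
]


def canonical(messages):
    """Serialize the array deterministically; list order is part of the bytes."""
    return json.dumps(messages, sort_keys=True, separators=(",", ":")).encode()


def is_contiguous_slice(messages, log):
    """True only if messages is an unbroken, in-order run of the server log."""
    n = len(messages)
    return n > 0 and any(log[i:i + n] == messages for i in range(len(log) - n + 1))


def server_sign(messages, log=SERVER_LOG, key=SERVER_KEY):
    """Sign the array only if it matches the server's view; otherwise refuse."""
    if not is_contiguous_slice(messages, log):
        return None
    return hmac.new(key, canonical(messages), hashlib.sha256).hexdigest()


def verify_report(messages, tag, key=SERVER_KEY):
    """Reviewer side: accept the array only with a valid server tag."""
    if tag is None:
        return False
    expected = hmac.new(key, canonical(messages), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)
```

Because the tag covers the serialized array as a whole, dropping or reordering entries after signing invalidates it, and the server refuses to sign an array with gaps in the first place.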