Friends+ instances are still not secure due to world listing API endpoint
closed
GotoFinal
People can still join Friends+ instances by sending a request to an endpoint like:
(and you can easily use the worlds endpoint to search for active and popular worlds, or just find it by name)
Then you can see a list of instances including Friends+ ones, so even without modifying the game you can just select a random one and join it using Steam run options or just the command line.
Also the instance ID exposes the owner's user ID, so that can be used to find the instance of a selected user, like a streamer, and troll him.
Also it can be used just to check where someone is even if you don't have the given person in your friends list.
This should be quickly fixed...
Tupper - VRChat Head of Community
closed
Closing due to age, please make a new post if it is still relevant.
Beanow
It seems like this was fixed; does it seem that way for anyone else?
owlboy
Beanow: Yeah, the website does not seem to be leaking Friends/Friends+ Instance info anymore.
Tupper - VRChat Head of Community
As it stands, Friends+ (and Friends) instances should be considered essentially Public when it comes to security. If you need a truly private instance, we suggest using Invite/Invite+ instances.
owlboy
Tupper - VRChat Head of Community: Does considering it essentially public extend to unwanted people infiltrating the instance? What does this mean about moderation reports of such activity? Will the reports be acted upon?
PhaxeNor
I emailed them about this earlier and got this reply: https://i.imgur.com/HYAO5op.jpg
So it will be fixed eventually, but there's no ETA.
GotoFinal
PhaxeNor: so they are, like always, waiting until something "bad" happens before they do anything...
PhaxeNor
GotoFinal: Just share this with streamers and I am sure they will patch it fast.
Beanow
PhaxeNor: My guess is this is taking longer because it has a performance impact on the APIs. Particularly for Friends+ it needs to only filter instances where you're not friends with anyone. Meaning they need to take your friends list and the users in the instance into account.
But yes, this is easy to "exploit": finding Friends+ instances, checking who's in them and joining the world. Child's play.
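The server-side visibility filter Beanow describes (list a Friends+ instance only when the requester is friends with someone present), with GotoFinal's stricter "public only" alternative alongside it, as an added illustration that is not VRChat's code. The instance ID format, the access-type names and the sample users are constructed for the example; the real API's fields and rules are not on this page.

```python
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Instance:
    """One running instance as the listing endpoint would see it (constructed shape)."""
    world_id: str
    instance_id: str          # constructed format: "<number>~<access>(<owner_id>)"
    access: str               # "public", "friends+", "friends" or "invite"
    owner_id: str
    members: FrozenSet[str]   # user IDs currently present


def is_visible(inst: Instance, requester_id: str, friends: FrozenSet[str]) -> bool:
    """Decide whether `requester_id` may see `inst` in a listing.

    Assumed policy (modelled on the thread, not a documented rule):
      - public instances are always listed
      - the owner and anyone already inside can see their own instance
      - friends+ is listed only if someone present (owner included) is a friend
      - friends is listed only if the owner is a friend
      - invite-type instances are never listed
    """
    if inst.access == "public":
        return True
    if inst.owner_id == requester_id or requester_id in inst.members:
        return True
    if inst.access == "friends+":
        present = inst.members | {inst.owner_id}
        return not friends.isdisjoint(present)
    if inst.access == "friends":
        return inst.owner_id in friends
    return False


def list_instances(instances: List[Instance], requester_id: str,
                   friends: FrozenSet[str]) -> List[str]:
    """Filtered listing: only instance IDs the requester is allowed to see."""
    return [i.instance_id for i in instances if is_visible(i, requester_id, friends)]


def list_public_only(instances: List[Instance]) -> List[str]:
    """GotoFinal's alternative: never list anything but public instances.
    Cheaper (no friends-list lookup per instance) and leaks nothing."""
    return [i.instance_id for i in instances if i.access == "public"]


# Constructed sample data for one world.
SAMPLE_INSTANCES = [
    Instance("wrld_demo", "12345~public(usr_a)",   "public",   "usr_a", frozenset({"usr_b"})),
    Instance("wrld_demo", "23456~friends+(usr_c)", "friends+", "usr_c", frozenset({"usr_d"})),
    Instance("wrld_demo", "34567~friends+(usr_e)", "friends+", "usr_e", frozenset({"usr_f"})),
    Instance("wrld_demo", "45678~friends(usr_c)",  "friends",  "usr_c", frozenset()),
    Instance("wrld_demo", "56789~invite(usr_g)",   "invite",   "usr_g", frozenset()),
]

if __name__ == "__main__":
    # A stranger who is friends only with usr_d sees the public instance and the
    # friends+ one usr_d is in; the other friends+ instance stays hidden.
    print(list_instances(SAMPLE_INSTANCES, "usr_me", frozenset({"usr_d"})))
    print(list_public_only(SAMPLE_INSTANCES))
```

The cost Beanow points at is visible in `is_visible`: every non-public instance needs the requester's friends list intersected with the instance's member set, which is why the public-only listing is the cheaper fix.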
GotoFinal
Beanow: Then it would be better to not list them at all; it should only show public instances. If you want to join a friend you would use the friends menu anyway.
Beanow
GotoFinal: I get the need to rant, but you're preaching to the choir :]