Invalid users manipulating objects and hearing conversations without physical appearance or showing in the players list.
Sotalo
There are issues with trolls loading into a world with an avatar that VRChat's logs report like this:
Error - [AssetBundleDownloadManager] Avatar 'avtr_becb0302-64b5-47b3-ab0d-2a0dcbdef294' did not pass initial checks and won't be downloaded: AssetBundleBadPerformance
The users are in the world able to listen in on conversations and manipulate objects like the image loader, but have no physical presence in the userlist for any active moderation. VRChat should not permit any user in a world with an invalid avatar like this. At the moment since their names and avatars are getting logged, I'm seeing if there are anti-troll measures that can be taken against such users and logging/reporting more verbose information. But to prevent them from actually causing harm in the world, I'd need to work with world creators to develop our own anti-troll systems to ensure such malicious hackers do not interrupt events. In this case, they disrespected people sharing stories about their loved ones who passed away during Dia de Muertos. That was disrespectful to the highest degree and they have been banned from the group. I've already reported the user and sent all my info to VRChat's ToS team for investigation so they do not cause harm to anyone else.
This isn't just a bug, this is a significant security risk.
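For moderators who want to triage these events from their own client logs, the following is an added example (not part of the original post and not VRChat tooling) that extracts the rejection message quoted above and groups it by avatar ID. The leading timestamp format, the second avatar ID and all sample lines other than the message text itself are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the message quoted in the post. The optional leading timestamp
# is an assumption about how the line appears in the log file.
REJECT_RE = re.compile(
    r"^(?:(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2})\s+)?"
    r"Error\s+-\s+\[AssetBundleDownloadManager\] Avatar "
    r"'(?P<avatar>avtr_[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})' "
    r"did not pass initial checks and won't be downloaded: (?P<reason>\w+)\s*$"
)

def rejected_avatars(lines):
    """Group rejection events by avatar ID (first/last are in file order)."""
    report = defaultdict(
        lambda: {"count": 0, "reasons": set(), "first": None, "last": None})
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        entry = report[m["avatar"]]
        entry["count"] += 1
        entry["reasons"].add(m["reason"])
        if m["ts"]:
            entry["first"] = entry["first"] or m["ts"]
            entry["last"] = m["ts"]
    return dict(report)

# Constructed sample input: only the message text comes from the post.
MSG = ("Error      -  [AssetBundleDownloadManager] Avatar '{}' did not pass "
       "initial checks and won't be downloaded: AssetBundleBadPerformance")
SEEN = "avtr_becb0302-64b5-47b3-ab0d-2a0dcbdef294"      # ID quoted in the post
OTHER = "avtr_00000000-0000-4000-8000-000000000001"     # constructed placeholder
SAMPLE_LOG = [
    MSG.format(SEEN),                                   # no timestamp, as quoted
    "2000.01.01 20:00:00 " + MSG.format(SEEN),
    "2000.01.01 20:05:30 " + MSG.format(SEEN),
    "2000.01.01 20:06:00 " + MSG.format(OTHER),
    "2000.01.01 20:07:00 Log        -  unrelated line",
]

if __name__ == "__main__":
    for avatar, info in rejected_avatars(SAMPLE_LOG).items():
        print(avatar, info["count"], sorted(info["reasons"]),
              info["first"], info["last"])
```

The output only shows which avatar IDs the local client refused to download and when; it does not by itself identify which user in the instance was wearing them.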
akki~
This problem is much deeper than "an invalid avatar".
They bypass EAC and use modified clients to spoof or hide their presence, and they can do pretty much anything with objects in your world and unprotected udon code. Reporting them is meaningless, they just change their HWID, clean vrchat files and create a new account.
You can spend countless hours to create your own anticheat systems with insane checks at every step, but there's a limit to what you can do due to udon's limitations and VRChat's TOS. Even then, if dedicated, they will still find a way to bypass it.
It's just simply not possible to prevent cheating, especially due to the nature of VRChat's networking system. Unless VRChat switches to host all of the networking on their servers, abandoning the system of instance master and object ownership, it's gonna continue. I don't think they have resources for that though, so it will stay like that for a long time I assume.
Sotalo
akki~ This is a horrifying prospect. VRChat has control over the entire SDK, plus there should be some recommendations and tools to help world creators.
- Deject users from interacting with any Udon behaviors if the user ID, avatar mesh, and names don't appear valid in the instance, and auto-report them. There are so many player lists and areas for verification, the methods and means to spoof should be easy to identify.
- Recommend creators publicly report the usernames of items being interacted with, and report those in debug logging. If an "invalid" user interacts with an object, people in the instance can see that, and the script should report it. Or better yet, find the actual user ID, something traceable, and put that on public record.
Creators have some power, but VRChat should be able to do something. If VRChat can send me a log file of an invalid user's avatar and username and a creator can send me the exact URL links they used, there's so much more they can do to identify, report, and revoke those users.
akki~
Sotalo Because they use modified clients they can simply disable these verifications, and because every script in the instance runs locally and basically trusts the user, it can be cheated.
For example, they can spoof their username locally to yours, and get access to your admin panel. It can't be made safe unless that logic runs exclusively on an external server, that's what I meant.