Website

There exists a method in which anybody can launch group public instances for any group, even if they do not belong to that group. This was confirmed to be the case with the permission turned off for the "Everyone" role. This does not require any tooling, external programs, direct access to the API, or changes to the VRChat client. This includes groups that are closed and invite-only. The only exception to this is if the member is already banned from the group. What does this actually mean for you? Malicious instances could be opened in opposition to a group's values. For example, a group supporting those who have PTSD from war would not want a group public instance opened in a warzone map. Groups that only open moderated instances by policy could have public unmoderated instances opened on their behalf without approval. Groups representing staff or brand ambassadors could have public instances opened on their behalf without approval. I initially informed VRChat of this on 09/11/2024 via the App/Website Security Exploit Report form under ticket #441683. Per the form: "We do not guarantee a response other than the automated "ticket received" notification." And that's all I've gotten. Unfortunately, this means that I have no way of knowing if VRChat is still actively aware of this exploit, if they plan to take ownership, or when a fix is expected. Precautions you can take as group owners: Monitor your instance lists. Also monitor your audit logs in Settings -> Logs via the group page on the VRChat website. I have intentionally left out the method, but it is trivial and only a matter of time before others figure it out, if they haven't already. Staff can check the ticket provided for the method.

Even if I click on the joinfriend tab, it doesn't display for a long time When I run it with Devtools, I can see the following error: "error": { "message": "User usr_******************* not Found", "status_code": 404 Is this my responsibility? A support request has been submitted for this.

I changed the email address of my VRCHAT account and also changed the email address of my forum account, but the forum account shows that Associated Accounts I linked is still my old email address.

The website currently has the option to delete PC and Quest versions of a world independently from one another, I think avatars should be given this same option. I think it would also be nice to have the ability to remove specific Unity versions of worlds and avatars, if multiple exist under that blueprint ID.

It’s just impossible to use the Website on Safari for iOS. What the heck? If it helps, I’m on iOS 18.0 and I also have the VRChat Closed Beta App installed on my device. See Video proof: https://youtube.com/shorts/dsDyGoR3rgk?si=aImUO1jC6ZtRqtG_

Go to the website home page and count your online friends in the wing. Scroll down in the wing till the first time the scrollbar changes size (loading more entries) Scroll back up to the top. Observe that there are roughly double the number of friends online than when first observed. There doesn't seem to be any pattern as to which friends don't show up other than that it doesn't affect friends where their current instance is visible. It's been an issue since the "online on other platforms" update.

When submitting tickets, a ticket number is created along with a link to view follow-ups and the content of the submitted ticket. Users are supposed to log into the website to access their tickets, but they are always redirected to https://help.vrchat.com/hc/en-us without a chance to log in and view their tickets. Additionally, a copy of the ticket should be sent to the user's inbox in the email that confirms receipt of the ticket. This would make it much easier to create report tickets for repeat offenders without having to remember every detail each time. I believe fixing this system would help users who aim to improve the platform by reporting bad actors or groups, benefiting both the platform and its users.

It's a bit of a pain to have to go to an external image editor to resize images below the resolution limit. Wouldn't it be nice if the website just went ahead and did that for us?

Right now, if I can remember voting on a canny post, but I can't remember which board it was in, I have to click through them one at a time to view 'my own' in each one individually. It would be nice if there was somewhere to see them all in a single list.

Currently the only way to see the instance owner is to click "open instance", copy the user id from the address bar, and paste it at the end of a vrchat.com/home/user/ ... url. There is no reason why this should be so obtuse. Meanwhile in-game the instance owner is easily visible (even more so than the world creator).