Missing permissions check on group public instance creation
tracked
Slone Fallion
There exists a method in which anybody can launch group public instances for any group, even if they do not belong to that group. This was confirmed to be the case with the permission turned off for the "Everyone" role. This does not require any tooling, external programs, direct access to the API, or changes to the VRChat client. This includes groups that are closed and invite-only. The only exception to this is if the member is already banned from the group.
What does this actually mean for you?
- Malicious instances could be opened in opposition to a group's values. For example, a group supporting those who have PTSD from war would not want a group public instance opened in a warzone map.
- Groups that only open moderated instances by policy could have public unmoderated instances opened on their behalf without approval.
- Groups representing staff or brand ambassadors could have public instances opened on their behalf without approval.
I initially informed VRChat of this on 09/11/2024 via the App/Website Security Exploit Report form under ticket #441683. Per the form: "We do not guarantee a response other than the automated "ticket received" notification." And that's all I've gotten. Unfortunately, this means that I have no way of knowing if VRChat is still actively aware of this exploit, if they plan to take ownership, or when a fix is expected.
Precautions you can take as group owners:
Monitor your instance lists. Also monitor your audit logs in Settings -> Logs via the group page on the VRChat website.
I have intentionally left out the method, but it is trivial and only a matter of time before others figure it out, if they haven't already. Staff can check the ticket provided for the method.
StormRel
Merged in a post:
Instance Creation Abuse
ImmortalWhisper
Using a script, you can use the API via the selfinvite API, and it enables you to be able to invite/create instances under any user or group even if you aren't in said group.
WubTheCaptain
> enables you to be able to invite/create instances under any user
Since the introduction of Secure Instances in VRChat 2022.2.2, you still need to be a friend of said user to create Friends+ instances under another user's name. This is intended.
However, that update spoke nothing of Secure Instances for groups, because groups were released in VRChat 2022.4.2, months later.
WubTheCaptain
That said, ever since instance naming became a thing in VRChat 2025.3.3 and instance reporting also became a thing (mainly for instance names), this has opened a new vector of abuse (which may make those friends or groups liable involuntarily for inappropriate instance titles and worlds).
WubTheCaptain
Unlocked links for invites are a feature, but I'm not sure it's intended that anyone can create group+ instances for groups:
- While not being a member of the group, inviting self to create a group+ instance fails with an error message ("Aw jeez gosh dang! 🤔", "If the instance exists‚ you're not allowed to access it․"), but creates an entry in the group's logs;
- While being a member of the group, but without permissions to create instances, creating a group+ instance via the invite API works (in a group owned by my friend), bypassing the need for membership permissions to create the instances directly.
TESTGR.6291 grp_3803f1fc-7a74-4c0c-bf73-3e92bae253da
WubTheCaptain
This also works for group public instances, without being a member in that group (with create instances permissions removed from members & everyone). All one needs is a group ID and a world ID; group public links are unlocked. For clarification, a shortname isn't required, because an unlocked invite link can be manually constructed (without a nonce or a shortlink).
WubTheCaptain
You also don't need to be a friend of the group owner to create group public instances of arbitrary groups, such as VRChat Team (VRCHAT.0000).
(I dropped this portal to a world that's set private and low traffic.)
StormRel
marked this post as tracked
MondoCat
Yay!
n a k u
This can lead to a lot of issues with official company groups. As of right now, absolutely any account can create an instance under Rebuff Reality, VKet, or Raindance Immersive as examples, and can do whatever they want inside of these instances, which can lead to a negative impact on a group's validity and possibly dissuade advertising-friendly environments. Bumping and spreading for visibility!!