Website

Please provide a description of your bug or issue with the VRChat website.
Each post should be an individual issue!
Missing permissions check on group public instance creation
There exists a method in which anybody can launch group public instances for any group, even if they do not belong to that group. This was confirmed to be the case with the permission turned off for the "Everyone" role. This does not require any tooling, external programs, direct access to the API, or changes to the VRChat client. This includes groups that are closed and invite-only. The only exception to this is if the member is already banned from the group.

What does this actually mean for you?

Malicious instances could be opened in opposition to a group's values. For example, a group supporting those who have PTSD from war would not want a group public instance opened in a warzone map.

Groups that only open moderated instances by policy could have public unmoderated instances opened on their behalf without approval.

Groups representing staff or brand ambassadors could have public instances opened on their behalf without approval.

I initially informed VRChat of this on 09/11/2024 via the App/Website Security Exploit Report form under ticket #441683. Per the form: "We do not guarantee a response other than the automated "ticket received" notification." And that's all I've gotten. Unfortunately, this means that I have no way of knowing if VRChat is still actively aware of this exploit, if they plan to take ownership, or when a fix is expected.

Precautions you can take as group owners: Monitor your instance lists. Also monitor your audit logs in Settings -> Logs via the group page on the VRChat website.

I have intentionally left out the method, but it is trivial and only a matter of time before others figure it out, if they haven't already. Staff can check the ticket provided for the method.
15 · Bug Report · complete
Moderation events through API not saved or updated
A recent change on the API seems to cause issues properly saving or showing moderations (block, mute, hide avatar). The HTTP request for blocking/muting through the buttons on the website triggers a properly formatted request

{"moderated":" REDACTED ","type":"mute"}

and

{"moderated":" REDACTED ","type":"block"}

and the response seems to indicate that the moderation event was successfully saved earlier already, since the timestamp matches up with when I blocked the user, but reloading the website shows that the user is not blocked or muted and the user also doesn't show up under the blocks & mutes tab.

Edit: In addition to this problem, trying to unblock a user after blocking them through the website doesn't work (the button stays red to indicate the user is blocked, until I reload the page) and the HTTP request/response is

Request URL: https://vrchat.com/api/1/auth/user/unplayermoderate?apiKey=JlE5Jldo5Jibnk5O5hTx6XVqsJu4WJ26&userId= REDACTED
{"moderated":" REDACTED ","type":"block"}
{"error":{"message":"\"User REDACTED not found.\"","status_code":404}}

Edit: Something seems to have caused the list of moderation events to update for me at least once a few hours ago with all the blocks/mutes/hides I did; however, this is still an issue. A friend of mine blocked me to debug this issue and they are no longer able to properly unblock me. When they unblock me, they will show up for a few minutes but then disappear again a few minutes later or when switching/rejoining instances.
1 · complete