Split screen allows non-whitelisted players to join
I've marked this as private because I'm not sure how publicly known this is, and it is a serious security flaw in BDS.
When connected to a server which is locked down with a whitelist, as long as the first account joining the server is whitelisted, anyone else on the console can join via split screen.
Steps to reproduce:
- Create a local BDS instance on your home network. Enable the whitelist.
- Whitelist 1 account.
- Log in to the whitelisted account on Xbox/PlayStation.
- Connect to the server.
- Activate split screen mode using a non-whitelisted account.
Expected result:
Console should show error that non-whitelisted account cannot join the server.
Actual result:
Non-whitelisted account can play on the server. There is no console log of the second account joining the server, but it does show the second account leaving.
Environment
Xbox, PlayStation
History
Resolution: Unresolved → Awaiting Response
Resolution: Awaiting Response → Unresolved
Resolution: Unresolved → Awaiting Response
Resolution: Awaiting Response → Unresolved
Added affects versions: 1.19.31 Hotfix
Confirmation Status: Unconfirmed → Plausible
Added relates to link: REALMS-10097 "Banned players can join with split screen in realms" (Incomplete)
Added affects versions: 1.19.41
Added affects versions: 1.19.50
Added affects versions: 1.19.73
Resolution: Unresolved → Awaiting Response
Added affects versions: 1.19.83 Hotfix, 1.19.81 Hotfix, 1.19.80
Resolution: Awaiting Response → Unresolved
Added affects versions: 1.20.0
Added relates to link: MCPE-174284 "Split-screen allows players to impersonate others on Realms and servers" (Plausible)
Resolution: Unresolved → Awaiting Response

Hi
Does this issue still occur after updating to 1.19.10?
This ticket will automatically reopen when you reply.
Can confirm this is still happening in 1.19.20 as per this screenshot of my console. Brand new server, only whitelisted myself. You can see me connecting, and then I split screen the second account, which you can see disconnect but not join.
Hi
Can it be reproduced every time? Does it occur on 1.19.22?
This ticket will automatically reopen when you reply.
Can confirm it is still present in 1.19.22, exact same steps. I even attempted to join via console on the account that wasn't on the allowlist, got "You are not invited to play on this server" as expected, but then joined with the account that is on the allowlist, and the not allowed account could then split screen. This is a console-specific bug where Xbox or PlayStation players can bypass an allowlist to join servers.
I do realise joining 3rd party non-networked servers via console isn't officially supported, but everyone knows there are ways to do so and this just forms a massive security risk for griefers and trolls.
Updated to include latest release. Still happens, however console logging can now show these players joining with the "X spawned" line that's now appearing.
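For server operators who want to check their own logs for this, the following added example (not part of the ticket and not BDS code) flags the two symptoms reported above: a disconnect with no earlier connect, and any player event for a name that is not on the allowlist. The log line shapes, the sample log and the account names are constructed assumptions; adjust the pattern to what your server actually prints.

```python
import re

# Assumed line shapes (not taken from the ticket); adapt to your server's output.
EVENT = re.compile(
    r"Player (?P<kind>connected|disconnected|spawned): "
    r"(?P<name>[^,]+?)(?:,| xuid:|$)",
    re.IGNORECASE,
)

# Constructed sample: HostAccount is allowlisted, CouchGuest joins via split screen.
SAMPLE_LOG = """\
[2023-06-10 18:00:01:100 INFO] Player connected: HostAccount, xuid: 1000000000000001
[2023-06-10 18:00:05:200 INFO] Player Spawned: HostAccount xuid: 1000000000000001
[2023-06-10 18:02:11:300 INFO] Player Spawned: CouchGuest xuid: 1000000000000002
[2023-06-10 18:30:40:400 INFO] Player disconnected: CouchGuest, xuid: 1000000000000002
[2023-06-10 18:31:02:500 INFO] Player disconnected: HostAccount, xuid: 1000000000000001
""".splitlines()


def audit(log_lines, allowlist):
    """Return (line number, player name, reason) for each suspicious event."""
    allowed = {name.casefold() for name in allowlist}
    online = set()  # names with a logged connect and no disconnect yet
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        match = EVENT.search(line)
        if not match:
            continue
        kind = match["kind"].lower()
        name = match["name"].strip()
        key = name.casefold()
        if kind == "connected":
            online.add(key)
        elif kind == "disconnected":
            # Symptom from the report: the guest is seen leaving but never joining.
            if key not in online:
                findings.append((lineno, name, "disconnect without connect"))
            online.discard(key)
        # Any event for a name outside the allowlist means enforcement was bypassed.
        if key not in allowed:
            findings.append((lineno, name, f"{kind} but not on allowlist"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, {"HostAccount"}):
        print(finding)
```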
Hi
Can you upload a screenshot of the console log with the new information?
This issue will automatically reopen when you reply.
Is this still an issue in the latest release?