Mojira Archive
BDS-16784

Hackers Bypassing Whitelists on Bedrock Dedicated Servers

Dear Mojang Bug Tracker Staff,

I know that you do not usually deal with private server reports, but I believe that this might be an exploit within the Bedrock Dedicated Server software. A few weeks ago, I had an incident where a hacker joined my whitelisted server and proceeded to do the following:

Created a ticking area at spawn

Filled all players' inventories with education edition borders that cannot be removed on death or removed from inventories

Constantly played the totem animation on the screen every tick, causing anyone who joined to lag out

A weird entity that could not be /killed was also summoned in. It did not have an entity shadow, but we were not able to place blocks on its location.

I was able to fix these issues by disabling command blocks on my server and clearing my members' inventories. However, I was unable to find any command blocks that were loaded if this was the mechanism that caused these issues. Now this is not the main issue: the bypassing of the whitelist is.

My server is hosted on Shockbyte. I will put more information about it down below.

I talked with many of my Discord friends and fellow server owners. Two of them also were raided in a similar manner. Both were also whitelisted. Now, I have brought this issue up with Shockbyte's support team but they were unable to find any issues. I do not believe that this is an issue with the server host as one of my friends who uses a different server host was also raided in a similar manner. There were no unusual reports in my console. This will be linked below.

Any help diagnosing this issue, whether it is something I failed to do, or whether it is something with the server software, would be appreciated.

I could not find my console log of the event; however, I saw nothing unusual in there.

I hope this information is useful. If not, let me know what I should provide.

Attachments (3)

Comments (5)

I have also confirmed in server.properties that online mode is on.

MEQS_KEEP_PRIVATE

Hi

Does this issue still occur after updating to 1.19.10?

This ticket will automatically reopen when you reply.

I have no confirmed cases of hackers bypassing the server whitelist as of the latest version. For now please close this.

Closing as per comment above. 

History (3)

Maciej Piornik
[Bot] Arisa
Maciej Piornik
Cannot Reproduce
David Creen
0
1
Unconfirmed
1.18.12 Hotfix