The suggest_command action can be used to trick players into sending incriminating messages
The bug
Malicious servers can use mandatory resource packs together with /tellraw commands that use the suggest_command action to trick players into sending messages that contain objectionable content. Below I provide a resource pack and a data pack that demonstrate this issue. The resource pack uses negative font spacing to hide the objectionable content inside of the suggested command from the data pack. To the player, the message looks normal.
To reproduce
- Place the resource pack in your resource packs folder and enable it: Hide Parenthetical Text.zip

- Place the data pack in your datapacks folder: Malicious Suggested Command.zip

- Run the command: /function mal_sug_cmd:display_tellraw
- Click the green text in chat.
- Type and send your message. Observe that everything looks normal.
- Check the log. The message you actually sent contains harmful content you didn't see when you sent it.
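
A defender-side check for the pattern described above, as an added example that is not part of the original report or its attached packs: it scans a font definition for glyphs with negative advances and a /tellraw component for suggest_command values that use those glyphs or pre-fill a plain chat message. It assumes the pack hides text through a `space` font provider with an `advances` map; the function names, sample font and sample component are constructed for illustration.

```python
import json

def negative_advances(font_json):
    """Return {char: advance} for glyphs a 'space' provider gives a negative advance."""
    found = {}
    for provider in json.loads(font_json).get("providers", []):
        if provider.get("type") == "space":  # assumption: hiding is done with this provider type
            for ch, adv in provider.get("advances", {}).items():
                if adv < 0:
                    found[ch] = adv
    return found

def suggested_texts(component):
    """Yield every suggest_command value in a /tellraw JSON text component tree."""
    if isinstance(component, list):
        for part in component:
            yield from suggested_texts(part)
    elif isinstance(component, dict):
        click = component.get("clickEvent", {})
        if isinstance(click, dict) and click.get("action") == "suggest_command":
            yield str(click.get("value", ""))
        for key in ("extra", "with"):  # nested child components
            yield from suggested_texts(component.get(key, []))

def audit(font_json, tellraw_json):
    """Flag suggestions that pre-fill a chat message or contain negative-advance glyphs."""
    shifted = negative_advances(font_json)
    findings = []
    for text in suggested_texts(json.loads(tellraw_json)):
        reasons = []
        if not text.startswith("/"):
            reasons.append("prefills-chat-message")
        if any(ch in shifted for ch in text):
            reasons.append("uses-negative-advance-glyphs")
        if reasons:
            findings.append((text, reasons))
    return findings

# Constructed sample data, not taken from the attached packs.
SAMPLE_FONT = '{"providers": [{"type": "space", "advances": {"\\ue000": -4, " ": 4}}]}'
SAMPLE_TELLRAW = json.dumps([
    {"text": "Click to say hi", "color": "green",
     "clickEvent": {"action": "suggest_command", "value": "hi \ue000 there"}},
    {"text": " or ", "extra": [
        {"text": "get help", "clickEvent": {"action": "suggest_command", "value": "/help"}}]},
])

if __name__ == "__main__":
    for text, reasons in audit(SAMPLE_FONT, SAMPLE_TELLRAW):
        print(repr(text), reasons)
```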

2022-07-23, 01:58 AM
2022-07-25, 02:49 PM