MCPE-161651Exploitable target selector in /w /msg /tell commands
Exploit Information
When a player without operator permissions uses the following commands:
- /msg
- /tell
- /w
They can utilize the command's @ target selector to expose information about an other player and about the world (which tags, scoreboards it has and IDs of custom items you may have added trough Addons).
Problems with it
- With the following world information about the tags and scoreboards, they can use external clients to place in an NPC or command block minecart in to the world with a command that can give them the following tag or give others a certain tag that that world uses to ban players or to grant them staff permission in the world. Or maybe set the currency system the world owner has set in that world using scoreboards out of order.
/tag <PlayerName> add Staff
/scoreboard players add <PlayerName> money 99999999
- They can as well use target selectors like:
r, rm, x, y, z, dx, dy, dz
To obtain the location of other players in the world.
Note: There is a similar bug report at MC-130664 but that one is for Minecraft Java Edition and this is a Minecraft Bedrock Edition bug
2022-08-28, 01:34 PM
2023-07-11, 12:33 PM
2023-07-11, 12:33 PM
0
1
-