"Whisper Tracking" and similar chat related exploits

Any player with Member level permissions can use any selector argument when cheats are enabled. This can be easily abused by using the whisper commands to view things like a player's position, their inventory, their ender chest, the potion effects they have, the position they're facing, their pitch and yaw. This exploit can be used almost anywhere, from worlds to realms and maybe even most Minecraft Bedrock Dedicated Servers (BDS), and it has existed for many years and has been abused on many different realms in the past and is still being used actively today to ruin active survival multiplayer servers and realms.

 

Whisper Tracking can be done by typing "/w @s" then you must specify either a specific player with their username or all players with @a. The @s is optional but is more commonly used so that you whisper to yourself and the player you are tracking cannot see your whispers, to keep it hidden. Then you type in coordinates to specify the origin of the tracking, or don't specify coordinates and it will track from your current position. For example, if you type "/w @s @a[x=1000,z=2000]" it will track from the coordinates X 1000 and Z 2000, to complete the command you must specify a radius to track from, like this "/w @s @a[x=0,z=0,r=5000]". This command will check for players 5000 blocks from 0,0. Specifying the origin is fully optional, you may type the command like so and track from yourself "/w @s @a[r=100]" this will check a 100 block radius from the block you are standing on for other players. If there are players in the range, the whisper will be sent back to you with that player's username,"VersedRhyme41 whispered to you: VersedRhyme41, deskstew" if there are no players it will just say "VersedRhyme41 has whispered to you: VersedRhyme41" I am using my username as an example for this.

 

This command can also be used to check if a player has an item in their inventory or ender chest, to check a player's inventory for an item you will type the whisper command like normal, but instead of checking for a radius you type [hasitem=

{item=tnt}], as I have shown in the YouTube video I will link to this at 17:40. To do this, you type "/w @s @a[hasitem={item=tnt}

]" this will send back the player's name if they have TNT in their inventory, as it does when you check for players within a radius. Obviously you can replace "tnt" with any item name to check if a player has that item, like "netherite_sword" for example. The command to check ender chests is similar although I do not have it, the same goes for potion effects, camera rotation, pitch, and yaw, and everything else I have previously mentioned above. I would also like to note that these exploits can be done on any device with a way to type a command into chat.

 

Not that much can be done about it, there are also communities out there who are programming scripts to automate these exploits and make them easier for people to use, I unfortunately cannot show these scripts as I don't have any in my possession but I have proof of somebody using a script for a new tracking exploit that involves having the ability to view the coordinates of any previously loaded bed position and the player(s) connected to those beds. Like the other exploits, this does not require operator permissions or commands.

Here is proof of one of these scripts in action, I unfortunately also do not know how the bed position exploit is done but I can say it is somehow calculated on the client side of the game, and I would be very happy if somebody could look into it.

Here is the private video proof of the "Whisper Tracking" method, thank you for reading this report I hope you guys can do something about any of these exploits.

https://www.youtube.com/watch?v=FE7k1gYz7PU