The talk covers the chat reporting system added in Minecraft 1.19.1, and the numerous exploits that we found in it. We'll start with explaining how Minecraft servers are self hosted, and the client is untrusted. Then go into the historical context of the chat reporting system, and why we believe this is the wrong approach over giving server admins better moderation tools. Then we'll get into exploits: - Gaslight, a bug that allowed you to change the context of messages you were reporting. There were 4 iterations of this after Mojang's patches, the latest one still works - Gatekeep, an exploit that abused key expiry to disconnect the entire server. - Girlboss, an exploit that could spy on private message metadata. - Guardian, a way of preventing any context being included if you got reported. This still works. We'll briefly cover Mojangs public response to these exploits too, and some of their claims that don't quite make sense. To end, we'll explain the response and the fallout. Starting with the community response, and talking about other mods that were developed e.g. to disable chat reporting for a server. Then talk about the current state of the system, from the community point of view e.g. how many servers even implement the system. And from the security point of view, as both Gaslight and Guardian are still functioning, and why we don't think they can actually be patched.