Disabling of Crackshot

Please Note: The TotalFreedom Forum has now been put into a read-only mode. Total Freedom has now closed down and will not be returning in any way, shape or form. It has been a pleasure to lead this community and I wish you all the best for your futures.
  • Plugin Name
    Crackshot
    Server Name
    Freedom-01
    Reason for disabling the plugin
    In recent days, players have discovered that they can fill another player's chat using a booby-trap notification feature of the plugin. As time has passed the exploit has become more efficient as players have had time to use it. We're talking thousands of messages being sent to one person's chat per second, and a player mentioned he had found a way to hide his username from the chat notification. The feature was being used more frequently and to a higher degree so I decided to disable the plugin this evening.
    Justification for believing this plugin is the root cause
    It is a feature of the plugin.
    Date & Time of the plugin being disabled
    24/08/21 22:50 UTC

    Patrolling the Mojave almost makes you wish for a nuclear winter.

  • Yeah... I was able to both activate the item anonymously, and use it to target players who haven't even used the item through editing nbt. We should probably remove that feature since I don't think anyone uses it anyways.

  • Quote

      FromTimeToTime: I've seen and tested this exploit today. It can send an upper limit of a few dozen messages per second, and that's if you're trying to spam yourself.

    few dozen a second lmao... multiple people have tested it, and it can easily go above 1000/s, spammable on anyone

  • I've re-enabled the plugin for three reasons:

    • The claim to be able to hide your own username is unconfirmed and should be taken with a grain of salt
    • Administrators can effectively stop someone from spamming by using /rd ITEM_FRAME and can also track the use of item frames with CoreProtect
    • This is not an exploit, but still a violation of the Conduct Policy as a Section 3 offense as it's considered an extreme annoyance and thus can be something someone can be sanctioned for.


  • A brief explanation for why this happens

    Trinkets in Crackshot are supposed to create an explosion that destroys the item frame holding it when they are set off. However, because explosives are disabled, you can just endlessly spam players by pressing the pressure plate over and over again because the item frame is never destroyed.

    Why the feature shouldn't be disabled

    In the interest of providing a better user experience, I feel like we should refrain from disabling features unless:

    1. The feature poses a significant threat to server or client stability

    2. The feature isn't logged by CoreProtect

    As the issue does not fit the criteria, I believe this feature should not be disabled. Anyone who abuses this feature to deliberately annoy other players can be sanctioned under rule 3c of the conduct policy.
