Mojang chat report (technical)

Mondbrille

New member
This thread is for technical discussion only; for your personal opinion about this topic, please use the thread "Mojang chat report".

The purpose of this thread is to share knowledge, prevent abuse of the system and maybe improve it.


My knowledge at this point about the system is: Every player message received by the server (ServerboundChatPacket) contains a timeStamp and a saltSignature. These fields are passed to all receiving players via the ClientboundPlayerChatPacket. That means the client is creating the saltSignature.

Explanation of acronyms:
• Sender: The client who sent the message
• Reporter: The client who reported the message from the sender
• Game server: The game server both clients are online on
• Auth server: The authentication server of Mojang, used for identification (and probably reporting)

I have a few questions in terms of verification of the report:

1. What exactly is the saltSignature? Is it a hash, the encrypted message, an ID or something else?

2. Is the saltSignature or raw message of sent messages simultaneously sent to the Mojang auth server?

3. If 2 is true, who sends this information to the auth server? The sender, the game server or both?

4. If 2 is false, how is it ensured that the reporter doesn't report self-created fake signatures of the sender?

5. What happens if the server or client manipulates the saltSignature?
 

Noah

Paper Developer
Staff member
Jan 4, 2022
The Netherlands
1. It is a signed version of the message's text (or the component if the server sent a preview), signed with a private key only known by the player and Mojang.
2. No, only when reported.
4. Because the public key of the signed messages wouldn't match with the public key belonging to the reported user.
5. The message will show as insecure, with a red line (always visible) and hoverable icon (only when the chat window is opened), see the image below:
[Image: 1656681429566.png]

For reference, here's a flowchart of the chat process, created by Cubxity:
[Image: 1656681373252.png]
 
Reactions: Mondbrille
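
The checks described in answers 4 and 5 above, as an added example that is not part of the original posts and is not Mojang's or Paper's code. Assumptions: the payload layout (salt, timestamp, message text), the SHA256withRSA algorithm, the locally generated key pairs and all names are chosen for illustration and do not reproduce the actual wire format.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class ChatSignatureDemo {
    // Assumed payload layout: salt (8 bytes) | timestamp (8 bytes) | UTF-8 text.
    static byte[] payload(long salt, long timestamp, String text) {
        byte[] msg = text.getBytes(StandardCharsets.UTF_8);
        return ByteBuffer.allocate(16 + msg.length)
                .putLong(salt).putLong(timestamp).put(msg).array();
    }

    // Sender side: sign salt, timestamp and text with the sender's private key.
    static byte[] sign(PrivateKey key, long salt, long ts, String text)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(payload(salt, ts, text));
        return s.sign();
    }

    // Receiver or report handler: check the signature against a public key.
    static boolean verify(PublicKey key, long salt, long ts, String text, byte[] sig)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(payload(salt, ts, text));
        return s.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair sender = gen.generateKeyPair();   // constructed stand-in for the sender's keys
        KeyPair reporter = gen.generateKeyPair(); // a different player's keys

        long salt = new SecureRandom().nextLong(); // assumed: random per-message value
        long ts = 1700000000L;                     // constructed timestamp
        byte[] sig = sign(sender.getPrivate(), salt, ts, "hello");

        // Unmodified message checked against the sender's public key.
        System.out.println("genuine:  " + verify(sender.getPublic(), salt, ts, "hello", sig));
        // Answer 5: text altered after signing, checked with the original signature.
        System.out.println("tampered: " + verify(sender.getPublic(), salt, ts, "hell0", sig));
        // Answer 4: signature produced with another key, checked against the sender's key.
        byte[] forged = sign(reporter.getPrivate(), salt, ts, "hello");
        System.out.println("forged:   " + verify(sender.getPublic(), salt, ts, "hello", forged));
    }
}
```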

Andre_601

New member
Feb 8, 2022
> 1. It is a signed version of the message's text (or the component if the server sent a preview), signed with a private key only known by the player and Mojang.
> 2. No, only when reported.
> 4. Because the public key of the signed messages wouldn't match with the public key belonging to the reported user.
> 5. The message will show as insecure, with a red line (always visible) and hoverable icon (only when the chat window is opened), see the image below:
> [Attachment 239]
>
> For reference, here's a flowchart of the chat process, created by Cubxity:

I thought the salt was a randomly generated value.
Has this been changed in 1.19.1/.2?