The VRChat Security Update
UPDATE 7/26:
Since the announcement yesterday, we've gotten a LOT of feedback from all of you regarding the incoming 2022.2.2 VRChat update that integrates Easy Anti-Cheat.
We are reprioritizing, reorganizing, and changing our internal development roadmap to focus on the feedback you've given us.
Let's follow that up with the hard part: we are going to be releasing this update, and we do not have plans or intent to revert or roll it back.
However, we hear you and see you saying that many of the modified client features that are being lost due to this are extremely important to you, or in some cases allow you to use VRChat at all, when in regards to modifications that added accessibility features that VRChat currently lacks.
Addressing these concerns and feedback is our highest priority. We are changing our internal development roadmap and priorities to focus on the features and additions that you want. Currently ongoing projects are being paused, rescheduled, or re-prioritized, and resources are being re-allocated to account for this change.
In addition to the information we already had on hand, we've been talking to VRChat communities and community leaders about the changes and additions that they want most, including speaking to communities focused on accessibility to VRChat. We've also been watching and documenting constructive feedback via our typical channels like our Feedback boards, social media, and this Discord.
Our first priority for these changes is addressing several accessibility concerns in VRChat. We've got an internal list of improvements we can implement quickly and are fast-tracking it through our production and implementation process. We will be posting more information about those changes tomorrow.
Those changes will not be our last. We have more planned and are gathering more information to understand and address more of your needs. As noted before, we are immediately adjusting internal development to address these changes.
Thank you for your patience as we work as quickly as we can to address your concerns and your feedback. We'll be back as soon as possible with the first set of these updates, changes, and features.
The VRChat Team
Chances are, if you’ve paid attention to VRChat’s patch notes in the past, you’ve probably noticed a vague (yet common!) line that’s added to the end of most updates: “Safety and security fixes.”
As you probably can imagine, when you see this line, we’ve changed something to improve the security of our platform. While we want to always show the community that we’re working on improving security, the nature of security means that we have to hold our cards close.
This time, though, there are some updates we’d like to be a little more transparent about, as we want the community to know exactly what we’re doing – and why.
Let’s start with the first major change which will be going live in the next few days.
Easy Anti-Cheat
“Modified clients” are a large problem for VRChat in a variety of ways. Malicious modified clients allow users to attack and harass others, causing a huge amount of moderation issues. Even seemingly non-malicious modifications complicate the support and development of VRChat, and make it impossible for VRChat creators to work within the expected, documented bounds of VRChat.
In order to prevent that, we’ve implemented Easy Anti Cheat (EAC) into VRChat.
If you’ve played Apex Legends, Fortnite, Gears of War, Elden Ring, or many more, you’ve seen Easy Anti-Cheat (EAC).
EAC is the industry-leading anti-cheat service. It’s lightweight, effective, and privacy-focused. In short, for any game or platform looking to prevent malicious users from breaking the rules, it’s a powerful solution.
The integration of EAC means that all modified clients are blocked. The problems mentioned above will be minimized if not outright eliminated, improving the VRChat experience for users and creators.
Malicious client modifications are responsible for a massive amount of issues for both our team and our users. We’ve been listening to you cry out for a solution to being harassed, griefed, and constantly crashed, so we’re taking further steps to address one of the roots of the problem.
Our Trust & Safety and User Support teams witness first hand how much damage modified clients do to the platform.
Every month, thousands of users have their accounts stolen, often due to running a modified client that is silently logging their keystrokes as well as other information. These users – often without even realizing it! – run the risk of losing their account, or having their computers become part of a larger botnet.
These networks of modified clients perform malicious actions without informing users – such as reporting back user locations to harassers or stalkers, ripping and archiving avatars, allowing mass harassment of users via automated actions, and even acting as nodes for distributed “zombie” botnets. We’ve directly observed this happening innumerable times, and it alarms us!
Additionally, all modified clients – even ones that aren’t malicious – are a burden for creators. We regularly speak to many that have spent hours (or days) debugging user issues, only to realize that the culprit is a modified client. This frustration ultimately has a chilling effect on VRChat creators, hurting their enthusiasm and preventing them from building awesome things.
This pain extends to VRChat support too – any time we update, we get a massive amount of bug reports that end up just being broken modifications. In addition to burning developer time, this support burden also frustrates less technically-inclined users who didn’t know what they were getting into by installing these modifications.
Finally, we’re aware that many legitimate users install modifications to add features they wish VRChat had natively. We're very aware of the popularity of these modifications, and we’re aware that EAC means those modifications are gone, too. As such, we've been working towards native implementations of features like a main menu that's usable even when you're lying down, a portable mirror that you can use to calibrate your full-body tracking (or provide a face-cam), and more – all planned for upcoming releases.
Despite our best attempts to answer as many questions above as we can, we know that users will have more! As such, we’ll try to answer a few more in the FAQ section at the bottom of this blog post.
Secure Instances
In an upcoming update, we’ll be slightly changing how instances work. These changes are intended to make instances more secure and intuitive for all users.
In the past, if you created a private instance – for example, a Friends instance – then only your friends would be able to join the instance. However, if you created the instance via the VRChat website and then handed that link to someone that was not your friend, they would still be able to join the instance! Similarly, if you created a Friends instance and then dropped a portal to it in a public instance, anyone could see and go through the portal – even if they weren’t your friend.
While this was intended behavior, it has led (understandably!) to a lot of confusion, as well as abuse.
In this upcoming release, we’ll be rolling out an improvement called Secure Instances. In short, Secure Instances (or SI, as we’ve been calling it) enforces the instance rules on the server side when you enter an instance.
For example, in order for you to join a Friends instance, you must follow the rules: you must be a friend of the creator of the instance to join. Joining using a link or the instance ID no longer works if you do not meet the set rules of the instance.
As a quick refresher:
Public - Anyone can join!
Friends+ - You have to be a friend of someone in the instance to join.
Friends - You have to be friends with the instance creator to join.
Invite+ - You must request an invitation from someone in the instance to join, or the instance creator may invite you directly.
Invite - The instance creator must invite you directly.
Secure Instances makes it possible to keep private instances private – even if you drop a portal! Dropping a locked portal to a new Friends or Friends+ instance will only show up for your friends! In other worlds, you can drop a Friends+ portal in a crowded public instance, and only your friends will be able to see or use that portal!
You can also choose to drop an “unlocked” portal, meaning anyone can see it and anyone can go through it. Note that if you drop an unlocked portal, anyone that is in the instance can see where that portal goes, and may be able to access it, even after the portal closes. If you want to be very careful who can get into your new Invite or Invite+ instance, don’t use a portal. Click “Go” and invite your friends via the social menu instead.
The portal drop UI in VRChat has been updated with some new buttons to show your current locked/unlocked state. Check out this quick clip!
The “locked” portal is only available for Friends and Friends+ instances. Locking a Public portal makes no sense, and the only person allowed to enter a “locked” Invite or Invite+ portal is the instance creator (that’s you!), so allowing a portal for that didn’t make sense either.
Of course, there’s also the VRChat Home website! If you didn’t know, you can log into the VRChat Home with a VRChat account, create a new instance, and even invite yourself to it.
Previously, if you knew the “instance ID”, you could join the instance even if you hadn’t been invited. But now, with SI, you’ve got “Locked Links” (which follow the rules), in addition to “Unlocked Links”, which work how they did before.
Additional Upcoming Changes
Over the next few weeks, we’ll be announcing and rolling out a few more features that are designed to make VRChat a better, safer, and more secure place to spend your time.
While we aren’t ready to announce anything else today, you’ll hear more from us in the near future.
Easy Anti-Cheat FAQ
Is EAC always on in the background?
No. EAC will only activate when VRChat has been launched. Once you close VRChat, EAC will also close.
What happens if I use or have used “mods” in the past? Will I get banned when EAC launches?
No, you will be fine. If you have previously used mods and have totally removed them, nothing will happen.
If you are currently using mods, you will receive an error on your screen and you will be prevented from loading into VRChat. Users that attempt to load a mod while running VRChat will be disconnected and the application will shut down.
You will need to cleanly reinstall VRChat before you’ll be permitted to log in. Click here to find instructions on how to do so.
Are there any “whitelisted mods”?
No. Despite rumors to the contrary, there has never been such a thing as a “whitelisted mod.” Modification of the client – in any way – has, and will certainly continue to be, a violation of the Terms of Service.
Does this affect “Playspace Mover”, OpenVR Advanced Settings, or overlays like OVR Toolkit and XSOverlay?
No! Playspace Mover, OVRAS, OVR Toolkit, and XSOverlay are not considered modifications!
These applications are their own programs, and load in via SteamVR. They do not modify VRChat in any way. EAC will not care about these programs. You are free to use any of them!
Does this affect the OpenVR AMD FSR tool?
Yes. As the OpenVR AMD FSR tools modifies the client to behave in a different way than is originally intended, it is considered to be a mod.
I rely on a feature that I only get through modifications. What should I do?
We understand that many modifications provide users with features that they really wish they had in VRChat by default.
Many of these features are things we’d love to add into VRChat – some have even been planned for years! However, developing something like VRChat is a challenge, and involves a lot of prioritization, triage, and sometimes putting things on a backlogged list that you really wish you didn’t have to.
While we can’t promise any particular feature is going to be added into VRChat, we’d suggest actively using our Feedback board. This helps us decide what features to work on, and what things our users really want.
Does this mean that VRChat is partnered with Epic?
Nope! We just use their software.
What do I do if I have issues with EAC?
There’s very few cases in which EAC has issues! Thankfully, many different games use it, so we get the benefit of all of those games ensuring that EAC continues to work properly. The EAC team maintains this helpful page that can help with some less rare issues, like antivirus false positives.
Of course, you can always contact the VRChat Support team to get help with any issues.
I thought VRChat was working with mod creators?
A little over a year ago, we announced that we’d be opening lines of communication with some mod creators.
We did this! We spent time speaking with several modified client creators and got some feedback and insights that they had from their unique position. Much like the feedback you provide via our Feedback boards, much of that conversation fed into our production process.
As a result, we’ve been implementing features and additions into VRChat that had demand demonstrated by the creation of modifications. Several recent systems like OSC and Avatar Dynamics were influenced by these discussions. Of course, we’re far from done with this – we’ve got more on the way.
Does this prevent people from playing VRChat on platforms like SteamOS on the Steam Deck? What about Linux via Proton?
No, we’ve tested this! EAC works fine on these platforms. Thanks to Valve and the Proton team for all their hard work.
For press or media inquiries, please contact press@vrchat.com
We’re hiring! Check out open positions on our site