by orsond 1388 days ago
> More importantly could it be possible for a modified client or server to 'spoof' reports against an arbitrary user to 'frame' them? Disturbing possibilities here.

Yes, the developers of Nodus have demonstrated over and over again that they can spoof messages.

https://www.youtube.com/watch?v=Pz5iGzuNnNU

1 comment

Sort of. (I think you know this but I'm adding context for others unaware of how the system works). The design intent of the chat reporting system is that chat messages are signed by the client with a key associated with the account, so that you can't just conjure up a message of someone saying a slur and send it to Microsoft. Someone has to have actually typed something for it to appear in the report. So far I don't think anyone has demonstrated spoofing a message signed by someone else which they didn't actually write (which I think is what OP was asking).

Of course just having the message with no context is not enough to go on in a lot of cases, so they also made a system to try to have a verifiable chain of context to go with the offending message. This is what the system above is exploiting, since it basically allows a malicious actor to have one message appear in the chat reports but another appear to the player (which is also spoofing a message), allowing manipulation of the context of the message and thus a false report that appears legitimate as far as Microsoft can verify.

There's a relatively simple but limiting way to avoid this: just never say anything in chat. It's also possible to mod the client to never sign messages (and the server to strip signatures from messages), but this may result in your chats being dropped by some clients and servers (I think it's an option, not sure if the default has changed to on).
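
A simplified model of the signed message chain described in the reply above, added here as an illustration and not taken from the thread or from the game's code: each message is signed over its text plus the previous message's signature, so a report verifier can detect altered text or removed context. HMAC with constructed per-account keys stands in for the account-bound signature, and all names (`sign`, `build_chat`, `verify_report`) are hypothetical.

```python
import hashlib
import hmac

# Constructed per-account keys. HMAC stands in for the account-bound
# signature, so this toy verifier holds the same keys as the signers.
KEYS = {"alice": b"constructed-key-a", "bob": b"constructed-key-b"}
GENESIS = b"\x00" * 32


def sign(sender, text, prev_sig):
    """Sign the text together with the signature of the preceding message."""
    body = prev_sig + sender.encode() + b"\x00" + text.encode()
    return hmac.new(KEYS[sender], body, hashlib.sha256).digest()


def build_chat(lines):
    """Turn (sender, text) pairs into a chained log of signed messages."""
    log, prev = [], GENESIS
    for sender, text in lines:
        sig = sign(sender, text, prev)
        log.append({"sender": sender, "text": text, "prev": prev, "sig": sig})
        prev = sig
    return log


def verify_report(report):
    """Return (ok, reason) for a reported message plus its context."""
    prev = report[0]["prev"]  # a report may start mid-conversation
    for i, m in enumerate(report):
        if m["prev"] != prev:
            return False, f"message {i}: context link broken"
        expected = sign(m["sender"], m["text"], m["prev"])
        if not hmac.compare_digest(expected, m["sig"]):
            return False, f"message {i}: bad signature"
        prev = m["sig"]
    return True, "chain intact"


# Constructed conversation used as sample input.
CHAT = build_chat([("alice", "what do you call this mob?"),
                   ("bob", "a creeper"),
                   ("alice", "thanks")])
```

A passing check only shows what was signed and in what order; it says nothing about what a client actually displayed to the player, which is the gap the reply describes.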