Lately I ended up watching one of the most ridiculous little security-related messes I’ve seen on QQ.
I was hanging out in a hacker chat group when someone dropped a one-click join link for a QQ group from who-knows-where. The moment I saw it, I recognized the mechanism. I’d previously applied to Tencent for that exact kind of link through a friend’s qualifications, but after it got shared around too much, Tencent revoked it on the grounds of abuse.
The target group was called 打洲社-清华大学. “Tsinghua University”? My first assumption was that it was probably another fake-looking name someone had set up to show off or siphon traffic.
So a few of us tried the link for fun, and before long it started spreading. The behavior was simple and kind of alarming: anyone who opened the link inside QQ could join the group directly. It even bypassed the setting that was supposed to block all join requests entirely, because it was using a special interface.
Then things escalated.
Some people started causing trouble in the group. I have no idea whether the link spread into some trolling circles or what, but part of the chat ended up looking like this:
That “internet colander” atmosphere didn’t last long before one of the members finally tagged a group admin.
I got kicked shortly after that, and they turned on the setting that disallowed anyone from joining. At that point, though, they still hadn’t realized how bad the situation actually was.
This should have been the end of it. Instead, it turned into the most amateur-hour moment possible.
Guess how we got back in?
That’s right: I rejoined.
To be honest, I barely paid attention to that group in the first place. I only found out I’d been kicked because people in the hacker chat mentioned what was happening over there. Naturally, I got curious and went back in to see the chaos for myself.
That said, the one-click link couldn’t override a proper “kicked and banned from rejoining” state. But in a situation like that, banning specific people wasn’t easy either. When random users keep pouring in, you can’t even tell who belongs there and who doesn’t. If you just start mass-banning everyone, that’s basically a denial-of-service attack against your own group.
I only intended to lurk and watch the drama unfold. I wasn’t planning to say anything.
But the scene was too funny not to comment on:
“Are there hackers?” That line absolutely killed me.
And I do have something to say about the final line there. Since I’d successfully applied for this kind of one-click group link before, I know exactly how it works: as long as you have a QQ account, you can click it and join. Unless the account is blocked, maybe, but for ordinary users it just works.
So how did outsiders get a link that was supposedly meant for a strictly identity-verified event?
Don’t underestimate what people will dig up once something is exposed on the public internet. I’ve never played Delta Force and I didn’t inspect the event firsthand, so I can’t say exactly how this link surfaced. But if a page is accessible online, people will poke through it from top to bottom. Maybe someone scraped it while inspecting the event page. That’s only speculation, of course. Reality may have been different. Still, compared to that, the odds of the link leaking only through manually verified participants felt lower to me.
Once the admins realized the group had become unmanageable, they switched to full-group mute.
That was the moment I finally understood this was not some fake group using a prestigious name. It was actually a real group associated with Tsinghua University. I’ve seen plenty of fake groups online; this was the first time I’d stumbled into the real thing.
Also, the person getting cursed at in that screenshot wasn’t me. It was another user with a blank display name. Blank names really do have their downsides.
A little later, the full-group mute was lifted again:
By then, the admin was clearly losing it. After that, the group kept going back into full-group mute, and it was still in that state when I was writing this. Honestly, fair enough. Put anyone in charge of a group full of troublemakers—some real members, some not, impossible to distinguish cleanly—and they’d crack too.
That’s why all the screenshots from that stretch show the “everyone muted” status.
At that point, the story seemed like it was winding down.
Then came another update.
I got kicked again, and the one-click join link stopped working. It started showing “no more group chats.” Since they had already turned on the “no one can join” setting, it looked like they had finally sealed things off properly. People outside the approved channels could no longer enter.
That should have been the end of it.
Then somehow it got even dumber.
The link started working again.
I wish I were making that up.
What made it even funnier was that among the people joining, four were actually on my friends list: Yunmengze, Chibang, Renji, and kun.
All of them, apparently, “joined normally.”
At that point all I could think was: Tencent, what exactly are you doing?
I had assumed that once a leaked link was disabled, the problem was basically handled—maybe not perfectly, but at least contained. What I did not expect was that the link would apparently be shut off for a while and then re-enabled.
It really felt like one platform-level move had backstabbed everyone involved.
The funniest part was Yunmengze answering “yes.” It completed the logic loop perfectly. And then there was the line “bro, hi, I’m back,” which was so ridiculous I had to stop and laugh.
As for Aoi, if that name sounds familiar, it was one of the people appearing repeatedly in the earlier chat logs and was probably on the same side as the group admin.
After that, things slid right back to the previous state. If the old link started spreading widely again, I can only imagine how chaotic it would become. Luckily, it didn’t seem to get a huge second wave of distribution, partly because newer messages had already pushed the old one out of view.
The admin, lzy_de1ight, still didn’t want to believe the original problem had returned when I pointed out that the link was working again. Instead, he said something uncertain along the lines of, “This time it should be a normal join, right?” It really came across like someone unwilling to accept how unreliable the platform he trusted actually was.
So Yunmengze ended up helping preserve that version of reality with a simple “yes,” just enough to grant some appearance of legitimacy inside the group.
At that point the whole thing had become more interesting than before, and it felt like it might keep developing.
The bigger issue, though, is that this design always looked abuse-prone to begin with.
It behaves almost like a new-style internet worm: highly shareable, hard to contain once loose, and extremely dependent on platform-side controls being perfect. This kind of thing had already flared up once before. Tencent only got it under control after reclaiming the permissions and imposing a much stricter threshold—things like requiring applicants to be actual game companies with software copyrights, an app already listed in an app store, and a product that was genuinely playable.
Even back then I kept thinking: what if someone just copied someone else’s link and passed it around? Packet capture isn’t difficult, and in this case it was an HTTP packet on top of that. Sure enough, the boomerang came right back.
So yes, the problem starts with the design itself. A group-join action—something that writes data and changes state—being handled through a GET request is already questionable from a security standpoint. If it were up to me, the safer pattern would be to let a designated event page use POST to request a one-click join link that is valid only once, and if unused after retrieval, expires and is destroyed quickly. That would align much better with the principle of least privilege while still not breaking the business flow.
Because as it stands, the platform design invites misuse.
And the updates still weren’t over.
Things got ridiculous again:
Then the whole group was muted yet again.
Muting individual users was obviously pointless. Someone could just leave and re-enter through the same link. That’s what made the whole situation so baffling: if the link was the root of the problem, why was it still being allowed to remain usable at all?
And that’s where it stood—an invite mechanism that kept reopening the door, admins reduced to emergency full-group mutes, and a supposedly restricted university group repeatedly getting walked into through a link that should never have been this reusable in the first place.