There's an exploit in Minecraft that lets you log in under someone's name without ever needing to know the person's password. All the attacker needs to do is get you to join his/her server once, and s/he can use your account for hours, days, possibly weeks afterwards. This client-side fix patches your game so that it won't let your server tell you to authenticate against a "blank" server ID. You can download a ZIP to install it like any other mod (put the files into minecraft.jar), or Windows users can use the setup program to automatically install the fix.
It's not that secret anymore, especially since the fix has appeared on the web as of a day ago.
We discovered it a while ago but we didn't mention a word to anyone because I was trying to get Jeb to fix it. He did, kind of, but he made a mistake so it's only half fixed. But now the cat's out of the bag, so...
I wouldn't want someone else logging into my account because they could go grief people and get my account banned from who knows what. If you never join any servers at all, then you are never at risk, however (the attacker has to get you to join his/her server once first).
If you have a patched server, then someone's account who has been exploited can't join your server. If you have a patch for the client, then someone can't exploit your account. If you only have a patched client, that means *your* account is safe, but then someone else's account can be exploited to join your server (if unpatched). Not sure if that made sense.
@Official: I haven't really been processing applications to my server for a while, but I might soon.
lol wth, is this really there? Because that is scary. I mean, they can log into your account just by your name, lol, that seriously has to be fixed. But um, what if you are, like, careful? You said they can only do that if you log onto their server, right? So as long as you stay away from people you don't know or trust, you should be fine, no?
Wow thank you, I saw this when first posted but was quite cautious, since I thought you were a complete stranger and then I saw your signature. Anyways thanks again for informing us!
You all should be worried about this. Not only can they get onto your servers as YOU, but then they can get you banned, and listed with MCBans... try getting on a server after 10-20 servers have been griefed under YOUR name, and your MCBans is at 0%.
I've been told that people keep reporting this thread, SO here's some links:
Post from CyborgDragon (moderator)
Post from Muserae (moderator)
Name spoof fix for 1.8.1 (ZIP):
minecraft-spoof-fix-1.8.1.zip
Name spoof fix installer for 1.8.1 (Windows installer):
minecraft-spoof-fix-1.8.1.exe (affects wt.class)
Lymia and I reported it to Mojang a while ago, and 1.8 now has a fix but there's still another way to exploit it. You can find more details about the exploit here:
http://www.sk89q.com/2011/09/minecraft-name-spoofing-exploit/
The patch does some basic detection of attempts at exploit:
This is not a spoof. This guy's pretty big on the Bukkit forums, so I highly doubt it's a spoof.
And if you read this, sk89q, when do you think Bukkit's going to be good to use on a server again? Along with WorldEdit and guard.
When the dust settles I suppose. I can't really give you an accurate time frame.
This needs to be implemented into vanilla Minecraft.
I might download this when I get the chance.