Jump to content

  • Curse Sites
Become a Premium Member! Help
Latest News Article

[1.8.1] Exploit fix - Login under someone else’s Minecraft account


  • Please log in to reply
46 replies to this topic

#1

sk89q
    sk89q

    Gold Miner

  • Curse Premium
  • Curse Premium
  • 474 posts

Posted 17 September 2011 - 02:29 AM

Note: If you don't play SMP then you don't need to care.

I've been told that people keep reporting this thread, SO here's some links:
Post from CyborgDragon (moderator)
Post from Muserae (moderator)

There's an exploit in Minecraft that lets you login under someone's name without ever needing to know the person's password. All the attacker needs to do is get you to join his/her server once, and s/he can use your account for hours, days, possibly weeks afterwards. This client-side fix patches your game so that it won't let your server tell you to authenticate against a "blank" server ID. You can download a ZIP to install it like any other mod (put the files into minecraft.jar), or Windows users can use the setup program to automatically install the fix.

Name spoof fix for 1.8.1 (ZIP):
Posted Image minecraft-spoof-fix-1.8.1.zip

Name spoof fix installer for 1.8.1 (Windows installer):
Posted Image minecraft-spoof-fix-1.8.1.exe (affects wt.class)

Lymia and I reported it to Mojang a while ago, and 1.8 now has a fix but there's still another way to exploit it. You can find more details about the exploit here:
http://www.sk89q.com...oofing-exploit/

The patch does some basic detection of attempts at exploit:
Posted Image
I'm the author of WorldEdit, WorldGuard, WarmRoast, a custom MC launcher platform, and a few other things.
I've also been running a server since MC alpha:
Posted Image

Register or log in to remove.

#2

96zombies
  • Location: The Land of Chicken Wings (Western New York)
  • Minecraft: 96nazizombies

Posted 17 September 2011 - 02:32 AM

I've never heard of this

#3

Spider Jock
  • Location: In a cave fighting zombies
  • Minecraft: Glarkon

Posted 17 September 2011 - 02:33 AM

Going to have to delete this forum since you told people how to do it.

Posted Image


#4

sk89q
    sk89q

    Gold Miner

  • Curse Premium
  • Curse Premium
  • 474 posts

Posted 17 September 2011 - 02:36 AM

It's not that secret anymore, especially since the fix has appeared on the web as of a day ago.

We discovered it a while ago but we didn't mention a word to anyone because I was trying to get Jeb to fix it. He did, kind of, but he made a mistake so it's only half fixed. But now the cat's out of the bag, so...
I'm the author of WorldEdit, WorldGuard, WarmRoast, a custom MC launcher platform, and a few other things.
I've also been running a server since MC alpha:
Posted Image

#5

CGuangJun
  • Location: Here, yeah, right here.
  • Minecraft: CGuangJun

Posted 17 September 2011 - 02:55 AM

Lol, you people have no idea who you're talking to. Thanks, sk89q, for your patch.

#6

Pierron
    Pierron

    Obsidian Miner

  • Members
  • 1212 posts
  • Location: canada
  • Minecraft: burnteggoz
  • Xbox:burnteggoz

Posted 17 September 2011 - 03:10 AM

View PostTheNardCake, on 17 September 2011 - 02:33 AM, said:

Sounds like your trying to "spoof" us lol
this is not a spoof this guys pretty big on the bukkit forums so i highly doubt its a spoof

and if you read this sk89p when do you think bukkits going to be good to use on server again? along with worledit and guard
Posted Image

#7

Drislen
    Drislen

    Stone Miner

  • Members
  • 81 posts

Posted 17 September 2011 - 03:20 AM

Thanks for the info and the fix! :3

#8

sk89q
    sk89q

    Gold Miner

  • Curse Premium
  • Curse Premium
  • 474 posts

Posted 17 September 2011 - 04:54 AM

View Postburnteggoz, on 17 September 2011 - 03:10 AM, said:

this is not a spoof this guys pretty big on the bukkit forums so i highly doubt its a spoof

and if you read this sk89p when do you think bukkits going to be good to use on server again? along with worledit and guard

When the dust settles I suppose. I can't really give you an accurate time frame.
I'm the author of WorldEdit, WorldGuard, WarmRoast, a custom MC launcher platform, and a few other things.
I've also been running a server since MC alpha:
Posted Image

#9

kkabcd
    kkabcd

    Iron Miner

  • Members
  • 277 posts
  • Location: In Advanced Soldier rig
  • Minecraft: KKABCD

Posted 17 September 2011 - 05:43 AM

This will only prevented CRACKED AND I REPEAT CRACKED minecraft clients
Posted Image

#10

xTwilight3
  • Minecraft: xTwilight

Posted 17 September 2011 - 10:35 AM

Lovely fix. :)
Did my post help? Click the Posted Image on my post. It's 110% optional Popcorn smelting, old removed feature, new mod. :D

#11

NeonJ
    NeonJ

    Diamond Miner

  • Members
  • 864 posts

Posted 17 September 2011 - 10:46 AM

Wait, does this mean Bukkit has the fix built-in? Because I run a Bukkit server.
Posted Image The name's Cirom, a BLU KAG archer of awesome. Click the archer to join me in KAG!

#12

Official

Posted 17 September 2011 - 12:33 PM

sk89q,thanks very much for this patch, i never knew of this bug,but thankfully i found out befor i went on a SMP server
:)

Also,Im really intrested in joining your SMP server,if you can let me in/read my app i posted on your forum befor,
my post was under the name FrozenDiamonds

My IGN is FrozenDiamonds also
thanks again

#13

sternold

Posted 17 September 2011 - 12:47 PM

Can they steal your password? Because thats scary :X

#14

FrozenDiamonds

Posted 17 September 2011 - 12:59 PM

No,they can not steal your password,but they can login in as you without it untill the next update.
so download this patch and run it :),then your on the safe side ;)

#15

sternold

Posted 17 September 2011 - 02:22 PM

Why? What can they do with my name?

#16

Amber Tonerre

Posted 17 September 2011 - 02:38 PM

no one is logging into my acc if they do ill change the skin heh heh.....
Posted Image
RvsB forevar!!!

#17

builda1
    builda1

    Out of the Water

  • Members
  • 7 posts

Posted 17 September 2011 - 02:40 PM

casn take ur items if done properly.

#18

xSoul
    xSoul

    Redstone Miner

  • Members
  • 535 posts

Posted 17 September 2011 - 02:49 PM

Thanks for the info.

#19

The__Q
    The__Q

    Coal Miner

  • Members
  • 130 posts
  • Location: Underwater, Building random crap in minecraft
  • Minecraft: The__Q

Posted 17 September 2011 - 03:39 PM

Must bump! *bumps*


This needs to be implemented into vanilla minecraft
Posted Imageლ(ಠ益ಠლ

#20

sup3rp0w3rl3ss
  • Location: Germany

Posted 17 September 2011 - 03:39 PM

They don't have my password, so they can't login to minecraft.net right?
I have no problem with other people using my account on SMP servers, as long as they can't login to minecraft.net.