Latest News Article

[sk89q]

Note: If you don't play SMP then you don't need to care.

I've been told that people keep reporting this thread, SO here's some links:
Post from CyborgDragon (moderator)
Post from Muserae (moderator)

There's an exploit in Minecraft that lets you login under someone's name without ever needing to know the person's password. All the attacker needs to do is get you to join his/her server once, and s/he can use your account for hours, days, possibly weeks afterwards. This client-side fix patches your game so that it won't let your server tell you to authenticate against a "blank" server ID. You can download a ZIP to install it like any other mod (put the files into minecraft.jar), or Windows users can use the setup program to automatically install the fix.

Name spoof fix for 1.8.1 (ZIP):
minecraft-spoof-fix-1.8.1.zip

Name spoof fix installer for 1.8.1 (Windows installer):
minecraft-spoof-fix-1.8.1.exe (affects wt.class)

Lymia and I reported it to Mojang a while ago, and 1.8 now has a fix but there's still another way to exploit it. You can find more details about the exploit here:
http://www.sk89q.com...oofing-exploit/

The patch does some basic detection of attempts at exploit:

[96nazizombies]

I've never heard of this

[Spider Jock]

Going to have to delete this forum since you told people how to do it.

[sk89q]

It's not that secret anymore, especially since the fix has appeared on the web as of a day ago.

We discovered it a while ago but we didn't mention a word to anyone because I was trying to get Jeb to fix it. He did, kind of, but he made a mistake so it's only half fixed. But now the cat's out of the bag, so...

[CGuangJun]

Lol, you people have no idea who you're talking to. Thanks, sk89q, for your patch.

[Pierron]

TheNardCake, on 17 September 2011 - 02:33 AM, said:

Sounds like your trying to "spoof" us lol

this is not a spoof this guys pretty big on the bukkit forums so i highly doubt its a spoof

and if you read this sk89p when do you think bukkits going to be good to use on server again? along with worledit and guard

[Drislen]

Thanks for the info and the fix! :3

[sk89q]

burnteggoz, on 17 September 2011 - 03:10 AM, said:

this is not a spoof this guys pretty big on the bukkit forums so i highly doubt its a spoof

and if you read this sk89p when do you think bukkits going to be good to use on server again? along with worledit and guard

When the dust settles I suppose. I can't really give you an accurate time frame.

[kkabcd]

This will only prevented CRACKED AND I REPEAT CRACKED minecraft clients

[xTwilight3]

Lovely fix.

[NeonJ]

Wait, does this mean Bukkit has the fix built-in? Because I run a Bukkit server.

[Official]

sk89q,thanks very much for this patch, i never knew of this bug,but thankfully i found out befor i went on a SMP server


Also,Im really intrested in joining your SMP server,if you can let me in/read my app i posted on your forum befor,
my post was under the name FrozenDiamonds

My IGN is FrozenDiamonds also
thanks again

[sternold]

Can they steal your password? Because thats scary :X

[FrozenDiamonds]

No,they can not steal your password,but they can login in as you without it untill the next update.
so download this patch and run it ,then your on the safe side

[sternold]

Why? What can they do with my name?

[Amber Tonerre]

no one is logging into my acc if they do ill change the skin heh heh.....

[builda1]

casn take ur items if done properly.

[xSoul]

Thanks for the info.

[The__Q]

Must bump! *bumps*


This needs to be implemented into vanilla minecraft

[sup3rp0w3rl3ss]

They don't have my password, so they can't login to minecraft.net right?
I have no problem with other people using my account on SMP servers, as long as they can't login to minecraft.net.