Author Topic: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED  (Read 6917 times)

1cec0ld

  • Frozen Hearted Admin
  • Professor
  • Fighting Blaine
  • *****
  • Posts: 3084
  • Friendliness: 94
  • Who am I to judge others?
  • Pokemon Team: Typhlosion, Espeon, Aerodactyl, Glalie, Jolteon, Mew the HM Slave
NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« on: April 15, 2012, 11:14:07 pm »
Watch JeremyJr.

Quote from: EvenPrime85
Minecraft's authentication protocol is completely broken. I'll try to give a simple explanation:

When a server is in online-mode=true, it will force players that try to connect to solve a little challenge to prove that they own the username that they want to use on the server. That challenge is:

Server: "Dear user, take this random number and upload it under your username to the minecraft.net servers. If you can do that, then you clearly are the owner of that username and I'll let you log in."

What the attacker does:

At the same time that you start to connect to the attacker's minecraft server (A), he will start to connect with your username to another server (B). Now (B) will give the attacker the above challenge, which the attacker can't solve (he can't upload stuff to minecraft.net in your name). But the attacker is clever and just forwards the challenge to you, behaving as if it is the challenge of his own server (A). You will be able to solve it and happily upload the random number to minecraft.net, thinking it grants you access to (A), while in fact it grants the attacker access to (B).

This scheme is not identifiable by the user! All you will see is a normal minecraft server in online-mode=true that gives you a normal challenge that you normally solve.

This scheme is not identifiable by the attacked server! All that server sees is a user (the attacker) normally trying to log in with a specific username. The server challenges that user as usual, and the user is able to normally solve the challenge. Therefore it is normally accepted onto the server.

Minecraft's authentication scheme is therefore completely broken and can't be trusted. I heavily recommend running xAuth or a similar plugin to protect your users from this form of takeover, and especially your ADMIN AND MODERATOR ACCOUNTS.


xAuth is outdated as far as I can see, but be aware anyways.

Ad...
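
As an added illustration of the relay described in the quoted post (constructed toy code, not Minecraft's, xAuth's or any plugin's), this models the session server as a dictionary and shows why the relay works when the proof is only the raw challenge, and why it fails once the client binds its proof to the server it actually connected to, the standard fix for relay attacks of this shape. Names such as `SESSION_SERVER`, `bind` and the server labels "A" and "B" are assumptions of this model.

```python
import hashlib
import secrets

# Constructed toy model of the challenge/response flow in the quoted post.
# The "session server" stands in for minecraft.net: a client uploads
# (username, proof) and a game server looks the proof up to verify it.
SESSION_SERVER = {}

def client_login(username, connected_to, challenge, bind=False):
    """Honest client solves the challenge it received from the server it
    believes it is talking to (connected_to) and uploads the proof.
    With bind=True the proof also commits to that server's identity."""
    if bind:
        proof = hashlib.sha256(f"{challenge}|{connected_to}".encode()).hexdigest()
    else:
        proof = challenge
    SESSION_SERVER[username] = proof

def server_verify(username, server_name, challenge, bind=False):
    """Game server checks the session server for a proof matching the
    challenge it issued (and, with bind=True, its own identity)."""
    if bind:
        expected = hashlib.sha256(f"{challenge}|{server_name}".encode()).hexdigest()
    else:
        expected = challenge
    return SESSION_SERVER.get(username) == expected

def relay_scenario(bind):
    """Victim connects to attacker's server A; A is simultaneously joining B
    as the victim and forwards B's challenge to the victim as its own.
    Returns True if B accepts the attacker as the victim."""
    SESSION_SERVER.clear()
    challenge_from_b = secrets.token_hex(8)   # issued by B to "victim"
    client_login("victim", connected_to="A", challenge=challenge_from_b, bind=bind)
    return server_verify("victim", server_name="B", challenge=challenge_from_b, bind=bind)

def honest_scenario(bind):
    """Victim connects directly to B; this must still succeed."""
    SESSION_SERVER.clear()
    challenge = secrets.token_hex(8)
    client_login("victim", connected_to="B", challenge=challenge, bind=bind)
    return server_verify("victim", server_name="B", challenge=challenge, bind=bind)
```

With the unbound proof the relay is indistinguishable from a legitimate login, exactly as the post says; binding the proof to the connected server breaks the relay without affecting honest logins.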

~Ali~

  • Aussie
  • Surfing south to SeaFoam
  • *****
  • Posts: 2068
  • Friendliness: 77
  • Always watching over.
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #1 on: April 15, 2012, 11:19:02 pm »
Wow, anyone can be a hacker. I'll keep my eye out for them, and report if I find anything.

Memories, something a person will have forever.

1cec0ld

  • Frozen Hearted Admin
  • Professor
  • Fighting Blaine
  • *****
  • Posts: 3084
  • Friendliness: 94
  • Who am I to judge others?
  • Pokemon Team: Typhlosion, Espeon, Aerodactyl, Glalie, Jolteon, Mew the HM Slave
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #2 on: April 15, 2012, 11:39:55 pm »
The moral is simply to trust a server before you join it. It's that simple.

Further digging showed JeremyJr2 on a list of banned TeamAvo Members.

Tenebrae

  • Sinnoh/Unova Head Builder
  • Professor
  • Fighting Agatha
  • *****
  • Posts: 7604
  • Friendliness: 105
  • Monster Hunter 4 Ultimate :D
    • Bandcamp
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #3 on: April 15, 2012, 11:41:55 pm »
I did not understand a thing...

Tactic

  • Guest
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #4 on: April 15, 2012, 11:49:22 pm »
I understood it. And I will also look out for any more of these people until xAuth is updated.

~Ali~

  • Aussie
  • Surfing south to SeaFoam
  • *****
  • Posts: 2068
  • Friendliness: 77
  • Always watching over.
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #5 on: April 15, 2012, 11:52:36 pm »
Quote from: 1cec0ld
The moral is simply to trust a server before you join it. It's that simple.

Further digging showed JeremyJr2 on a list of banned TeamAvo Members.

He's from TeamAvO?
Oh damn, good you banned him while you did.

Memories, something a person will have forever.

1cec0ld

  • Frozen Hearted Admin
  • Professor
  • Fighting Blaine
  • *****
  • Posts: 3084
  • Friendliness: 94
  • Who am I to judge others?
  • Pokemon Team: Typhlosion, Espeon, Aerodactyl, Glalie, Jolteon, Mew the HM Slave
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #6 on: April 15, 2012, 11:53:56 pm »
Quote from: Tenebrae
I did not understand a thing...

* 1cec0ld Hey, you're an op here? Join my server pl0x?

/you ok.     :yippee:

* 1cec0ld (now I'm going to log in here with your name so I can hack  :evil: )
* 1cec0ld I need your random number so mc.net thinks it's you. But you're logging in to my server, so now I know what it is. *sent*
/server access granted, you are now op because you're pretending to be another person.*
/server sux to be that guy on your server being impersonated now  :rotf: :haha: :rotf: :haha: :rotf: *

galSrKn

  • Cool Trainer
  • Underground Passage-Vertical
  • ***
  • Posts: 286
  • Friendliness: -13
  • Owner of the rare Enchanted Sword.
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #7 on: April 16, 2012, 03:39:06 am »
Good you banned him. But I have no idea what that team is that you are talking about, can someone explain it to me?

Rigby

  • Guest
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #8 on: April 16, 2012, 03:40:08 am »
Pretty much, if you join a server, they can join as you on a different server at the same time you login to theirs.


galSrKn

  • Cool Trainer
  • Underground Passage-Vertical
  • ***
  • Posts: 286
  • Friendliness: -13
  • Owner of the rare Enchanted Sword.
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #9 on: April 16, 2012, 03:48:44 am »
So they are some famous hacker huh? We have to watch out! But 1ce how did you know he tried to hack, maybe he really had that problem?

Rigby

  • Guest
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #10 on: April 16, 2012, 03:51:59 am »
"People that are ops or owners on other servers" Other servers have no effect on a single server.

galSrKn

  • Cool Trainer
  • Underground Passage-Vertical
  • ***
  • Posts: 286
  • Friendliness: -13
  • Owner of the rare Enchanted Sword.
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #11 on: April 16, 2012, 04:29:33 am »
That makes more sense.

Tenebrae

  • Sinnoh/Unova Head Builder
  • Professor
  • Fighting Agatha
  • *****
  • Posts: 7604
  • Friendliness: 105
  • Monster Hunter 4 Ultimate :D
    • Bandcamp
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #12 on: April 16, 2012, 04:48:04 am »
I still don't understand how they can log in as you on another server without your password...

1cec0ld

  • Frozen Hearted Admin
  • Professor
  • Fighting Blaine
  • *****
  • Posts: 3084
  • Friendliness: 94
  • Who am I to judge others?
  • Pokemon Team: Typhlosion, Espeon, Aerodactyl, Glalie, Jolteon, Mew the HM Slave
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #13 on: April 16, 2012, 07:15:34 am »

Quote from: galSrKn
But 1ce how did you know he tried to hack, maybe he really had that problem?

Quote from: 1cec0ld
Further digging showed JeremyJr2 on a list of banned TeamAvo Members.

I always confirm my bans if it's under a simple suspicion.


ArchieSalt

  • Professor Assistant
  • Spelunking in Seafoam Islands
  • ****
  • Posts: 2365
  • Friendliness: 25
  • Registered User
Re: NOTE TO ALL SERVER OWNERS: DON'T BE FOOLED
« Reply #14 on: April 16, 2012, 10:36:09 am »
I'm still confused, although I have no doubt you did the right thing.