by

Login under someone else’s Minecraft account

There’s this interesting exploit in Minecraft that lets you login under someone’s name without ever needing to know the person’s password. All the attacker needs to do is get you to join his/her server once. This client-side fix patches your game so that it won’t let your server tell you to authenticate against a “blank” server ID. Lymia and I reported it to Mojang a while ago, and while Jeb just put a fix in 1.8, there’s a mistake with the fix. You can download a ZIP to install it like any other mod (put the files into minecraft.jar), or Windows users can use the setup program to automatically install the fix:

A server-side fix has recently made it into a Bukkit, but your account can still be abused to join unpatched servers. This client-side patch prevents any server from exploiting your account. To understand how the exploit works, here’s a review of how Minecraft would authenticate for “Frank”:

  1. Client->Server: Your game tells the server that it wants to join as “Frank”
  2. Server->Client: The server responds with the ID “afe93b31c” (randomized)
  3. Your game tells Minecraft.net that “Frank” is joining “afe93b31c”
  4. Client->Server: The client tells the server that it’s ready
  5. The server asks Minecraft.net to see if “Frank” has joined “afe93b31c” (if not, then the real Frank never joined the server)

Here’s how the exploit works: You get your victim to join your custom server that sends a blank ID. Frank’s game tells Minecraft.net that Frank is joining “” (a blank ID). Frank joins your server, plays around, and has no clue about what’s going on. You then join Frank’s server where Frank is an administrator, but you immediately skip to step #4: You tell the server that you already did step #3 and you get in. Why does this work? On the server, the server ID is blank if you never complete step 1, so in step #5, Frank’s server asks Minecraft.net if “Frank” has joined “”, which Frank did earlier but on your server.

From a more technical perspective, the hacked client never sends the initial handshake packet. The server ID starts out as a blank string, and it’s only initialized if you send the handshake packet. If you skip the handshake packet and just jump to the login packet, then the server ID stays as a blank string. Before 1.8, your client would freely accept a blank server ID. 1.8 prevents a server from giving you a blank server ID, but Lymia noticed that the game doesn’t URL-escape the server ID, so a server ID of “&” is essentially blank. The patch makes the routine URL-escapes the ID.

Addendum: Someone mentioned a “man-in-the-middle” attack that allows for name spoofing, but that’s a different issue that can only be fixed with significant changes to how Minecraft handles authentication. (A MITM is also more difficult to pull off well.)

  • Ben

    Pretty cool stuff here :P

  • http://www.crazycowgaming.net RandomGuy

    Even more reason to only join bukkit servers.

    • sk89q

      Joining a Bukkit server can still let someone else join as you on a non-Bukkit server.

  • Wug

    I actually just implemented the man in the middle attack for science. I’m not going to explain it or divulge source or binaries, but I can tell you it works on all servers, bukkit included, online mode included.

    • layne

      shus your mouth

  • AlphaViroid

    I installed it, and now Buildcraft/Industrialcraft won’t load.
    I backed the bin up and put that in and they still wont load.
    Too Many Items works.

    Help would be appreciated. Loading those mods was a pain in the shebs…

    • sk89q

      My friend, lahwran, made a better patch that conflicts less. I’ll have to look for it and get back to you.

  • Anonymous

    where can i get the exploit to investigate?

    • Derp

      ^ Fail ^

  • Anonymous

    Is this patched in 1.0?

    • sk89q

      Indeed it is.

      • M

        recently, i noticed some people using my account to get my op permissions.
        yes, you can ipban them, use auth plugins but its really frustrating.

        And more importantly, this happens in 1.0

        • sk89q

          It would be a different issue then, but this one is fixed.

  • ben

    do you have a mine craft account can you tell me your password and user name i can hep you make stuff

    • Anonymous

      You are very retarded.

      • Jake

        INDEEEEEEEEED!

    • domdomegg

      RETARD ALERT!

      • mxbc

        bitch

  • random name

    can someone please give me there acount for minecraft!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    • Anonymous

      Sure. Kno2tkiller is user and Cody is pass

  • http://MineCraft BIG WEEVIL

    This game is opti as hell!!!

  • monster

    GIVE ME COOKIES!!!!!

  • exployta

    stupid admin

  • joeseph

    how do i get the account?

  • Hitler

    I LIKE POOOOOOOOOOP!!!!!!!!!!!!!!!!!!!!!!!!!

  • kroo173

    poooooooooooooooooooooooooooooooooooooooooooooooooooooooooooop

  • kroo173

    fuck u guys

  • kroo173

    im awesome and i know it bam

  • kroo173

    im awesome
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwweeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeessssssssssssssssssssssssssssssssooooooooooooooooooooooooooooommmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  • lil hitler

    i need a account for fu**ing minecraft!!!!!!!!!!

  • LOLER

  • Timmy

    I NEED A MINECRAFT ACCOUNT!!!!!

  • Joseph l

    I want to play minecraft free with a down load

  • Joseph

    please state how

  • Joseph

    what the fuck

  • Joseph

    Hitler has gone nuts

  • Joseph

    I want to play minecraft free with no downloads

  • CaptainSparklez

    coolio

  • Steven

    Here is a better name changer http://www.mediafire.com/?dtzojc7fwz9hcgz

  • http://www.facebook.com/dylan.phillips.581 Dylan Phillips

    wher is my free acount!!!

  • http://www.facebook.com/dylan.phillips.581 Dylan Phillips

    i hope you can log in somone elses facebook acount on this

  • http://www.facebook.com/dylan.phillips.581 Dylan Phillips

    lol

  • http://www.facebook.com/dylan.phillips.581 Dylan Phillips

    yep

  • Rachel

    who wants an account

    • Give me

      Me

  • Rachel

    i have one

  • Rachel

    the user wont work online
    heres the user:pipola
    pass:pipola theres a account but might not work online kk happy

  • layne

    ow cookis

  • greenlink1999

    i got a esyer whay just tipe in minecraft loncher by AnjoCaido

  • Themaxlepro

    fake

  • Ethan

    i really want somones user name and password! please!!

  • Not an expert

    What the fuck w.e I’ll stick to basic technology .-.

  • Anthoy

    I got Black screen

  • John

    really complicated

  • Lee Lo Mei

    dt

  • Lee Lo Mei

    dh

  • compupower

    It is back again. Someone hacked my server the same way today.

  • BigBadwolf123

    This is awesome