Security vulnerability allowing account spoofing

There’s this interesting exploit in Minecraft that lets you login under someone’s name without ever needing to know the person’s password. All the attacker needs to do is get you to join his/her server once. This client-side fix patches your game so that it won’t let your server tell you to authenticate against a “blank” server ID. Lymia and I reported it to Mojang a while ago, and while Jeb just put a fix in 1.8, there’s a mistake with the fix. You can download a ZIP to install it like any other mod (put the files into minecraft.jar), or Windows users can use the setup program to automatically install the fix:

A server-side fix has recently made it into a Bukkit, but your account can still be abused to join unpatched servers. This client-side patch prevents any server from exploiting your account. To understand how the exploit works, here’s a review of how Minecraft would authenticate for “Frank”:


  1. Client->Server: Your game tells the server that it wants to join as “Frank”
  2. Server->Client: The server responds with the ID “afe93b31c” (randomized)
  3. Your game tells that “Frank” is joining “afe93b31c”
  4. Client->Server: The client tells the server that it’s ready
  5. The server asks to see if “Frank” has joined “afe93b31c” (if not, then the real Frank never joined the server)

Here’s how the exploit works: You get your victim to join your custom server that sends a blank ID. Frank’s game tells that Frank is joining “” (a blank ID). Frank joins your server, plays around, and has no clue about what’s going on. You then join Frank’s server where Frank is an administrator, but you immediately skip to step #4: You tell the server that you already did step #3 and you get in. Why does this work? On the server, the server ID is blank if you never complete step 1, so in step #5, Frank’s server asks if “Frank” has joined “”, which Frank did earlier but on your server.

From a more technical perspective, the hacked client never sends the initial handshake packet. The server ID starts out as a blank string, and it’s only initialized if you send the handshake packet. If you skip the handshake packet and just jump to the login packet, then the server ID stays as a blank string. Before 1.8, your client would freely accept a blank server ID. 1.8 prevents a server from giving you a blank server ID, but Lymia noticed that the game doesn’t URL-escape the server ID, so a server ID of “&” is essentially blank. The patch makes the routine URL-escapes the ID.

Addendum: Someone mentioned a “man-in-the-middle” attack that allows for name spoofing, but that’s a different issue that can only be fixed with significant changes to how Minecraft handles authentication. (A MITM is also more difficult to pull off well.)

  • Ben

    Pretty cool stuff here :P

  • RandomGuy

    Even more reason to only join bukkit servers.

    • sk89q

      Joining a Bukkit server can still let someone else join as you on a non-Bukkit server.

  • Wug

    I actually just implemented the man in the middle attack for science. I’m not going to explain it or divulge source or binaries, but I can tell you it works on all servers, bukkit included, online mode included.

    • layne

      shus your mouth

  • AlphaViroid

    I installed it, and now Buildcraft/Industrialcraft won’t load.
    I backed the bin up and put that in and they still wont load.
    Too Many Items works.

    Help would be appreciated. Loading those mods was a pain in the shebs…

    • sk89q

      My friend, lahwran, made a better patch that conflicts less. I’ll have to look for it and get back to you.

  • Anonymous

    where can i get the exploit to investigate?

    • Derp

      ^ Fail ^

  • Anonymous

    Is this patched in 1.0?

    • sk89q

      Indeed it is.

      • M

        recently, i noticed some people using my account to get my op permissions.
        yes, you can ipban them, use auth plugins but its really frustrating.

        And more importantly, this happens in 1.0

        • sk89q

          It would be a different issue then, but this one is fixed.

  • ben

    do you have a mine craft account can you tell me your password and user name i can hep you make stuff

    • Anonymous

      You are very retarded.

      • Jake


    • domdomegg


      • mxbc


  • random name

    can someone please give me there acount for minecraft!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    • Anonymous

      Sure. Kno2tkiller is user and Cody is pass

  • http://MineCraft BIG WEEVIL

    This game is opti as hell!!!

  • monster


  • exployta

    stupid admin

  • joeseph

    how do i get the account?

  • Hitler

    I LIKE POOOOOOOOOOP!!!!!!!!!!!!!!!!!!!!!!!!!

  • kroo173


  • kroo173

    fuck u guys

  • kroo173

    im awesome and i know it bam

  • kroo173

    im awesome

  • lil hitler

    i need a account for fu**ing minecraft!!!!!!!!!!


  • Timmy


  • Joseph l

    I want to play minecraft free with a down load

  • Joseph

    please state how

  • Joseph

    what the fuck

  • Joseph

    Hitler has gone nuts

  • Joseph

    I want to play minecraft free with no downloads

  • CaptainSparklez


  • Steven

    Here is a better name changer

  • Dylan Phillips

    wher is my free acount!!!

  • Dylan Phillips

    i hope you can log in somone elses facebook acount on this

  • Dylan Phillips


  • Dylan Phillips


  • Rachel

    who wants an account

    • Give me


    • amanda

      i do Rachel i want a minecraft account username and password

  • Rachel

    i have one

  • Rachel

    the user wont work online
    heres the user:pipola
    pass:pipola theres a account but might not work online kk happy

  • layne

    ow cookis

  • greenlink1999

    i got a esyer whay just tipe in minecraft loncher by AnjoCaido

  • Themaxlepro


  • Ethan

    i really want somones user name and password! please!!

  • Not an expert

    What the fuck w.e I’ll stick to basic technology .-.

  • Anthoy

    I got Black screen

  • John

    really complicated

  • Lee Lo Mei


  • Lee Lo Mei


  • compupower

    It is back again. Someone hacked my server the same way today.

  • BigBadwolf123

    This is awesome

  • claire

    can someone help me how to get into a minecraft server if you don’t have a passoword if someone know can you help me plz

  • oioioioioioioioi

    Does it work?

  • jim

    dont work

  • killasucka

    i don’t get it

  • Guest