• Bug
    • Resolution: Duplicate
    • None
    • 1.19.1 Release Candidate 1
    • None
    • Unconfirmed
    • (Unassigned)

      This is a vulnerability that can block an account.

      Remember the activation lock vulnerability in iOS 7 in 2013?

      Now Minecraft has the same vulnerability.

      As you can see from the anti-obfuscation code (not what I did), you added a method to generate signatures in 1.19.

      And the UUID, sending time and sending content are passed in.

      Then, upload it to your server to judge violations.

      Finally, it is forbidden according to UUID.

      Attackers can hijack and replace UUIDs with a mod, which is simpler than the iOS 7 activation lock vulnerability.

      Because everyone's UUID can be searched using NameMC.

      The solution I came up with:

      1. Check the UUID before each speech

      2. Cancel the reporting function

      3. Temporarily close the API

            wangjinyi