There Will Never Be a Minecraft Exploit This Powerful AGAIN.

A minecraft exploit of a magnitude so powerful it's almost unbelievable.

0:00 – Intro
0:55 – The Minecraft Exploit Hierarchy
5:22 – Force OP.
10:46 – The Exploit?
14:07 – Vulcan AntiCheat.
16:05 – The Exploit.
17:37 – But How?
19:21 – It Begins
25:04 – Last Ditch Attempt - Purple Prison

Music Used:
1. Discovery - New World Game Soundtrack
2. Realize - Flowing into the darkness
3. Scott Buckley - Decoherence
4. Scott Buckley - Catalyst
5. Scott Buckley - Machina
6. Lemmino - Cipher
7. Lena Raine - Rubedo
8. C418 - Flake
9. Scott Buckley - Escape Velocity
10. Outlandr & Dani King - Dynamiser [NCS Release]
11. C418 - Living Mice

If there is any content in this video which you own and would like removed, then please contact me and I will be happy to oblige.

Comments

Players manage to bypass your server's spawn protection. What do they do with this newfound incredible power? Dig straight down.

slm_

That ending took it from "Yeah this is powerful, but unless you're careful it can always be rolled back" to "Holy hell, this is a _deadly_ exploit."

catchara

It confuses me how it took so long for anyone to find this. Yeah, not everyone is going to think "maybe if I rename this chest to the name of a server UI chest, it will give me that UI," but the process is so simple in hindsight that I'm surprised that it wasn't tested sooner.

Legoguy

"what I don't like is unethical gambling" then proceeds to blow the server the fuck up in retaliation (w)

walter.jr.whar.

“Once in a decade exploit”
*remembers log4j error, a Java exploit that allows you to run code remotely on any computer through a string value, something far more powerful than a simple /op*

musclechicken

As a professional developer who used to create hacked clients for Minecraft (this was 5 years ago at this point though), I can very much say this: It isn't impossible to find exploits like this, and if people with genuine cyber security backgrounds were to look at Minecraft, they could likely exploit it within the same week, it's just that they have better things to do than stare at a block game.

whalemail

A scale so large, it won't happen again

HedgeRobo

"If you reinforce a door by making it impossible to break down they'll just destroy the door frame"

A-mona

Today's Fact: In 2020, researchers used quantum entanglement to teleport information between two chips in a silicon-based system, a major step forward for quantum computing.

FacterinoCommenterino

16:28 “this isn’t the most powerful forceop exploit ever, this is the only forceop exploit ever”
We just gonna pretend bungeespoofing doesn’t exist

flash_gang

This is... a very, very old and basic oversight that has been done (and will be done) by many plugin developers that want to use chest GUIs until bukkit/paper/whatever implement a standardised solution.
Of course it's hardcore that this has happened to a big anticheat plugin and there's no checks whatsoever after opening the menu, but the ground principle of "opening renamed chest to get to GUI" has been around for a long while.

SaschahiGG

27:52 "Everyone's owner", now that is what I'd call an anarchy server

luketurner

I recently found a 1.7 dupe:
1. Lock a hopper.
2. Open your inventory with e.
3. Use q to drop items.
4. Close your inventory.
5. Right-click the hopper. This resets your inventory.
6. Go back to step 2. Repeat ad infinitum.

bennyl

In Insanity at 23:03, you actually got OP access. However, some permission plugins can override commands to use the permission system rather than op access. That's why you cannot use commands but can see spy messages, they configured that incorrectly so you can see.

EMREOYUN

Man, when you were describing the hierarchy, I had an idea: I make a server donation plugin, one that has a built-in dupe exploit. One the server owners have to buy - in other words, the explicit purpose of the plugin is to gank P2W assholes.

ImFangzBro

Tbh the funniest thing that you could do is add /stop to random flag and make staff wonder what the hell is happening

snoer

I would like to provide some insight into this as I am an amateur server dev, and this exploit came from a very large oversight.
So server chest GUIs work by having inventories and using the event to detect when someone clicks an item (as you described).

What likely happened here was that the developers of Vulcan forgot to add proper item checks to what they were clicking, so the server just assumed that they had permissions. Yes, there should be permission checks there. However, it is (from what I've seen) standard practice to add checks to the item clicked such as it having lore (meaning the player couldn't have modified it to have that lore), so that you don't ever accidentally detect them clicking an item in their inventory.
The oversight of not adding permission checks isn't as egregious as not having the proper item checks for the GUI, as it's the very first thing you HAVE to get right.

BusterBrown
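
The GUI identity and permission checks discussed in the comment above (and the "renamed chest" principle from SaschahiGG's comment), sketched as an added example; it is not part of the original comments and is not Vulcan's code. It assumes the Bukkit/Spigot API (1.14 or later) on the classpath; the class name `AdminMenu`, the menu title and the permission node are hypothetical.

```java
import org.bukkit.Bukkit;
import org.bukkit.entity.HumanEntity;
import org.bukkit.event.EventHandler;
import org.bukkit.event.Listener;
import org.bukkit.event.inventory.InventoryClickEvent;
import org.bukkit.inventory.Inventory;
import org.bukkit.inventory.InventoryHolder;

// Hypothetical admin menu; class name, title and permission node are illustrative.
public final class AdminMenu implements InventoryHolder, Listener {
    private static final String TITLE = "Admin Menu";          // constructed title
    private static final String PERMISSION = "example.admin";  // constructed node
    private final Inventory inventory = Bukkit.createInventory(this, 27, TITLE);

    @Override
    public Inventory getInventory() { return inventory; }

    public void open(HumanEntity viewer) {
        if (viewer.hasPermission(PERMISSION)) viewer.openInventory(inventory);
    }

    // Weak check, shown for contrast and not used below: the title is
    // player-controlled data, since a renamed chest opens with the same title.
    static boolean isMenuByTitle(InventoryClickEvent event) {
        return event.getView().getTitle().equals(TITLE);
    }

    // Stronger check: only inventories this plugin created carry this holder type.
    static boolean isMenuByHolder(InventoryClickEvent event) {
        return event.getView().getTopInventory().getHolder() instanceof AdminMenu;
    }

    @EventHandler
    public void onClick(InventoryClickEvent event) {
        if (!isMenuByHolder(event)) return;   // not our GUI, leave the click alone
        event.setCancelled(true);             // menu items are never movable
        // Ignore clicks outside the menu half of the view (player inventory or void).
        Inventory top = event.getView().getTopInventory();
        if (!top.equals(event.getClickedInventory())) return;
        HumanEntity clicker = event.getWhoClicked();
        // Re-check authorization on every click, not only when the menu opens.
        if (!clicker.hasPermission(PERMISSION)) { clicker.closeInventory(); return; }
        runAction(event.getSlot(), clicker);
    }

    private void runAction(int slot, HumanEntity clicker) {
        // Hypothetical dispatch: map the slot to a server-side action here.
        clicker.sendMessage("Selected menu slot " + slot);
    }
}
```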

at 28:33 that /save-all must've felt SO GOOD hahahha

GttiqwT

I feel like your exploit scale is missing a tier, log4j was known as an RCE exploit, which should be far more powerful than forceop. For example, if multiple servers exist on a single machine, you'd only need to attack one. Or you could steal/modify sensitive data, or install malware/ransomware directly to their server hardware.

Kyle-fytb

This is so wild I'm writing a college level security report on CWE-94, I'm going to source this video as an example of injection code as it is loosely related to it! Great video!

jasonkulinski