I thought I'd post some preliminary info to help you all out, although I can't guarantee this is how this works and its use is too limited to really justify hiding it or looking into it deeply.
The exploit works by confusing the server about who exactly is logging in. You tell the server your name, and it checks that name with the MC auth servers (which are going to say YES, good login). But as the server is waiting for the auth servers to reply, you send a new username. Your login username takes on the new username, but the server still waits for a YES from the first time you updated your username.
The tricky part is, of course, that the window (while MC is waiting for an auth server reply) is very small. Laggy servers make this effect even worse, as the schedule of the login is going to vary wildly. Maybe a 300ms delay is enough one time, but 600ms is needed the next. You need a consistent server to pull this off. My localhost is 50-75ms but with login processing, ping, server mods, plugins, bukkit, and plain ol' variance across a network, who knows when the perfect time is. Probably 250ms to 450ms. Anything outside that is a little sketchy. If the same delay commonly results in two different error messages, that's a very bad sign. Even on a very consistent server, you are running on getting lucky as much as it is a hunch.
The different error messages you can get help profile exactly how well your delay is working out -- too fast, too slow. But come on, you have access to the bukkit src and the mc src, you should figure that part out by yourself. Chances are it won't help much anyway.
Bukkit has/will have a patch for it soon, so major servers are not vulnerable. Minor servers are laggy, so they're not very vulnerable either. I've gotten this to work on one server outside of localhost, perhaps if someone is more successful they'll shed some light on that.
A note of discouragement from md_5, who helped explore/fix this:
Originally Posted by md_5:
During testing we found it was possible to replicate this exploit on a Spigot (versions 1082-1089) with a success rate of above 10%, while on vanilla/CraftBukkit servers the current exploit code had a success rate of less than 1%.
So the bukkit patch brings it down from 1 to 0% I'd suspect.
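The race described in the post, modelled as an added example (not code from the post, Bukkit or Minecraft): a login handler that finishes the login with whatever name the client sent last, next to one that refuses a second name while a lookup is in flight and grants only the name the auth reply actually vouched for. Session, VulnerableLogin, HardenedLogin, run_race and the stand-in auth check are all constructed here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    name: Optional[str] = None          # name most recently supplied by the client
    pending: Optional[str] = None       # name the auth lookup was issued for
    logged_in_as: Optional[str] = None  # identity the server finally grants
    disconnected: bool = False

def auth_server_says_yes(name: str) -> bool:
    # Constructed stand-in for the remote auth check: one known-good account.
    return name == "legit_user"

class VulnerableLogin:
    def on_login(self, s: Session, name: str) -> None:
        s.name = name                   # overwritten even while a lookup is in flight
        if s.pending is None:
            s.pending = name            # only the first name is ever checked
    def on_auth_reply(self, s: Session, name: str, ok: bool) -> None:
        if ok:
            s.logged_in_as = s.name     # BUG: trusts the current name, not the checked one

class HardenedLogin:
    def on_login(self, s: Session, name: str) -> None:
        if s.pending is not None:       # a second login packet mid-handshake: refuse it
            s.disconnected = True
            return
        s.name = s.pending = name
    def on_auth_reply(self, s: Session, name: str, ok: bool) -> None:
        if s.disconnected or not ok or name != s.pending:
            s.disconnected = True       # reply must match the name we asked about
            return
        s.logged_in_as = s.pending      # grant exactly the verified name

def run_race(handler) -> Session:
    """Event order from the post: first name, second name, then the delayed auth reply."""
    s = Session()
    handler.on_login(s, "legit_user")
    reply_for = s.pending                          # lookup went out for the first name
    handler.on_login(s, "second_name")             # new username lands before the reply
    handler.on_auth_reply(s, reply_for, auth_server_says_yes(reply_for))
    return s

def run_normal(handler) -> Session:
    """Ordinary login with a single name, to show the hardened path still works."""
    s = Session()
    handler.on_login(s, "legit_user")
    handler.on_auth_reply(s, s.pending, auth_server_says_yes(s.pending))
    return s
```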