  1. #1 alex22808

    Thought this might be of interest to some people...

    Auth bug in two recent Spigot builds - upgrade now! : admincraft

    Could be very useful if someone can find out how it's done. Supposedly, you can log in to a server as someone else if done right, i.e. the owner :P

  2. #2 LordPankake
    Already did it on a few. The key thing is timing and on each server the time is different due to connection speed.

    Quote Originally Posted by SparrowMaxx

    I thought I'd post some preliminary info to help you all out, although I can't guarantee this is how this works, and its use is too limited to really justify hiding it or looking into it deeply.

    The exploit works by confusing the server about who exactly is logging in. You tell the server your name, and it checks that name with the MC auth servers (which are going to say YES, good login). But as the server is waiting for the auth servers to reply, you send a new username. Your login username takes on the new username, but the server still waits for a YES from the first time you updated your username.
    The tricky part is, of course, that the window (while MC is waiting for an auth server reply) is very small. Laggy servers make this effect even worse, as the schedule of the login is going to vary wildly. Maybe 300ms is enough of a delay one time, but 600ms is needed the next. You need a consistent server to pull this off. My localhost is 50-75ms, but with login processing, ping, server mods, plugins, bukkit, and plain ol' variance across a network, who knows when the perfect time is. Probably 250ms to 450ms. Anything outside that is a little sketchy. If the same delay commonly results in two different error messages, that's a very bad sign. Even on a very consistent server, you are running on getting lucky as much as it is a hunch.
    The different error messages you can get help profile exactly how well your delay is working out -- too fast, too slow. But come on, you have access to the bukkit src and the mc src, you should figure that part out by yourself. Chances are it won't help much anyway.

    Bukkit has/will have a patch for it soon, so major servers are not vulnerable. Minor servers are laggy, so they're not very vulnerable either. I've gotten this to work on one server outside of localhost; perhaps if someone is more successful they'll shed some light on that.

    A note of discouragement from md_5, who helped explore/fix this:
    Quote Originally Posted by md_5
    During testing we found it was possible to replicate this exploit on a Spigot (versions 1082-1089) with a success rate of above 10%, while on vanilla/CraftBukkit servers the current exploit code had a success rate of less than 1%.
    So the bukkit patch brings it down from 1 to 0% I'd suspect.
    Last edited by LordPankake; 09-04-2013 at 01:25 PM.
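The quoted explanation above describes a time-of-check/time-of-use race: the server checks one username with the auth server, but the name the player ends up joining with is whatever the session holds when the reply arrives. The following is an added model of that defect and its fix, written for this page and not taken from Spigot, CraftBukkit or Minecraft source; the class names, the `AUTH_KNOWN_ACCOUNTS` set and the account names are constructed for illustration.

```python
"""Model of the login-time race described above (constructed example, not
Spigot/Bukkit code).

The server receives a "login start" carrying a username, asks an auth server
whether that name is valid, and only finishes the login when the reply comes
back. If the session's username can still change while that reply is pending,
the check was done on one name and the use (the name the player joins as)
happens with another. The hardened handler binds the identity at check time
and aborts the session if a second login start arrives while one is pending.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed: the auth server only knows this account (hypothetical name).
AUTH_KNOWN_ACCOUNTS = {"legit_player"}


@dataclass
class Session:
    username: Optional[str] = None       # name currently held for this connection
    pending_check: Optional[str] = None  # name the auth request was sent for
    joined_as: Optional[str] = None      # name the player ends up joining with
    aborted: bool = False
    errors: List[str] = field(default_factory=list)


class VulnerableLogin:
    """Keeps the latest username; the auth reply is applied to whatever is there."""

    def login_start(self, s: Session, name: str) -> None:
        s.username = name                 # overwritten by every login start
        if s.pending_check is None:
            s.pending_check = name        # only the first name is ever checked

    def auth_reply(self, s: Session, checked_name: str, ok: bool) -> None:
        if ok:
            s.joined_as = s.username      # BUG: uses the current name, not the checked one
        else:
            s.errors.append("auth failed")


class HardenedLogin:
    """Binds identity at check time; a second login start aborts the session."""

    def login_start(self, s: Session, name: str) -> None:
        if s.pending_check is not None:
            # Detection point: a second login start mid-auth is never legitimate.
            s.errors.append("second login start while auth pending; aborting")
            s.aborted = True
            return
        s.username = name
        s.pending_check = name

    def auth_reply(self, s: Session, checked_name: str, ok: bool) -> None:
        if s.aborted or not ok or checked_name != s.username:
            s.errors.append("auth rejected")
            return
        s.joined_as = checked_name        # use exactly the name that was checked


def run_race(handler) -> Session:
    """Second name arrives after the auth request but before its reply."""
    s = Session()
    handler.login_start(s, "legit_player")
    handler.login_start(s, "server_owner")   # constructed: name of someone else
    checked = s.pending_check
    handler.auth_reply(s, checked, checked in AUTH_KNOWN_ACCOUNTS)
    return s


def run_normal(handler) -> Session:
    """Ordinary login: one name, one check, one reply."""
    s = Session()
    handler.login_start(s, "legit_player")
    handler.auth_reply(s, s.pending_check, s.pending_check in AUTH_KNOWN_ACCOUNTS)
    return s


if __name__ == "__main__":
    print("vulnerable joined as:", run_race(VulnerableLogin()).joined_as)
    print("hardened joined as:", run_race(HardenedLogin()).joined_as,
          run_race(HardenedLogin()).errors)
```

The fix has two parts, and both matter: the reply is applied to the name that was actually checked, and any attempt to change identity while a check is outstanding terminates the connection instead of being silently accepted. The second part is also the thing worth logging, since a duplicate login start inside the auth window is a reliable signal of someone probing for this race.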

  3. #3 alex22808
    As a non-coder myself, any guidance you could give me would be great.

  4. #4 lucamasira
    How I think it's done is that when you send a handshake to the server with your original credentials, the server will ask some Mojang stuff like joingame and such. In that delay, send another handshake with other credentials. The server miw accept your previous handshake but uses your past handshake with the new fake credentials.
    Too bored to code it tho, hope I helped some people with this. I might be wrong tho about this.

    Wrote it on my phone

  5. #5 alex22808
    Any tips you could send my way as to how to go about it? Many thanks.

  6. #6 newtoon
    Quote Originally Posted by lucamasira View Post
    How I think it's done is that when you send a handshake to the server with your original credentials, the server will ask some Mojang stuff like joingame and such. In that delay, send another handshake with other credentials. The server miw accept your previous handshake but uses your past handshake with the new fake credentials.
    Thanks for explaining, I understand... but I have no idea how to code that. Has anyone gotten this working?

  7. #7 lucamasira
    I guess you could send the handshake twice; use the search function in Eclipse.

    Not sure tho
