Exploit

Discussion in 'Bukkit Discussion' started by Joshuame13, Apr 13, 2012.

Thread Status:
Not open for further replies.
  1. Joshuame13

    Please do not disregard this. There has been a slew of WORKING ForceOp programs sloshing around on HackForums! This IS NOT the password stealing program from 2010. This is a new exploit that WORKS (I have tried it myself). Please do not disregard this. It works by making a fake server that, when someone logs into it, forwards them to a real server and makes them say anything in chat, including /op [Your Username Here]. The software hosts a server on your computer. When an admin from a server logs on to your fake server, it gives them an error, but forwards them to their OWN server and uses that to make them say a message. THIS REALLY WORKS! All that the people have to do is convince any admin to join a fake server on your IP. Please make a post warning server admins not to go to servers that their users sent to them. PLEASE RESPOND.
    Thank you for reading, Joshua

    mod edit: title renamed, this is not a forceop.
     
  2. mrlwiggy

    -Edit-

    Thanks for the heads-up :)
     
  3. Jacek

  4. Vhab

    Again, not a force op exploit.
    Again, largely relies on social engineering.
     
  5. Joshuame13

    You're right that it is not a ForceOp. Either way, the end result is that someone can get op on your server without you opping them.
     
  6. Vhab

    Then don't say it is.
    Additionally it heavily relies on targeted social engineering attacks for this exploit to work.
    It can not be employed en masse.

    Yes this issue needs to be fixed, but the severity doesn't need to be exaggerated.
     
  7. Some avo skid made it, just don't join any other server other than your own till some guy fixes it.
    Been seeing this 'forceop' thingy as well.
     
  8. zipfe

    Exploit is hardly the right word for this.

    It's more like tricking admins and OPs onto a dubious server.

    Solution: If you have a powerful position on a server, don't use that account to join questionable servers.
     
  9. All you have to do is this: if you connect to a server that instantly kicks you, then check your server console.

    Also I believe that the web devs at Mojang are working on fixing this somehow.
     
  10. woox2k

    Easy workaround for it is to use a separate plugin with an oplist and ban all ops not in that list!
    Or password confirmation on main op commands.... or, best way, don't use Minecraft ops and use only permission admins.
     
  11. Jacek

    They could just as easily grant a player all permissions if you can do that in game.
     
  12. woox2k

    Options 1 and 2 still stand :) <- personally I'm using the first one
     
  13. Jacek

    I would say the best option is to not allow your admins to promote people in game and to do that sort of thing from the console. Or just don't join servers people try to get you to in chat without deopping yourself first.
     
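A defensive Bukkit plugin sketch that combines the two mitigations above, woox2k's op allowlist (post 10) and Jacek's console-only promotion (post 13). This is an added example, not code from this thread or from any plugin it names; the class name OpGuard and the config key allowed-ops are assumed.

```java
// Added example, not from this thread or any plugin it names. Assumed: class OpGuard, config key "allowed-ops".
import java.util.HashSet;
import java.util.Set;
import org.bukkit.entity.Player;
import org.bukkit.event.EventHandler;
import org.bukkit.event.EventPriority;
import org.bukkit.event.Listener;
import org.bukkit.event.player.PlayerCommandPreprocessEvent;
import org.bukkit.event.player.PlayerJoinEvent;
import org.bukkit.plugin.java.JavaPlugin;

public class OpGuard extends JavaPlugin implements Listener {

    // Allowlist of names permitted to hold op, read from config.yml under "allowed-ops" (assumed key).
    private final Set<String> allowedOps = new HashSet<String>();

    @Override
    public void onEnable() {
        saveDefaultConfig();
        for (String name : getConfig().getStringList("allowed-ops")) {
            allowedOps.add(name.toLowerCase());
        }
        getServer().getPluginManager().registerEvents(this, this);
    }

    // Post 10's idea: anyone who joins with op but is not on the list is de-opped immediately.
    @EventHandler(priority = EventPriority.LOWEST)
    public void onJoin(PlayerJoinEvent event) {
        Player p = event.getPlayer();
        if (p.isOp() && !allowedOps.contains(p.getName().toLowerCase())) {
            p.setOp(false);
            getLogger().warning("Removed op from " + p.getName() + " (not on allowed-ops list)");
        }
    }

    // Post 13's idea: op changes are accepted only from the console, never from in-game chat.
    // The relay described in the thread can only make the victim send chat/commands, so
    // cancelling these here leaves nothing for a relayed "/op <name>" to achieve.
    @EventHandler(priority = EventPriority.LOWEST)
    public void onCommand(PlayerCommandPreprocessEvent event) {
        String cmd = event.getMessage().toLowerCase().split(" ")[0];
        if (cmd.equals("/op") || cmd.equals("/deop")) {
            event.setCancelled(true);
            event.getPlayer().sendMessage("op changes are console-only on this server");
            getLogger().warning(event.getPlayer().getName() + " tried: " + event.getMessage());
        }
    }
}
```

The warning lines in the server log are also the check post 9 suggests: an unexpected /op attempt from an admin's account is the sign that their session was relayed.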
  14. woox2k

    That is also true... but is it a sure thing that Mojang people know about this exploit and are trying to fix it? Of course this isn't a huge bug, but it should be fixed (same with stolen accounts, but that's another topic).
     
  15. Evenprime

    Nothing is easier than social engineering someone to visit your server.

    "I've seen you use plugin X here. I tried to set it up on my local server for a LAN party this weekend, but something doesn't work correctly. Do you have time to take a look? I'll also pay you 5 $ on Paypal if you can get it to work. I need it badly." <- over 90% of server owners/moderators or other personnel will fall for this, guaranteed.

    Mojang should know about this for half an eternity already. Afaik it has been discovered and reported independently many times before. Maybe this time, now that it is also spreading as an easy-to-use exploit, it will finally get fixed. And if not, now at least server owners will know about it too and take precautions (e.g. install xAuth or AuthMe).
     
  16. Jacek

    Don't turn to the dark side, their cookies are a big lie!
     
  17. woox2k

    These things should be a no-go; they just make server users' life a bit more difficult just to help ops deal with this issue.
    Too many server admins use these things and forget that servers are made for users, not for admins (in most cases).
     
  18. Evenprime

    Well, the users can fall victim to this attack too. Think about a "Faction" server, where one of the normal users is leader of a big faction. Now an attacker pulls off this exploit and makes the faction leader disband his faction. No LogBlock, HawkEye or other plugin will be able to undo that damage. So it is actually in the interest of the "normal" users too to have this kind of additional security. Or at least provide the option to have a password, make the auth security opt-in (not sure if any of the auth plugins allow that).
     