Just in case anybody wonders about disclosure timelines. Since reporting my issue, I have heard about a related issue reported in November. So there was plenty of time. But even if that wouldn’t have been the case, I still believe the issue is not really exploitable in practice. As I said in the video, even I wouldn’t prioritize fixing this issue :)

I love how you divide these videos up with gameplay, hacking and programming! Keep up the good work!

Laughed my head off and I'm not even 10 seconds in. The ilmango intro parody was AMAZING.

THANK YOU for explaining the implications of the account migration correctly. I've worked on the anticheat/antibot end in ~2016-18, and the amount of hacked accounts used for cheating and botting are way up in the multiple of millions. Bots auto joining the server, walking to some predetermined spots and spamming private messages to all online users with links/serverips, running for 24/7, while you are banning them every 30-60 second. Hackers just throwing tens or hundreds of accounts against the anticheat to try to figure out settings that it won't detect. The account migration came WAY too late IMO, looking at the madness from the peak times of Minecraft.

4:47 You can't obtain mending from an enchantment table as it is considered a treasure enchantment. 13:15 Abuse the 3 second invulnerbility after connecting to a server

A tip for the future: If you find your self farming ancient debris DON'T use TNT, use beds instead! Beds are way cheaper

"I almost got killed" *loses half a heart

In Minecraft 1.8 there really was a bug in the login system, Spigot had tracked the socket address of the connection in the login handler without checking whether the address is zero, you could then reset the IP to "zero" with a TCP reset and trigger a NullPointer in the main thread, this then led to the server closing immediately with "Server closed".

Amazing that you also found the same AES vulnerabilities that we found over the years just reading random game code, we don't believe this to be significantly exploitable as you have stated as sure you can modify packets but if you cause any malformed packet your basically done and it only lets you manipulate the stream but they do technically reuse IV and key (they also use the key as IV) between the server and client but in our limited experience with AES CFB you can probably only decrypt the first block but we are not entirely sure because we are not cryptographers but we determined this as something not exploitable in a significant way so we never reported it.

Love seeing ilmango in the description, since I was asking if you know him under your last video. Grüße gehen raus!

my cryptography teacher focused too much on math and I lost interest real quick due to the sheer complexity of all of the math AES uses, but the explanation for ECB and CFB was incredible! I never understood what my teacher was getting at and the diagrams didnt make sense to me (yet somehow I graduated this past spring lmao) but it now is clear. This series is awesome!

gotta say, the xray mod reminds me of good old TeamAvolition griefing videos back in 2011-2012 :) if i remember correctly they were one of the first ones to use/create hacked clients (correct me if im wrong)

I basically did the “Evil Server” thing a while ago to track stats and do other cool things like creating replays by recording the packets, I got around the Mojang auth server issue by creating a server that dosn’t auth with mojang and I did the auth server side (obviously I used my own account), alternatively you could use two accounts which was what I ended up doing after a while (mostly to get my skin although I discovered a way to get any skin by messing around with the respawn packet), by doing this I was able to read and modify packets, I even wrote some stuff to manipulate packets in python that was stupidly easy to use, basically you could use a decorator to filter packets (including the info inside the packet), I kinda want to revive the project now, it was a lot of fun and now I’m sure I can get around some of the issues I had at the time, the filter chugged if I had to deal with a lot of packages because I basically had no idea about data structures and big O lol.

4:40 you cant get mending at the enchantment table anyways, you must find it in a loot chest or trade with a villager, or fish in open water (no blocks around, nothing above the water)

I absolutely love this series.

I can't speak to the similarity of the exploit, but there was a similar attack used by Nodus Session Stealer almost 10 years ago. It doesn't work anymore of course, but this made me remember it :)

This was a great one! I love the though process and theory , implementation.

By the way, when you load the world back up, you have a small invincibility window.

That intro was the best crossover I've ever seen

I actually got banned from hypixel because someone hijacked my account, they also changed the password. Luckily I could reset it with my email. Definitely taught me a lesson😁

the ilmango intro, lmao

I love how the start is IlmangoOverflow! Love these videos keep up the good work!

I love this series, that intro is awesome hahaha

Not sure if you fixed this or not but with your Xray code you showed in your video it looks like you are rendering block faces that are occluded by other Xray blocks. Probably should check for that to increase performance, even though it shouldn't be super noticeable due to ore being infrequent, but its something to keep in mind.

7:14 On the topic of botting servers and using throwaway accounts, it's a pretty big issue for smaller servers (i would argue an even bigger issue) as well. I used to mod a minecraft server that has now shut down, and there were at least 10 different times where the server got botted that I know of (only played on the server for around a year, but there were definitely more than 10 from before). Our discord server also got botted multiple times (either accounts spamming channels or DMing everyone on the server with advertisements for other servers) because of how easy it is to make a discord account. It used to be pretty major, and I believe that migrating to Microsoft accounts would help a lot, but of course that wouldn't get rid of it entirely. EDIT: we also had a lot of cases where people would be hacking on throwaway accounts, on bigger servers like Hypixel there's a pretty big chance that the account is already banned since someone else already used it, but on smaller servers that chance is way lowered. Our rules were that you could have up to 5 different accounts linked (accounts get linked if their on the same ip) before you got IP banned, but only sr. mods could IP ban so us normal mods would end up having to ban people 10+ times until a sr mod got on.

Now THIS is the kind of hacking I was expecting from LiveOverflow! Great!

dude i love you. just handing out free education to anyone and including your non-biased views. thank you!!

One lil thing: in TheAltening, nfa or non full access normally get blocked in a very short time, while with full control accounts it is basically impossible to find your account blocked. The price increase was not because of the migration, but because of reliability

6:17, the chats are not from botting at all ! Just plugins on a Minecraft server !

This series keeps getting better and better

I got so confused at the intro, wasn't expecting an ilmango intro. But i guess you found technical minecraft, ill just say welcome

That intro almost made question if I even clicked the right thumbnail lol

Before watching this video I watched two of ilmango's videos and I had another one I was planning to watch later, so I was very confused when I clicked this video's tab, haha!

Well, I think you missed out on crypto education on this video. This is a perfect example for two basic crypto issue: - You don't only want confidentality, you also want authenticity. (For the audience: Authenticity works by sending a value that binds the message to a shared secret. As the MITM attacker wouldn't have the shared secret, it can change the message, but it can't know how to update the authenticity information.) - You don't roll your own crypto, you use an established protocol. As this is about securing stream connections, you shouldn't roll your own AES-CFB8 based encryption protocol, but just use TLS. And guess what: TLS didn't forget about authenticity, and after years of exploits and fixes, TLS finally got authenticity right.

the intro had me so confused I thought I was watching ilmango for a sec

Just seeing that il mango intro is a quality warranty

“Turns out they were all empty”. We’ve all had this letdown Each and every minecrafter has had this letdown

Very good job on those videos, learning a lot from them and they motivated me to keep learning programming for a project I would like to do. Thank you very much!

I wish computer programming classes were taught like this when I went to school for networking. It would hsve made things a LOT more interesting. And practical, as you'd see the results from what you ve done in a real world example

haha immediately got the ilmango reference... loving the series.

Woah, the intro on this video SERIOUSLY short circuited my brain.

6:15 if anyone was confused those are messages the server is sending not actual accounts (that's why they're colored, the server plugins are their origin)

The accounts you compared are completely different. The first one which only costs 7 cents, is often banned, you can’t change the credentials and also you will lose it like 30 min later. The one on the right is full access that means you can change anything and that account has a high chance of staying for your whole life.

Very good video. Your x-ray mod reminded me of other old hacked client mods that might be fun to replicate. 1- Waypoints, like your base. Old mods seemed to use a line drawn on screen towards that waypoint. 2 - minimap There are a bunch of old things that could be fun to reproduce.

You have NO IDEA how off-guard that intro caught me

Herobrine looking down on you at the end like a God can only make me feel a big awe towards him

Du hast dir bei dem Intronachbau sogar so viel Mühe gegeben, dass die Mini-Logos exakt gleich sind xD I love it.

Last episode was a lovely credit for LogicalGeekBoy, now a beautiful tribute to Ilmango - which of my other favourite Minecraft content creators are you also a fan of?

The Mojang account was really security through obscurity. I lost my email for my Mojang account 3 times, one time I got my account back through some back and forth with the support. The other two times the support sent a link for email recovery, like password recovery but for the email so you could change the email for the account. So you changed the email to a known email and then did a regular password reset. That email change thingy were quite difficult to find on your own though but like... Geeeze

a little bit disappointed you didnt do something fancy to escape the lava, very interesting vulnerability though. funnily enough there were attacks with similar difficulty pulled off rather frequently back in minecrafts infancy so i honestly wouldnt be surprised if it couldve been used back then actually now that i think about it if one were to register typo domains for big servers they _could_ actually have a shot at pulling this off. not to say you shouldnt have included it though, as you said theyve had time to look at it. just think we might actually see (or not see) this used especially since minecraft to the best of my knowledge doesnt use SSL (mojang should implement that along with the enhanced cryptography theyre adding in 1.19) on the topic of the 1.19 cryptography stuff, i would like to see a regular style video going over how that works. nobodys really said anything about how thats implemented yet, just that "chat messages are signed now" and "this is good for security" (which it probably is assuming theyve done it well, but maybe you might find something if you look in to it like you did here)

Love the ilmango-inspired intro!

The "Report to Mojang" part is already well known especially for admins on like Hypixel. Probably Wouldn't even work since they most likely use their own permission system too. I think talking about Hacked plugins would be interesting, since it's done very regularly by griefers to get op

In regards to the forced mojang/microsoft account migration, I think it's important to understand the player perspective. When it comes to cheaters using hacked accounts to cheat, this isn't nearly as large of a chunk of the issue on major servers as you might think. I would say >90% of the cheating problem comes from people playing on their MAIN account and getting away with it since the dev teams in charge of these servers don't benefit nearly as much from removing cheaters as they do from making new content. This migration simply isn't going to make a big change on major servers. On the other side, let's talk about players who lost access to their accounts. On average, the older your account, the more hours played there are on it. On average, the older the account, the more likely you are to have permanently lost access to your account. I personally know many people with 10,000+ hours played on their account who have permanently lost access to it. That's 10,000+ hours of effort, for your life, gone forever. Although there are significant security benefits, these don't play out as much of a benefit as you may think, and the negatives are incredibly high. As per usual, Microsoft is a complete plague to every project they take over.

Thanks for this videos! i've been really enjoying this playlist. i stayed HOURS yesterday setting thequarry Proxy. and i learned a lot in the process . thanks again man!

12:54 for as interesting as this dive into the network protocol is and as good as the plot device your fly hack failing over lava is,.. .. as some experienced Minecraft players know: upon connecting to a world, local or remote, the player is given a brief period of invincibility. ~~ This can be abused. ~~ You could repeatedly connect and disconnect, swimming fractions of a block at a time between disconnections and get to safety.

I love these videos because they are exactly at my level while being entertaining too!

You got me with the ilmango in show you evil evil man

I cannot tell you how confused I was when I heard the ilmango intro... I thought you would be the type of guy to watch scicraft content though

27:33 the most unimpressed herobrine encounter in the history of minecraft

Wow, I learned about AES in school but never considered that the XOR operation might be invertable

Just 6 minutes left! It will be the longest 6 minutes of my life

This series is super cool so far. Do you think you might be able to inject RNG manipulation into the game somehow? This would let you get any enchantment you want, get max item drops with Fortune and Looting, control the flight of the Enderdragon, etc., which would be incredibly fun to watch.

i liked this video with all my alts just because of the intro

That ilmango intro killed me

I see that LiveOverflow has met IlMango, very nice :D

I was really confused, I thought I clicked on a LiveOverflow video and then the ilmango intro plays xDD

once again another amazing vid, loving this series and cant wait to see what else is down the line

that ilmango intro caught me off guard. great video as always lol

i dont know why but the shot at 0:35 is SO funny to me

I was so confused by the ilmango intro that I had to make sure I clicked the right video

i love this series

At the beginning I thought that KZbin stuffed up the id, and I was watching another subscriber XD

u probably dont know this but theres a delay between breaking blocks, remove it and you will mine much faster! this doesnt speed your mining speed up it only removes the delay after you break a block

when you log in a world, you have a few seconds of invulnerability, even if you felt in lava, you'd have ample time to fly away and just take fire damage once the invulnerability worn off

damn i thought i watched the wrong channel since i also a fan of ilmango for their amazing farm build and the explanation on how it works

Haha love the mango intro!!!

cool video, didn't watch it yet but the title suggests it's gonna be awesome

you should add a fast mine mudule for your hacked client. since it makes it much easier to mine/collect new blocks such as obsidian

You said that the biggest thing they did was that by requiring people to migrate, a bunch of old compromised accounts were locked out. The thing is, this could have been solved by just disabling all accounts until they confirm their email on the website. Many of the other security features could have also been implemented separately. It isn't that difficult to add 2fa to something. Still agree that the switch made accounts more secure, just it's not like that was the single best solution.

people do build hacked clients for hypixel specifically, to bypass its anticheat. so not only do the fake hackers have access to several accounts, they can cheat for much longer than you'd expect. so thank gosh for the migration.

Isn't it funny how for this entire other half of the video, this guy talks about trying to use a AES/CFB8 exploit to try and save himself only for herobrian to save him instead imagine thinking of a 200 iq power move only for there to be a quick and easy solution you didn't see

OMG THE ILMANGO INTRO 🤣🤣🤣😆🤣

That intro caught me off guard lmao

I genuinely thought that missclicked, that was good

Man, if Java wasn’t so finicky with compilation i would attempt to do this. Great job, and it’s cool that you’re making your own hacked client.

Instead of crafting and enchanting multiple pickaxes, you could made just one, and alternated between enchanting it and using the grindstone to remove enchantments.

ngl, the idea of herobrine still kinda freaks me out, even after all these years

You can't get mending from enchanting tables, only from villagers or naturally generated armors or books

While you may not be able to MITM between an online client and a genuine online server, there is still potential to exploit the unauthenticated key exchange. For instance, plenty of servers operate in offline-mode with custom passwords just waiting to be sniffed. Or, the evil server itself imitates the genuine server and elicits valuable information from the client, say by social engineering or linking malware.

really good episode! i love the series. the ending was truly minecraft youtuber cliche

Loving these Minecraft hack videos, the downside is that now I'm getting a lot of "Minecraft videos" suggested by YT :(

The worst thing about the old Mojang system is that if something is suspicious about your account activity, Microsoft requests a transaction ID from when you bought the game. In my case that ID is on a deleted web de mail from when I was 14, I would lose my account forever. I really hope they implement a better solution for this.

I'm very disappointed in this account migration. I vowed never to make a Microsoft account again after they locked me out of my account for no reason ("Suspicious Activity") and it was gone forever, along with my email which had a lot of important things on it. They wouldn't accept that I no longer had access to the phone number despite offering to give them documents that proved I owned the number and no longer had access to it. So I avoid all microsoft products. That wouldn't be a problem, but I paid for Minecraft - I think it's incredibly unfair they will prevent me from playing the game I paid for because I don't want to make an account with their parent company (which was not the parent company when I bought the game). Especially because the reason I don't want to make an account with that company is because they prevented me from accessing a previous one and I lost everything associated with it, it's a lose lose. Either I lose access to the game, or I make an account with a good chance I end up loosing access to that, and therefore the game.

This intro destroyed me. I burst out laughing HAHAHA

This series inspired me to learn java. :) Keep up the amazing Videos!

Thing is, Mojang alts still work on servers and Microsoft did absolutely nothing to stop people from joining servers if you are unmigrated.

You should call this series MineOverflow

LOL tat intro! gota love ilmango :)

Couldn't you just have started with sending the Fly packets immediately after setting up authentification?

Why do people comment before the premiere even begins? ...