There Will Never Be a Minecraft Exploit This Powerful AGAIN.

Huge shoutout to BuiltByBit for sponsoring this video, if you are interested in anything minecraft and server related, please check them out - builtbybit.com/themisterepic/

Today's Fact: In 2020, researchers used quantum entanglement to teleport information between two chips in a silicon-based system, a major step forward for quantum computing.

Players manage to bypass your servers spawn protection. What do they do with this newfound incredible power? Dig straight down

A scale so large, it won't happen again

“Once in a decade exploit” remembers log4j error, a Java exploit that allows you to run code remotely on any computer through a string value, something far more powerful than a simple /op

It confuses me how it took so long for anyone to find this. Yeah, not everyone is going to think "maybe if I rename this chest to the name of a server UI chest, it will give me that UI," but the process is so simple in hindsight that I'm surprised that it wasn't tested sooner.

That ending took it from "Yeah this is powerful, but unless you're careful it can always be rolled back" to "Holy hell, this is a deadly exploit."

16:28 “this isn’t the most powerful forceop exploit ever, this is the only forceop exploit ever” We just gonna pretend bungeespoofing doesn’t exist

I recently found a 1.7 dupe: 1. Lock a hopper. 2. Open your inventory with e 3. Use q to drop items 4. Close your inventory 5. Right-click the hopper. This resets your inventory. 6. Go back to step 2. Repeat ad infinitum.

Man, when you were describing the hierarchy, I had an idea: I make a server donation plugin, one that has a built in dupe exploit. One the server owners have to buy- in other words, the explicit purpose of the plugin is to gank P2W assholes.

this is... a very, very old and basic oversight that has been done (and will be done) by many plugin developers that want to use chest GUIs until bukkit/paper/whatever implement a standardised solution. ofcourse it's hardcore that this has happened to a big anticheat plugin and there's no checks whatsoever after opening the menu, but the ground principle of "opening renamed chest to get to GUI" has been around for a long while

"what i dont like is unethical gambling" then proceeds to blow the server the fuck up in retaliation (w)

"If you reinforce a door by making it impossible to break down they'll just destroy the door frame"

I would like to provide some insight into this as I am an amateur server dev, and this exploit came from a very large oversight. So server chest guis work by having inventories and using the event to detect when someone clicks an item (as you described) What likely happened here was that the developers of vulcan forgot to add proper item checks to what they were clicking, so the server just assumed that they had permissions. Yes, there should be permission checks there. However, it is (from what I've seen) standard practice to add checks to the item clicked such as it having lore (meaning the player couldn't have modified it to have that lore), so that you don't ever accidentally detect them clicking an item in their inventory. The oversight of not adding permission checks isn't as egregious as not having the proper item checks for the gui, as its the very first thing you HAVE to get right.

This is so wild I'm writing a college level security report on CWE-94, I'm going to source this video as an example of injection code as it is loosely related to it! Great video!

In Insanity on 23:03, you actually got OP access. However, some permission plugins can override commands to use the permission system rather than op access. That's why you cannot use commands but can see spy messages, they configured that incorrectly so you can see.

As a professional developer who used to create hacked clients for Minecraft (this was 5 years ago at this point though), I can very much say this: It isn't impossible to find exploits like this, and if people with genuine cyber security backgrounds where to look at Minecraft, they could likely exploit it within the same week, it's just that they have better things to do than stare at a block game.

I feel like your exploit scale is missing a tier, log4j was known as an RCE exploit, which should be far more powerful than forceop. For example, if multiple servers exist on a single machine, you'd only need to attack one. Or you could steal/modify sensitive data, or install malware/ransomware directly to their server hardware.

2:44 "Rare but not that uncommon" come on man just pick one

27:52 "Everyone's owner", now that is what I'd call an anarchy server