The Story of Minecraft's Most DANGEROUS Exploits - ForceOP's
Ойындар
One of the most powerful types of minecraft exploits, also happens to be its rarest. Today we'll talk about some of the very few minecraft forceOP exploits that have actually existed.
My Patreon (exclusive censored content, worlds and plugins) - / themisterepic
--------------------------------------------------------------------
Want to run your own minecraft server with friends or a community?
Get a 25% discount on hosting with code "Epic"!
shockbyte.com/partner/themist...
--------------------------------------------------------------------
Huge thanks to Gildfesh for helping me out with some of the obscure exploits I mentioned in this video!
iCanHasGrief - • HOW TO become Admin on...
Nodus Session Stealer - • Nodus: Session Stealer...
• Nodus - SessionStealer...
Team Avolition Authentication Exploit - gist.github.com/ajvpot/3115176
Other Minecraft Authentication Exploit - github.com/nerdsinspace/leaky...
Thanks for watching! Subscribe and Join My Discord!
Discord - / discord
Twitter - / themisterepicyt
Twitch - / themisterepicyt
Join my OG Minecraft Server, The OG Network! (1.8-1.20): og-network.net
- Website: og-network.net
- Discord: / discord
0:00 - Intro
0:54 - The First Minecraft ForceOP Exploit
3:04 - The Nodus Session Stealer
5:49 - Ajvpot Account Authentication Exploits
8:17 - Bungee Spoofing
11:15 - The Handshake Exploit
12:55 - Sign, Command Block and Book ForceOPs
15:12 - Vulcan ForceOP
17:04 - Log4j
Music Used:
1. First Blood - The Dota 2 Official Soundtrack
2. C418 - Strad
3. nyoko - Flowing Into The Darkness
4. Scott Buckley - Inbound
5. DBadge - Drop ( • Beats You Can Only Lis... )
6. Scott Buckley - Decoherence
7. Lena Raine - Rubedo
If there is any content in this video which you own and would like removed, than please contact me and I will be happy to oblige.
#minecraft #minecraftexploit #minecraftserver
Пікірлер: 520
Make sure to subscribe, and check out my patreon for exclusive content! www.patreon.com/TheMisterEpic
@mineabdo2515
Ай бұрын
Can you talk about pojav lancher in mobile 📱 and its java edition and if you buyed the game you can play in hypixel and for mods you need to put them in tge mods folder and you can download directly forge or fabric in any version
@DRPURGE-nh1oh
Ай бұрын
Amazing video man ❤ thank you for taking the time outa your day to make this for us you don't get enough credit
@DRPURGE-nh1oh
Ай бұрын
Also take a break you need it dude
@ultraalex20
Ай бұрын
@TheMisterEpic
@Ofuka880
Ай бұрын
do you know authmebridge exploit?
Minecraft has more vulnerabilities than I have chromosomes
@LandrewLeng
Ай бұрын
bro 💀
@TheMisterEpic
Ай бұрын
Lol
@erubus5231
Ай бұрын
more than one?
@Nightcaat
Ай бұрын
7
@duckny8316
Ай бұрын
Lol@@TheMisterEpic
This is not just Minecraft's most powerful vulnerabilities, it is one of THE worlds most powerful vulnerability (CVSS of 9.8). A remote attacker can execute arbitrary code via the log4j component, and since it is an exploit in the logger, no one would be able to see if an atracker had gained entry.
@maritoguionyo
Ай бұрын
not a direct Minecraft exploit
The Log4j exploit (called Log4shell) was given a 10.0 severity rating on the CVE scale. The Log4J exploit ranked among the most severe vulnerabilities in software in the history of software. It sits on the throne alongside EternalBlue (which spawned Ransomware as we know it), Remote Code Execution in email servers for governments, and why the protocol FTP isn't even used anymore. It spawned a furious hellfire of system administrators patching their environments at a speed and urgency not even paced by Y2K.
@CZghost
Ай бұрын
Yeah, it was pretty much the most severe vulnerability, and that was given the sheer scale of the library. Scale of the library isn't defined just by its program size, but also the usage. And it was EVERYWHERE. This vulnerability quite literally affected the whole Internet. That's why there was such a big fuss about it.
@vitulus_
Ай бұрын
I remember hearing that later versions of Java aren't susceptible to the RCE part of the exploit.
@unknownname3703
Ай бұрын
and itsonly the XZ backdoor that is the other 10.0 CVE i know of. log4j was crazy
@unknownname3703
Ай бұрын
and itsonly the XZ backdoor that is the other 10.0 CVE i know of. log4j was crazy
@jamesr736
Ай бұрын
Wait, we don't use FTP anymore?
i love how the reddit post asking about the handshake exploit has a troll comment and a reply getting mad at them
It should be noted that server seeker going public makes cracked servers super vulnerable to forceop. When owners create these servers, they're unaware that anybody can join the server and log in with operator permissions
@Theunicorn2012
Ай бұрын
It should be noted that server seeker going public makes cracked servers super vulnerable to forceop. When owners create these servers, they're unaware that anybody can join the server and log in with operator permissions
@xelabrat2
Ай бұрын
@@Theunicorn2012 It should be noted that server seeker going public makes cracked servers super vulnerable to forceop. When owners create these servers, they're unaware that anybody can join the server and log in with operator permissions
@apoloqy954
Ай бұрын
It should be noted that server seeker going public makes cracked servers super vulnerable to forceop. When owners create these servers, they're unaware that anybody can join the server and log in with operator permissions
@xelabrat2
Ай бұрын
@@BloodravenRivers way to break the comment chain loser
@sethviets5120
Ай бұрын
@@BloodravenRiversIt should be noted that the people here were doing something called a chain, and you just broke that said chain.
Using log4j to op yourself is up there with using a flamethrower to light a campfire.
@_WarrantyVoid
Ай бұрын
More like on the tier of using the Tsar bomba to light a match. With Log4Shell one can directly take over the user account the Java application runs on, if that account has admin / root priviliges or there is a viable privilige escalation exploit available then the computer is basically fucked, especially if stuff like bios level advanced persistent threat is used (if the computer is not a VM that is). If the computer has credentials then even more can be compromised. Automate that process and you got a self-replicating botnet. Remote Code Execution exploits are no joke.
@DenLedeTomat
Ай бұрын
I can't believe that they used that fkin enormous power to gain only the coords and tokens oof
I'm so glad the handshake exploit was finally explained, I was always curious about Minecraft change logs and that reddit thread never got anywhere.
That Gildfesh guy seems pretty cool
@WFly101
Ай бұрын
Godflesh is good band
@tutwastaken69
Ай бұрын
hmmm
I love how he is subscribed to Team Avo 6:06
I'm the kinda guy to watch 17min videos before going to work in 5 minutes
8:52 quick correction: BungeeCord is a proxy/server software, not a standalone plugin.
@flipflops99
Ай бұрын
blud really said "erm actually... 🤓☝"
@WFly101
Ай бұрын
@@flipflops99blud really said "I'm 12 and project my insecurities online"
@flooploops4589
Ай бұрын
UHGMMMM ACHUTTTTTTLLLYYYY 🤓🤓🤓🤓
@azuree.nekowo
Ай бұрын
@@flooploops4589 honestly I'm laughing at how insecure and immature you are.
@tbrickman
Ай бұрын
Eeerm ACKtuallY ☝🏻🤓
A lot of new servers use velocity as bungecord is outdated and unsafe
@Slendercze0
Ай бұрын
Wait til bungeeguard/velocity modern forwarding bypass 😂😂😂 (its impossible without brute force)
I accidentally leaked my session id from a crash report for a sodium bug in 2023. So apparently Mojang didn’t fix the crash reports having the session ids.
@felixbemme7257
Ай бұрын
Sharing sensible files with outside people isnt something they need to fix. Just dont share files like that with randoms
@Theunicorn2012
Ай бұрын
I accidentally leaked my session id from a crash report for a sodium bug in 2024. So apparently Mojang didn’t fix the crash reports having the session ids.
@felixbemme7257
Ай бұрын
@@Theunicorn2012 Because thats not an mistake. Crash reports are supposed to have this kind of data. You are just not supposed to share files and logs without checking what they do/contain with randoms on the web.
@roughlyunderscore
Ай бұрын
Don't the session IDs expire when you exit the client?
@Bluebird_YT
Ай бұрын
@@roughlyunderscore they expire after 2 weeks
I wouldn’t be surprised if there is a new forceop method with the new components replacing nbt data in 1.20.5+.
@lisiasty688
Ай бұрын
There is always at least one exploit but not discovered yet. Sometimes it takes a lot of time and some programs or Minecraft versions are just not worth it. I mean you can find something in 1.2.5 but I wouldn't be worth it if that's only that version because something was removed for example... Creating non-vulnerable data is almost impossible to do task
@Bluebird_YT
Ай бұрын
@@lisiasty688 I mean the new snapshots for 1.20.5 and 1.21 not the old version 1.2.5
i used to grief servers with the bungeecord exploit, me and a group of friends wrote a plugin that would act as the "hub" that would allow us to join the affected sub-server directly from the game with a command, change the name/ip that we were joining with, and a couple other things that i've forgotten now we were probably the first or second group of people to use it, fun times :)
Ah Scetch and Nodus. Was good times running around with him. That Session ID exploit was wild times.
@Theunicorn2012
Ай бұрын
Ah Scetch and Nodus. Was good times running around with him. That Session ID exploit was wild times.
@RoyD_S
Ай бұрын
@@Theunicorn2012 bad bot
grabbing some popcorn, anyone want some?
@Nightcaat
Ай бұрын
I’ll take some 🍿
@ReimBuch
Ай бұрын
Sure, some tasty popcorn would be nice rn
@DonutMT
Ай бұрын
@@ReimBuch here ya go!
@WFly101
Ай бұрын
blackwater park is the new minecraft hacked client featuring guest member steve von from Asperger's co. It's very shï sàh lō
@TCMCGMB
Ай бұрын
thx for reminding me
The Log4j vulnerability was actually FAR WORSE than just being a technique to gain an OP on a server. The vulnerability is dubbed Log4shell, and it is what it is. Being it that the library is widely used across the Internet in many popular Java apps and in many industry environments, the vulnerability that gives you an ability to remotely execute any arbitrary code (it is an RCE vulnerability), exploiting it is far more dangerous than just a silly Minecraft hack. Hackers were able to penetrate powerplants for example with this simple exploit. It's actually really scary that this vulnerability was found, and we still have no idea how much and how long it was exploited in the wild. Because the vulnerability was there for quite some time before it was discovered. It is patched now, but god knows how many machines were not only exposed with this vulnerability, but also actively exploited and penetrated. It's not just a silly Minecraft hack, that was a VERY serious deal.
im surprised the 'i work for planetminecraft' line ever worked. no admin from another website ever deserves admin on ur server. its that simple.
@Alex-qj9yu
Ай бұрын
It’s why people are the weakest link in security
@LimitlessJayson
Ай бұрын
but considering none of us were cybersecurity nerds all they were thinking is.. "maybe if i give him op he will recommend my server more!!"
@Ninjalette666
Ай бұрын
@@LimitlessJayson you dont need to be a cybersecurity nerd to understand that you dont give operator status to a random.... do u hand your password over to anyone that asks for it? braincells people.... use them?
@Ninjalette666
Ай бұрын
@@LimitlessJayson also no one is going to recommend servers for you, that costs money and its something people dont realise. you either struggle up the normie voting lists or your server gets spread by word of mouth or reddit or planetminecraft. there is no easy quick way to get your server to 'make it'
@LimitlessJayson
Ай бұрын
@@Ninjalette666 this was 10 years ago that this stuff happened why are you speaking to me like I'm retarded
your videos are always my go to night watch content
2b2t players being traumatized by the string on the thumbnail
@Stormie21
Ай бұрын
Why
@nikolaideianov5092
Ай бұрын
@@Stormie21i think is goddamn log4j
@Stormie21
Ай бұрын
@@nikolaideianov5092 oh
How are you making videos so fast!?! Love your videos ♥, its great that you've been getting much more active recently!!! I know I've already said this but , I like the vibe that your videos give me , high quality , nice and relaxing videos. Also , what do you use to edit your videos? 🤔
The biggest exploit is having KZread rank on hypixel... ...talking about you, no lag back
@unnamed7430
Ай бұрын
esp the second one, you can just climb up walls to escape from mobs and other players.
@WFly101
Ай бұрын
Bagels are kinda hard
@CitriTea
Ай бұрын
mods can't even ban you for this overpowered exploit smh
@youboring
Ай бұрын
lf yt rank no wd routes
back then, I believed someone was actually Notch on a server because they were able to appear as his account. Things were just different back then.
@theschnozzler
Ай бұрын
Did he drop an apple when killed?
@rubiitoxic
Ай бұрын
@@theschnozzler probably
@ThePaperKhan
Ай бұрын
Maybe he was Notch.
I literally had the book method done to my server last year, great vid
I feel like I’ve watched this before… I don’t know why, but I feel like I’ve watched this before
@JustYourLocalfnaffan198
Ай бұрын
Same lol.
@WFly101
Ай бұрын
J cole comes out as a trans billy eilish
@WFly101
Ай бұрын
Lōl
@MD-df7if
Ай бұрын
Removed?
@WFly101
Ай бұрын
@@MD-df7ifno it was bungee corded into outer millenials are soacey hahaha Tool reference
Let’s gooo, the mister epic upload ! 🐐
The Handshake exploit brought back some memories. I remember seeing it posted and taking the risk of downloading it as people thought it was a login stealer. You could literally join any server with any username without any problem. Assumed it was more known.
Hello. I'm from PlanetMinecraft. Can I please become moderator on your KZread channel to test some permissions?
@ItsEka-929jfm
Ай бұрын
Obv
8:18 this segment sounds like you spitting bars lmao
I commented about this in the last video so thanks for mentioning it
when its sunday and you remember you have to go to school tomorrow but misterepic uploads
i've made a couple of force ops for fun, the type that is a spawn egg that just summons and runs a armor stand that has /op {my_name} on it, ofc, it doesn't work if command blocks are off, but they're quite fun to make
FINALLY the op login to any acc released. I've been wondering how it was done
In 2013 I was the co-owner/admin for a server of a friend. There was another admin that had way too many permissions but I couldn't do anything about it because it was the owners decision, that admin fell for the planetminecraft scam. When I saw it happening in the console I deopped both the admin and the griefer and rolled everything back with coreprotect. Teached the admin a lesson through server broadcast lmao
This was posted 7 minutes ago, gonna watch it now
@railworksamerica
Ай бұрын
7 days ago now
From experience from writing my own game, race conditions (talked about at 12:32) probably took away 2 months of debugging, they're a nightmare to debug.
I think we need more info on that last Java security vulnerability… it sounded wild and very interesting
@Gildfesh
Ай бұрын
There is actually a lot of information online if you look up "Log4Shell", a lot of videos covering it even use Minecraft as the example. I really suggest looking it up if you are even slightly interested because it was insane. Simply put, the tool that Minecraft uses to log things (such as crash reports) had a vulnerability in it which would allow someone to run any code they wanted if they could get a specific string of text into the logs of an affected program. Minecraft makes it easy to do this just by sending a chat message which meant that you could run any code you wanted on the computer of any connected player or even the server itself. The exploit being in the most commonly used logging library meant lots of websites, servers and random programs were vulnerable to the exploit, it just happened that Minecraft was one of the things impacted.
@gem3763
Ай бұрын
You can find plenty of info about it online, as it was a huge security issue and had lots of real-world ramifications
ironicly the only one of these i have heard of was the log4j and the handshake I had no idea there is little info about it
Yo what is the music you used in the timestamp 9:05 its so cool, i'd like to know the name of it. Please ??
@TheMisterEpic Hm? I watched LifestealSMP some time before, and didn't spoke use the Handshake method to get OP on the server? Or was it just a similar glitch?
Its a good day when a new duping video lands on the internet
cuz u found this you dont have to milk it out along 3 vids.
@anotheryoutubeaccount5259
Ай бұрын
TheMisterMilkMan
Perfect timing, bedtime 👍🏻
I force opped once into a big minecraft event, i got perm banned but it was crazy
This guy needs to make a movie of minecraft news would be so good 😂
I remember back on my brother's first attempt at running a server for his friends someone came in and destroyed the world with this exploit, Ender Dragons and Withers left and right. On his way out he turned on the whitelist as a parting gift and show my brother how to stop someone else from coming in to grief the world again.
Ive seen someones server get messed up by the bungee method because they didn't have the backends firewalled off. I had a good laugh from that.
(on the oldest anarchy server in Minecraft....)
@WFly101
Ай бұрын
Just call my name
@WFly101
Ай бұрын
Ωμ×∞∆››
If you joined like hypixel with the handshake exploit, wuldnt you be invincible from the bans?
i think the most substantial exploits arent the ones limited to the game but the ones taht give you privelages on the server backend or user machines
This might give me nightmares, thanks
Man i remember using Session Stealer. I was shocked when it worked
14:04 i would love a video about creative plot worlds and their history/what happened Its rare to find any of these servers today. i used to play alot in a brazilian server called SkyCraft, it was the most fun i had with multplayer
The history of ratting in Hypixel skyblock is insane
3:00 I remember writing that over 8 years ago
@susimogus
Ай бұрын
LOL
Cool video!
day 1 of asking TheMisterEpic to oil up
First plaied Minecraft somewhere near before beds where introduced, but not too long they where. I was like who should i suppose to fight all these monsters?
Anarchy players abusing vulnerabilities that could pose as a national threat, so they can steal someone’s base coords:
Oh man i remember that icanhasgrief video like yesterday!
21 minutes early lets go and the video is edited nice
Felt like this was talked about before.
Force OPPA GANGNAM STYLE
What’s good nice video .
No idea what this is but I'll watch you never the less :)
On Minecraft Wii U it's basically the average day to get someone to force op themselves.
I was already wondering when a video about the log4j exploit would be released.
I remember using something similar to this back in the day 😅
Yet minecraft still want to stick to java...
So how is your first youtube video a patreon exclusive?
How do you make the enchantment glint look like that please I need it
Minecraft has more vulnerabilities than I have braincells 💀
@inconsistenttutorialuploader
Ай бұрын
stolen
hold up now, u sped thru that last lil bit there about the command u could type that would give u op and control of a persons computer. idk i think it was log4j ik its probably very limited info on that particular method n probably less you could actually speak of on here, but of all the methods u described in these videos that very last one was very obscure, ive never heard about that one in it peaked my interest because something with that level of control to exert would be very dangerous exploit indeed, not just for servers, alot of these hacks and exploits most pertain to in game control, but one like that, just imagine u know we got old people running our countries u know their grandkids play minecraft how long before some anarchy player gets into REAL trouble for getting into the wrong computer
wait i just watched this video earlier today why reupload
Btw that not all force ops , u forgot about aka - plugin called backdoor:)
I liked my own like
@WFly101
Ай бұрын
I commented on your own comment
@thechef7633
Ай бұрын
@@WFly101 i liked your comment on my own comment
@WFly101
Ай бұрын
@@thechef7633 I ate your dumpster
@nikolaideianov5092
Ай бұрын
2649
yummy video sad there was no quesadillas
9:37 how would I do this? Investigating this to fix my setup
The Sign ForceOP was actually stolen by the Wurst Client developer, he was not the one to discover it. A youtuber who i forgot the name of even made a video exposing the Wurst Client developer for blatantly copying his method, but i have never seen anybody talk about this or credit the original finder.
i remember doing the book forceop it was fun sadly i got banned shortly after then every admin know about it they were just playing around and yep got ban :D it was still fun
The most recent force op exploit was fumbled by people who didn’t know the potential
You have miniature testing ???
Is this a reupload? I could have sworn that this video was already posted...
the mister epic videos
15 sec ago hello is anyone here? Just me? Ok (refreshes) never mind i guess
good vids
Hi mister epic
nice dota ost
wait is this is a re-upload??
I love the part where the mister epic force opped all over the place
At least use the full version of Space Valk 3 if all you're going to do is get B-roll of it. The incomplete version from years ago makes me sad : (
@LowSkillMac
Ай бұрын
Space valk 3 is so hard to fully load
@Jacktherippa84
Ай бұрын
@@LowSkillMac He can clearly do it, and you can fully load stuff easily and render it silky smooth if you use replay mod.
Those are truly game breaking
I was actualy friends with Diedae The owner of the server at 2:40 After that Grief he had a Mental breakdown and Changed his name and Stopped talking to all his original friends Because he thought that we got bought out by The griefers
cool vid
14:59 hmmm that link looks familiar
Damn, i used the sign exploit once aages ago
Waiting for the day my old name shows up in one of these videos
Can u say hi? I love ur videos