thefightagainstmalware / NoSession

NoSession: Security done right
MIT License
17 stars, 1 fork

Controlling ServerId is enough to get an attacker logged in to any Minecraft Server as victim's account #1

Open cyoung06 opened 1 year ago

cyoung06 commented 1 year ago

To prevent this attack, you need to run some kind of code analysis, then make sure that

  1. code that uses the joinServer API generates some secret stuff that goes into the server id
  2. that secret stuff is not sent to the party that the client is talking to (the MITM)
  3. if that secret stuff needs to be sent, it is only sent to the party that will do the /hasJoined API call

It's practically impossible to prevent.

pandaninjas commented 1 year ago

> To prevent this attack, you need to run some kind of code analysis, then make sure that
>
>   1. code that uses the joinServer API generates some secret stuff that goes into the server id
>   2. that secret stuff is not sent to the party that the client is talking to (the MITM)
>   3. if that secret stuff needs to be sent, it is only sent to the party that will do the /hasJoined API call
>
> It's practically impossible to prevent.

This attack is difficult to orchestrate as well, due to the fact that the attacker's Minecraft needs to sync and tell the victim's Minecraft to log in to a server as the victim. I could make a paranoid mode for this mod, which would prevent this kind of attack at the expense of breaking most existing token verification methods.