I mean "safety" was never the point, it was about Micro$oft exerting more control and their policy of "embrace, extend, extinguish." Probably meant to force any Linux players of Minecraft to make a Micro$oft account and to make chat reporting easier. Security is the tried and true excuse for stuff like this.
Having multiple accounts is and always will be more secure unless you're a brainlet who uses the same password on everything. It was never for your security, it was always just to bump MS account numbers. Convenience, freedom, and security are interconnected and getting more of one means getting less of both of the others.
This can easily go past minecraft, many games even on steam could use something similar. This is a very scary thing to deal with and just know is out there.
@@jayemover_16 On a game with a primary audience of children that's to be expected and something we should take into consideration rather than make fun of. You were an internet noob too once, don't be elitist just because you can spot a phishing scam.
This is entirely Microsoft's fault. Their wording is vague ("This does not give xyz any additional permissions"?) and there's no warnings or confirmations.
Yeah, there's a reason why discord/google give you the scope of the app you're allowing access to, and that's to verify the permissions that the app would have. Nothing other than what's included in that scope is accessible by the app. But yeah, it seems that M$ gives full access to your account without even telling you. 🤦♂️
This is entirely Microsoft's fault. Their wording is vague ("This does not give xyz any additional permissions"?) and there's no warnings or confirmations.
If that MS login permissions list is correct, that's 100% Microsoft's fault - they're giving the app access way out of the scope of what it says it is giving
If the MS login permissions list is correct, that's 100% Microsoft's fault - they're giving the app access way out of the scope of what it says it is giving
this isn't an exploit, per se. it's entirely intended behavior, specifically made for 3rd party launchers. the issue here is that microsoft worded their warning poorly. it should make it very obvious that you're HANDING OVER ACCOUNT ACCESS.
Exactly this, just look at how Xiaomi designed their UI for allowing third party downloads on their phones, just google "xiaomi dangerous permission screen" Unlike Microsoft, Xiaomi decided to add a red warning triangle, a wall of text that very clearly tells you that you would be at risk allowing this, explained in a very clear tone that even a grandma or kid could understand and finally, there is a 10 second cooldown before you can even proceed, after pressing a separate checkbox.
if its open source and can be community peer-reviewed and audited, this is technically not the case. you also need great op-sec to browse the internet these days
@@fireworkstarter It's not account access, rather it just lets it generate login tokens, aka it can only let it join servers with your name. This is required for third party minecraft launchers, however as you can see it can easily be abused by scams
@@fireworkstarter there are other kinds of account access, it's just that piglinbrute requested authentication tokens and people got phised into giving them to them
Wow this is a shame, I was actually planning to develop a legitimate Minecraft linking system through Microsoft login, but the fact that Microsoft is giving entire account access to sites you sign into makes that idea impossible without feeling like a red flag to players.
Its kind of amazing how messed up the Minecraft multiplayer ecosystem has become. Very, very few servers are fun, safe, and have a good community these days.
@DedRnBrb For real, singleplayer is becoming the only viable option. But it gets kind of boring after a while, after all sharing the results of your work is part of the fun, as is hanging out with friends.
@DedRnBrb Have you never tried just plain old survival servers with friends? Its quite a good time. I burnt out of singleplayer years ago, at this point I just play Vintage Story for the more immersive experience. Minecraft's main draw has for years been multiplayer, but seeing the decay it may not be for much longer.
Sorry for you and all the others. Grinding for years and losing everything is never funny. Personnally I simply stopped playing minecraft because I refuse to link it to a microsoft account, especially because I mainly play solo and I see no reason at all to do it. But even if I understand that few people want to go to that extreme, I cannot understand why people still accept to give so much access to any games/apps they download. If you download a game or an app (mobile or PC) that ask you to give a ton of permission that are not necessary, it's *always* to sell your informations and/or to do shady things with them. I hope that someday people will massively say NO and switch to an other game (or an other server) each time they need to give away all their data for no reason, but I know it's not for tomorrow. The worst is on mobile, when some people give all the permissions (camera, memory, account,...) to games they do not know...
@@lilnasnusnus7867 maybe you shouldn't give access to your entire account to these random websites yourself. You live am you learn. Blaming microsoft for what is essentially a mistake on your part will not fix anything What microsoft could've done is not make it so vague. "Allow app to see and update the data you give it access to" doesn't *really* explain what data exactly. Either way, letting an app modify data on your behalf is already suspicious
It's wild to think that every change Microsoft has made to Minecraft has proven to be not only worthless, but actively destructive to Minecraft from every possible angle. Just wait until you hear about what they did to their EULA terms yesterday, they basically gave themselves permission to kill peoples' entire Microsoft accounts if they post unfavorable videos like the above, as well as reversing the old trademark use terms Notch setup, making anyone using the word "minecraft" in anything's title the "wrong way" a criminal overnight. 🤬
1:37 the "checking physics" thing actually does make sense, bot accounts usually emulate the java edition client instead of actually using it (to save resources and for flexibility), meaning they have to properly emulate the players physics too. it can check if your player falls, and if your player doesnt fall or falls in a way that doesnt seem legit, it can flag you based off of that (obviously this server has been rigged to flag everyone, but thats certainly a normal check)
Thank you for covering this. I have been pushing for this to be sorted out for a very long time. There are so many solutions and yet no department in Microsoft seems interested in doing anything.
This happens so often in both games and social media accounts. Thank you for calling it what it is when so many people want to call it "hacking". It's not hacking, it's "account theft".
Yeah, hacking is more of things like DDoS attacks, hacking into websites, and other things. Also video game "hacking" is actually exploiting, as they are exploiting vulnerabilities in the game's code.
This happens so often in both games and social media accounts. Thank you for calling it what it is when so many people want to call it "hacking". it's not hacking, it's "account theft".
Man if only there were people smart and brave enough to take out the server at the source in person, maybe some of this stuff will never happen. Thank you for warning us about this.
I love the hoops people are going through just to steal some kids' virtual lego account, that virus that was on Curseforge was was impressive for how elaborate it was, im sure the same happens on Roblox as well.
If I'm understanding things correctly, they're not just stealing Minecraft. They're getting into peoples' *Microsoft* accounts which will include any personal or payment info associated.
@@SoftisNelaris Yeah and the entry point is some lego game a bored swede came up with one day, since so many kids play it and arent educated on online saftey regarding phishing scams it creates a hotbed for malicious people trying to steal their info.
@@SoftisNelaris Yeah and Roblox has your stuff stored but censored. Although, if you have 5,000 robux (Or maybe more? I don't remember) and you make games for the platform, you can cash out your robux for real money (At the rate of a free money mobile game basically, so not much money, but it's still money that they can take from you). So all they have to do is gain access to someone who has millions of robux, then change the credit card associated with the account, then cash out.
I love how when someone discovers a new account stealing exploit it *always* comes down to them tricking you into giving up account details yourself. The pattern is there people, be wary of it.
This is a very important issue, and I'm thankful you are making the general community aware of it. Some skyblock youtubers have already made a video on this topic a while back, but even hypixel skyblock is small compared to the rest of minecraft, and I don't think you share a lot of viewers with it. MIGRATION promissed better SECURITY, but all we got is new ways of exploitation.
true, as before the only ways to steal accounts before was through mods and blatant login pages, both not so effective. I have been oath ratted nearly 3 weeks ago, when I joined a discord server for a guild I was in
Every single time I see something like this I’m expecting it to be something like “just logging on and nothing else can put you at risk” instead of a variation on the same old “oops put my password and information into the shady website and now it’s doing shady things!” Like I’m glad it’s always the latter but it always boils down to user gullibility
You clearly understand the OIDC authorization process. I liked how you made a clear distinction between access and refresh tokens. This kind of problem exists for all OIDC SSO technologies because people don't check what permissions they are allowing on their accounts. Nice vid
I was almost a victim of something similar to this through a discord verification tool. It was only due to my experiences with these kinds of things that I had realized what I had done and immediately revoked access and secured my account. Somebody without the years of experience dealing with these things like I do would be none the wiser to this trick. Great video.
you need to be really wary of these micosoft login screens if they say *anything* more than just accessing your player ID. when multimc asked for similar permissions i had to research it for a couple minutes to make sure i trust them. and i would definitely not give such trust to a random mc server
This reminded me of this crazy situation that happened on skittlemc where players were getting doxed because of a leak or something not sure of the whole story because I was gone during that time. Microsoft shut them down for almost a year for not following certain guidelines. They made a lot of changes in the server to make more acceptable. It also lost alot of the playerbase it once had. I think I accidentally spoke to the doxer who helped me find a job exploit to earn emoney on the server. He later blocked me on discord and he hid his past names on namemc and went off into the unknown somewhere. He was perm banned but they unwhitelisted him then whitelisted him back.
@@quantdev Yeah it is really stupid. I questioned whether I should use a VPN, but I'm worried Microsoft would terminate my account. They've been known for freaking out about people going on their account in different ip locations because they don't permit selling or borrowing people's Minecraft accounts. I don't want them to take my VPN as some else using my account. Idk if a VPN now would matter anyway because they prob have my real ip stored somewhere. I don't care that much if the server admins know my location, I just worry about it getting leaked to everybody.
7:40 just a tip, you probably should put a black bar over sensitive information like your email there instead of blurring it out. It's possible to read out some of the characters manually (because of the screen movement) or via using an AI. A black bar is a bit more protective.
Although you can sometimes read it you just have to apply the mosaic then do the movement which soloves the problem and yes, some AIs can read through blurs but not through mosaic where information is lost
By "blur" I mean blur and mosaics. Some techniques can work through mosaics by applying the mosaic on guesses for letters until a best match is found. They aren't as safe as a black strip over data.
The checking physics thing is actually real on some servers. some clients tend to have physics modifications, for example meteor client where you for some reason take falldamage from 3 blocks instead of 4. this is an anticheat to detect if people are running certain cheats or certain clients. A good example is Purity Vanilla. It's an anarchy server where no cheats are allowed and this system there works so well that people are barely able to join with cheats on.
What makes this particularly ironic is that one of the reasons given for the migration of Minecraft accounts to Microsoft accounts was increased security. Instead this has increased the attack surface for people's MS accounts. At least back when Minecraft Java accounts were separate the damage was limited if your MC account was phished/hacked.
Technically it did. That just a side effect. It just matter of convenient and security. You guys seems fine having 1 steam account for several tens of MP games and your credit card. Yet annoyed when using a separate account for Ubisoft, EA or Epic, but they provide increase security by the fact it is separate from each other
Pretty much the same is happening in older CODs, the problem is that the servers are still directly hosted by Activision It's literally safer to play cod on modded clients other than the fact that they have anticheats & better servers in general
You are actually lucky if they only steal the Minecraft account token. There is a similar phishing attack on discord. That one has the Microsoft authentication set up in a way where they can change your email and password to kick you out of your Microsoft account.
A way to stop other people griefing servers that you play on can be asking the server owner to implement login security mods so you can only log in with a password.
@@truerandomchannel That wouldn't work here since the griefer in question would have access to your account, unless you used an IP whitelist I suppose.
@@ashleybyrd2015 The login security mod makes you log in with a password on the server that isnt saved to the server instead of your account and therefore they wont be able to access the password.
We’re the server host features in this video and may have been in the thumbnail for a while, we’ve since taken both servers down - the Minecraft server and the strange phishing site itself - note we have zero control over the domains but were the host of the servers 🥲 We were only informed of this phishing Minecraft server today after the video was released, we would’ve appreciated being alerted before releasing the video, but at least it’s taken down now 😅 We do not tolerate abusive services such as phishing, malware, hacking (without ethical hacker / security research credentials), etc. We never expected to end up featured by a 600k sub Minecraft RUclipsr, but we at least appreciate that you didn’t place the blame entirely on ourselves 😅 ~SG123 - CEO @ Privex ❤️
I remember once i joined a discord server being advertised as a giveaway server, and It asked me to verify using this method. It looked so sketchy and I am now so glad that I didn't click verify.
This is thankfully easy to avoid. It can be made more elaborate if went like: This server is modded, here's the modpack you need: ... Then you'll get a malicious mod, it can even go and say, don't forget to share this modpack with with your friends! Or you can make it better by actually letting the person in and require another player to access a feature, it'll attract more players duss more accounts to steal. So stay careful outhere giving credentials.
Just wanted to say, I am thankful I have never been hacked before. My ip was once leaked, but that was more than 5 years ago, and I use a vpn since then. Just like the video explained, Its really easy to be baited into giving your info, even though it looks like the same screen a 3rd party launcher would ask for. So I think that as long as you never enter your account info in verifications, you should be good.
Dang, I really like that people like you make these videos to warn people about these account thieves, especially since it's extremely hard for even Mojang and Microsoft themselves to prevent this stuff, even though they've made efforts in the past. (BT dubs, I felt targeted by those guys when you said younger, more susceptible players.)
To be fair... It is blatantly obvious that its a scam. A server about 18+ roleplay and "hot minecraft girls" that immediately asks for your personal info upon logging in? Yeah sure seems legit... If any server made me click a link with a popup asking for access, I would immediately bail.
Let's take a moment to appreciate how he makes his videos it's seems like a interesting history lesson with music in back ground to make it more dramatic. This video keeps my interest
This happens in Hypixel Skyblock Dungeons- the party finders that say "Free Carries for joining Discord server" have discord servers that have verification websites exactly like this. I almost fell for it once lmao
From mass content farms, RUclipsrs basically scamming children on p2w servers, and people straight stealing accounts in ways I didn't even think possible it's nice to see somebody genuinely caring about the player base and helping inform the masses for us to be wary.
You'd think a captcha itself would make people avoid places. "Why do I have to do an extra ANNOYING thing just to visit this place that I know nothing about and is only slightly alluring?" I guess people just want to be ANNOYED maybe?
They should make account tokens its own OAuth scope. Maybe having one service-specific token for misc services, but then they can request to use a different service token, then have that clearly outlined. The way they worded it is that they can view what details you have on your xbox profile, NOT login tokens. Just what I'd do to resolve this.
This is why I don't even go on servers anymore tbh. It's better to make sure things are fine routinely and occasionally play on singleplayer or with friends on a personal server
4:40 domain privacy services are very common and quite often included with a domain. Not really sus as most people wouldn’t want to have their real address and phone number publicly accessible. Also they don’t register “on behalf” they just proxy communications (you put their address instead). Love the video though - nuts.
i remember a few weeks ago i tried to go into this server out of curiosity because i thought it was funny not knowing it was an actual account stealing thing. I joked around with some friends "lol there goes my IP" and instantly removed the account connection from my account not realizing how BIG of an issue this actually was. Jeez, I almost got my stuff YOINKED, thank god I'm really strict with my security stuff.
In bedrock I've joined servers where, after joining and playing in them, I suddenly found myself having to relog into my microsoft account, often more than once a day. One time it was so bad I almost lost the ability to log in (something messed with the log in box). All of them were cross-play servers, and so far I still haven't found an explanation for it.
Huh. Weird. I haven't seen that with my personal server with Geyser installed, so either they borked their configs or something shady is happening. Geyser itself is fine, (in terms of security) whatever server you're connecting to may not be.
I've seen a few videos about something similiar, it's quite scary, but there is one way around this from happening, use common sense. As harsh as it may be, most victims don't see the blatant red flags. Seen a similiar system used, instead of having a server like this, instead a discord "verification", which suprisingly a decent amount have been tricked by it. I wouldn't recommand allowing any launcher to get permission to the account, even the ones that seems legit.
it is goddamned appalling that microsoft even _lets_ any app request permissions that broad. there is absolutely no use case that is more worth catering to than the catastrophic risks are worth avoiding.
Almost had my account stolen once by this method, I wanted to join a discord server but you needed to verify. Luckily I found it a bit suspicious so didn't lose my account.
It’s crazy how simple this can be recreated, the plugin would take less then an hour to make and the website maybe a few hours. Verification is a good way to secure logins (since I own a server) but never sign in with your Microsoft account to get verified on a server. I’ve been reading some other comments its crazy that Microsoft does not explain what is going to happen if you allow access, it gives very brief detail.
One thing i will say on domain registration, you almost always want to privatize your information when registering a domain, i forgot to once while registering a domain for a website, and i was flooded with texts literally every day about "developers" wanting to build me a website for cheap. Doesn't take away from the scam at all just saying its a pretty common thing to hide your information if your not a company
Here's the thing, if it gives access to the gamertag associated with the minecraft account, if you've also bought stuff from the windows store or the xbox marketplace, there's a decent chance your card info, or in the case of a minor, their parents card info, is saved to the account. Getting access to the account doesn't then just give them a free account, it gives them access to that card, even if they can't see the card details to use elsewhere, they can still add their main account as a friend, and then gift themselves games and game currencies on someone else's cash. Granted, there are built in safeguards you can setup to prevent that if your account gets compromised, the most simple being a custom passcode you need to input before making any purchases, but something tells me not many people would have that set up, and less parents would have that set up on a child's account.
That is not how oauth tokens work. Having your oauth token generated from oauth-flow don't give access to your login, and usually they are pretty safe (if you don't provide wrong scopes) (note that there is no scope for account login/password) Probably they are using a page that "looks like a Microsoft login page", but not a real one (check for typos in login page domain) The easiest way to check if login approval link is legit is by logging in the original site of the provider, so when you try to login somewhere else, it wont ask for your password, just for acceptance, since you are already logged in
Let me know if you've ever seen any other servers like this before! And make sure to subscribe!
Join my discord - discord.gg/WGc9UNM
ok
Why tho
Okay:)
@@jarPlays11no
Ok
pretty ironic how migrating accounts was supposed to be for security but instead opened a new can of worms with microsoft oauth login permissions
then the log4shell exploit happened 2 weeks after migration this Microsoft account migration has done more harm than good.
@@AverageNerdGamerlog4shell exploit is unrelated to Microsoft account migration
I mean "safety" was never the point, it was about Micro$oft exerting more control and their policy of "embrace, extend, extinguish." Probably meant to force any Linux players of Minecraft to make a Micro$oft account and to make chat reporting easier. Security is the tried and true excuse for stuff like this.
Suck
Having multiple accounts is and always will be more secure unless you're a brainlet who uses the same password on everything.
It was never for your security, it was always just to bump MS account numbers.
Convenience, freedom, and security are interconnected and getting more of one means getting less of both of the others.
Never knew that phishing of Minecraft accounts could be done this way, though honestly with a name and server domain like that it's so obviously shady
This can easily go past minecraft, many games even on steam could use something similar. This is a very scary thing to deal with and just know is out there.
Anyone who trusts that kind of name is a certified internet noob
@@jayemover_16 On a game with a primary audience of children that's to be expected and something we should take into consideration rather than make fun of.
You were an internet noob too once, don't be elitist just because you can spot a phishing scam.
what do you fucking mean? this is nothing new. It's just that the phishing scam is doing in minecraft instead of some scam youtube bot or discord
Everywhere I go, I see his face.
This is entirely Microsoft's fault. Their wording is vague ("This does not give xyz any additional permissions"?) and there's no warnings or confirmations.
Absolutely, it’s nuts that it doesn’t say it includes access to your MS account! Edit: Access to your Xbox account
Yeah, there's a reason why discord/google give you the scope of the app you're allowing access to, and that's to verify the permissions that the app would have. Nothing other than what's included in that scope is accessible by the app. But yeah, it seems that M$ gives full access to your account without even telling you. 🤦♂️
This is entirely Microsoft's fault. Their wording is vague ("This does not give xyz any additional permissions"?) and there's no warnings or confirmations.
If that MS login permissions list is correct, that's 100% Microsoft's fault - they're giving the app access way out of the scope of what it says it is giving
no, they just don't tell u what it is
@@WalkingBrainTheMathNerdare you stupid or did you just not read? Or both.
@@WalkingBrainTheMathNerdThats what he said
@@dagdnoob true, I kinda misunderstood it
If the MS login permissions list is correct, that's 100% Microsoft's fault - they're giving the app access way out of the scope of what it says it is giving
this isn't an exploit, per se. it's entirely intended behavior, specifically made for 3rd party launchers. the issue here is that microsoft worded their warning poorly. it should make it very obvious that you're HANDING OVER ACCOUNT ACCESS.
Exactly this, just look at how Xiaomi designed their UI for allowing third party downloads on their phones, just google "xiaomi dangerous permission screen"
Unlike Microsoft, Xiaomi decided to add a red warning triangle, a wall of text that very clearly tells you that you would be at risk allowing this, explained in a very clear tone that even a grandma or kid could understand and finally, there is a 10 second cooldown before you can even proceed, after pressing a separate checkbox.
if its open source and can be community peer-reviewed and audited, this is technically not the case.
you also need great op-sec to browse the internet these days
maybe handing over access to an account isnt that good? how about some diffrent kinds of rights for apps so that they cant just hyjack it afterwards
@@fireworkstarter It's not account access, rather it just lets it generate login tokens, aka it can only let it join servers with your name.
This is required for third party minecraft launchers, however as you can see it can easily be abused by scams
@@fireworkstarter there are other kinds of account access, it's just that piglinbrute requested authentication tokens and people got phised into giving them to them
Wow this is a shame, I was actually planning to develop a legitimate Minecraft linking system through Microsoft login, but the fact that Microsoft is giving entire account access to sites you sign into makes that idea impossible without feeling like a red flag to players.
just make sure to set up the permissions correctly, you probsbly only rly need the player ID from the account for most purposes
make it open source and you're good
Why would you need to link it though? How and why does it add anything to anything?
@@tartas1995 microsoft makes sure that sensitive actions (like oauthing applications) couldn't be done by robots
What do you mean by "linking system"? It sounds interesting
Its kind of amazing how messed up the Minecraft multiplayer ecosystem has become. Very, very few servers are fun, safe, and have a good community these days.
I know of servers that are still safe, but yes they are getting rarer and rarer these days. :(
userbase*
@DedRnBrb For real, singleplayer is becoming the only viable option. But it gets kind of boring after a while, after all sharing the results of your work is part of the fun, as is hanging out with friends.
@DedRnBrb Have you never tried just plain old survival servers with friends? Its quite a good time. I burnt out of singleplayer years ago, at this point I just play Vintage Story for the more immersive experience. Minecraft's main draw has for years been multiplayer, but seeing the decay it may not be for much longer.
At this point the average bedrock server is starting to compete
Never thought i'd see the day where some Minecraft servers use the same scam methods as PH ads 💀
Never thought i'd see the day where some Minecraft servers use the same scam methods as PH ads 💀
😭😭😭
I accidentally got ratted on skyblock yesterday so thank you for bringing this to light so nobody else suffers the same mistakes
How tf did you manage that
@kingacrisius he verified a "hypixel" bot to his Microsoft, same as me which just takes ur acc, I recovered my stuff and acc but many cant
Same bro I got ratted a few days ago too cause Microsoft gives zero shits about random websites and so on havin full access to your account
Sorry for you and all the others. Grinding for years and losing everything is never funny.
Personnally I simply stopped playing minecraft because I refuse to link it to a microsoft account, especially because I mainly play solo and I see no reason at all to do it.
But even if I understand that few people want to go to that extreme, I cannot understand why people still accept to give so much access to any games/apps they download.
If you download a game or an app (mobile or PC) that ask you to give a ton of permission that are not necessary, it's *always* to sell your informations and/or to do shady things with them.
I hope that someday people will massively say NO and switch to an other game (or an other server) each time they need to give away all their data for no reason, but I know it's not for tomorrow.
The worst is on mobile, when some people give all the permissions (camera, memory, account,...) to games they do not know...
@@lilnasnusnus7867 maybe you shouldn't give access to your entire account to these random websites yourself.
You live am you learn. Blaming microsoft for what is essentially a mistake on your part will not fix anything
What microsoft could've done is not make it so vague. "Allow app to see and update the data you give it access to" doesn't *really* explain what data exactly.
Either way, letting an app modify data on your behalf is already suspicious
Mojang: We are forcing people to migrate to Microsoft accounts for better security
Meanwhile the better security:
no security?
Microsoft was probably the one who told Mojang to do it so microsoft themselves made the attack surface of the game bigger causing more hackers
@@309electronics5 but mojang is microsot
It's wild to think that every change Microsoft has made to Minecraft has proven to be not only worthless, but actively destructive to Minecraft from every possible angle. Just wait until you hear about what they did to their EULA terms yesterday, they basically gave themselves permission to kill peoples' entire Microsoft accounts if they post unfavorable videos like the above, as well as reversing the old trademark use terms Notch setup, making anyone using the word "minecraft" in anything's title the "wrong way" a criminal overnight. 🤬
"free rectangle and bugrock/yava"
1:37 the "checking physics" thing actually does make sense, bot accounts usually emulate the java edition client instead of actually using it (to save resources and for flexibility), meaning they have to properly emulate the players physics too. it can check if your player falls, and if your player doesnt fall or falls in a way that doesnt seem legit, it can flag you based off of that (obviously this server has been rigged to flag everyone, but thats certainly a normal check)
oh nice!
Thank you for covering this. I have been pushing for this to be sorted out for a very long time. There are so many solutions and yet no department in Microsoft seems interested in doing anything.
Average microsoft moment.
This happens so often in both games and social media accounts. Thank you for calling it what it is when so many people want to call it "hacking". It's not hacking, it's "account theft".
Yeah, hacking is more of things like DDoS attacks, hacking into websites, and other things. Also video game "hacking" is actually exploiting, as they are exploiting vulnerabilities in the game's code.
@@TristanY_A very surprising majority of people don't know the difference between exploiting and hacking. Its kinda sad
@@road__housePeople call leaving their twitter logged in on their friend's computer and that friend making a troll post getting "hacked" it's so dumb
This happens so often in both games and social media accounts. Thank you for calling it what it is when so many people want to call it "hacking". it's not hacking, it's "account theft".
2b2t players: Definitely a Popbob thing.
Watch it be actually popbob
Popbob is a girl 🤫
69 likes on this comment
The popbob sex account duplication glitch
what the heck is a popbob
Man if only there were people smart and brave enough to take out the server at the source in person, maybe some of this stuff will never happen. Thank you for warning us about this.
3:29 we have to thank that one policeman from Scotland for taking down the site
I love the hoops people are going through just to steal some kids' virtual lego account, that virus that was on Curseforge was was impressive for how elaborate it was, im sure the same happens on Roblox as well.
roblox is far more simple, you google "free robux" and you find a pdf file hacked onto a dentist's website that contains a link to a phishing website
If I'm understanding things correctly, they're not just stealing Minecraft. They're getting into peoples' *Microsoft* accounts which will include any personal or payment info associated.
@@SoftisNelaris Yeah and the entry point is some lego game a bored swede came up with one day, since so many kids play it and arent educated on online saftey regarding phishing scams it creates a hotbed for malicious people trying to steal their info.
@@SoftisNelaris Yeah and Roblox has your stuff stored but censored. Although, if you have 5,000 robux (Or maybe more? I don't remember) and you make games for the platform, you can cash out your robux for real money (At the rate of a free money mobile game basically, so not much money, but it's still money that they can take from you). So all they have to do is gain access to someone who has millions of robux, then change the credit card associated with the account, then cash out.
I love how when someone discovers a new account stealing exploit it *always* comes down to them tricking you into giving up account details yourself. The pattern is there people, be wary of it.
Yeah lol. Joining the server yourself doesn't do nothing.
Only if you enter your own credentials, - then something will happen.
Legend says the policeman from Scotland was actually inspector gadget all along!
I like how Microsoft was making glorious claims about their authentication system outperforming Mojang's Yggdrasil and yet ended up here.
And this only possible due to the account migration… ahhh thanks again Microsoft. We all knew this would happen…
This is a very important issue, and I'm thankful you are making the general community aware of it. Some skyblock youtubers have already made a video on this topic a while back, but even hypixel skyblock is small compared to the rest of minecraft, and I don't think you share a lot of viewers with it.
MIGRATION promissed better SECURITY, but all we got is new ways of exploitation.
true, as before the only ways to steal accounts before was through mods and blatant login pages, both not so effective. I have been oath ratted nearly 3 weeks ago, when I joined a discord server for a guild I was in
😢חבי 0:39 😢חהבחבנב😢
Every single time I see something like this I’m expecting it to be something like “just logging on and nothing else can put you at risk” instead of a variation on the same old “oops put my password and information into the shady website and now it’s doing shady things!” Like I’m glad it’s always the latter but it always boils down to user gullibility
5:16 NOOOOOO!!! Hot Minecraft Girls Are Not Waiting For Me!
You clearly understand the OIDC authorization process. I liked how you made a clear distinction between access and refresh tokens. This kind of problem exists for all OIDC SSO technologies because people don't check what permissions they are allowing on their accounts. Nice vid
I was almost a victim of something similar to this through a discord verification tool. It was only due to my experiences with these kinds of things that I had realized what I had done and immediately revoked access and secured my account. Somebody without the years of experience dealing with these things like I do would be none the wiser to this trick. Great video.
Holy shit. Ur the guy from spokes old civ events
you need to be really wary of these micosoft login screens if they say *anything* more than just accessing your player ID.
when multimc asked for similar permissions i had to research it for a couple minutes to make sure i trust them. and i would definitely not give such trust to a random mc server
This reminded me of this crazy situation that happened on skittlemc where players were getting doxed because of a leak or something not sure of the whole story because I was gone during that time. Microsoft shut them down for almost a year for not following certain guidelines. They made a lot of changes in the server to make more acceptable. It also lost alot of the playerbase it once had. I think I accidentally spoke to the doxer who helped me find a job exploit to earn emoney on the server. He later blocked me on discord and he hid his past names on namemc and went off into the unknown somewhere. He was perm banned but they unwhitelisted him then whitelisted him back.
the IP leaking is probably because of Minecraft literally printing your ip in the server console when you join, which is really stupid
@@quantdev Yeah it is really stupid.
I questioned whether I should use a VPN, but I'm worried Microsoft would terminate my account. They've been known for freaking out about people going on their account in different ip locations because they don't permit selling or borrowing people's Minecraft accounts. I don't want them to take my VPN as some else using my account.
Idk if a VPN now would matter anyway because they prob have my real ip stored somewhere.
I don't care that much if the server admins know my location, I just worry about it getting leaked to everybody.
7:40 just a tip, you probably should put a black bar over sensitive information like your email there instead of blurring it out. It's possible to read out some of the characters manually (because of the screen movement) or via using an AI. A black bar is a bit more protective.
Although you can sometimes read it you just have to apply the mosaic then do the movement which soloves the problem
and yes, some AIs can read through blurs but not through mosaic where information is lost
By "blur" I mean blur and mosaics. Some techniques can work through mosaics by applying the mosaic on guesses for letters until a best match is found. They aren't as safe as a black strip over data.
@@sajeucettefoistunevaspasme blur loses data aswell, but you can still see through it. Same with mosaic.
The checking physics thing is actually real on some servers. some clients tend to have physics modifications, for example meteor client where you for some reason take falldamage from 3 blocks instead of 4. this is an anticheat to detect if people are running certain cheats or certain clients. A good example is Purity Vanilla. It's an anarchy server where no cheats are allowed and this system there works so well that people are barely able to join with cheats on.
What makes this particularly ironic is that one of the reasons given for the migration of Minecraft accounts to Microsoft accounts was increased security. Instead this has increased the attack surface for people's MS accounts. At least back when Minecraft Java accounts were separate the damage was limited if your MC account was phished/hacked.
Technically it did. That just a side effect. It just matter of convenient and security.
You guys seems fine having 1 steam account for several tens of MP games and your credit card. Yet annoyed when using a separate account for Ubisoft, EA or Epic, but they provide increase security by the fact it is separate from each other
Pretty much the same is happening in older CODs, the problem is that the servers are still directly hosted by Activision
It's literally safer to play cod on modded clients other than the fact that they have anticheats & better servers in general
You are actually lucky if they only steal the Minecraft account token. There is a similar phishing attack on discord. That one has the Microsoft authentication set up in a way where they can change your email and password to kick you out of your Microsoft account.
A way to stop other people griefing servers that you play on can be asking the server owner to implement login security mods so you can only log in with a password.
or, hear me out, whitelist
@@truerandomchannel That wouldn't work here since the griefer in question would have access to your account, unless you used an IP whitelist I suppose.
@@truerandomchannel No I mean if somebody steals your account or you are sharing your account with a sibling or friend
@@ashleybyrd2015 The login security mod makes you log in with a password on the server that isnt saved to the server instead of your account and therefore they wont be able to access the password.
@@felixchen1796 I was responding to the person who said "or, hear me out, whitelist"
We’re the server host features in this video and may have been in the thumbnail for a while, we’ve since taken both servers down - the Minecraft server and the strange phishing site itself - note we have zero control over the domains but were the host of the servers 🥲
We were only informed of this phishing Minecraft server today after the video was released, we would’ve appreciated being alerted before releasing the video, but at least it’s taken down now 😅
We do not tolerate abusive services such as phishing, malware, hacking (without ethical hacker / security research credentials), etc.
We never expected to end up featured by a 600k sub Minecraft RUclipsr, but we at least appreciate that you didn’t place the blame entirely on ourselves 😅
~SG123 - CEO @ Privex ❤️
True Chads right here.
You know it’s a good day when mister epic uploads
yup
never heard that one before
it all seems fake though, the document is full on trolling and he throws it out there like its real lol
I remember once i joined a discord server being advertised as a giveaway server, and It asked me to verify using this method. It looked so sketchy and I am now so glad that I didn't click verify.
Thanks to TheMisterEpic's videos about these scams, it has made me better at spotting them. Keep up the good work :)
Funny thing is, the microsoft page where you change the permissions is "under maintenance" and has been for some time now.
"You can get no info" was so badass tbh
This is thankfully easy to avoid. It can be made more elaborate if went like: This server is modded, here's the modpack you need: ... Then you'll get a malicious mod, it can even go and say, don't forget to share this modpack with with your friends! Or you can make it better by actually letting the person in and require another player to access a feature, it'll attract more players duss more accounts to steal. So stay careful outhere giving credentials.
The checking physics thing totally makes sense. Knockback, falling and similar stuff is all mostly handeled on the client
That one policeman from scotland was definitely in charge of the whole investigation.
"Southern district of Sweden"
Maybe they wrote that cause the furniture they had in the offices was purchased from a nearby Ikea.
The moment a server ask me to give them my account i dip out. Why anyone would give up their info for a server is beyond me.
When he says no pressure for the subscribe button I can feel the pressure building in my mind as he continues the video.
i thought there was some crazy session exploit or smth, and then its just a phishing scam, my disappointment is immeasurable and my day is ruined
Thanks for the account security, Microsoft! I feel so much safer now! 👍
This is the funniest phishing scam ever. I wouldn't be surprised if they made this just because it was so unbelievably easy.
I remember encountering a scam like this on Roblox around 2009 & said to myself “No way this will still be around in a year”
14 Years later:
Just wanted to say, I am thankful I have never been hacked before. My ip was once leaked, but that was more than 5 years ago, and I use a vpn since then. Just like the video explained, Its really easy to be baited into giving your info, even though it looks like the same screen a 3rd party launcher would ask for. So I think that as long as you never enter your account info in verifications, you should be good.
This happened to me but on a discord server. Thank you for making everyone aware of these.
Dang, I really like that people like you make these videos to warn people about these account thieves, especially since it's extremely hard for even Mojang and Microsoft themselves to prevent this stuff, even though they've made efforts in the past. (BT dubs, I felt targeted by those guys when you said younger, more susceptible players.)
It's not hard for them to prevent this, this is literally pure stupidity by Microsoft to design a dangerous screen to look like that.
who would EVER join a fake 18+/nsfw server in a kids game 💀
I was wondering the same thing lol. Same with who would click a link of a server like that to verify yourself.😂
To be fair... It is blatantly obvious that its a scam. A server about 18+ roleplay and "hot minecraft girls" that immediately asks for your personal info upon logging in? Yeah sure seems legit... If any server made me click a link with a popup asking for access, I would immediately bail.
Let's take a moment to appreciate how he makes his videos it's seems like a interesting history lesson with music in back ground to make it more dramatic. This video keeps my interest
This happens in Hypixel Skyblock Dungeons- the party finders that say "Free Carries for joining Discord server" have discord servers that have verification websites exactly like this. I almost fell for it once lmao
From mass content farms, RUclipsrs basically scamming children on p2w servers, and people straight stealing accounts in ways I didn't even think possible it's nice to see somebody genuinely caring about the player base and helping inform the masses for us to be wary.
wow thats amazing there still doing this! I logged into a server like this back in like 2014
As a cracked player i see this as a absolute win
Lmao
Holy🗿
As a player with more than 1 braincell i see this as a absolute win
same. been playing Minecraft since 2010 and never gave Microsoft/Mojang a dime
@@Kitulousi dont think thats a thing you should brag about.
5:05 damm, if you would say "over and over, again" it would fit the music a lot
You'd think a captcha itself would make people avoid places. "Why do I have to do an extra ANNOYING thing just to visit this place that I know nothing about and is only slightly alluring?"
I guess people just want to be ANNOYED maybe?
Captchas suck. The one on the Roblox website was so excruciatingly difficult and when I finally completed it, it gave me this
“An error occurred”
🤬
RUclips buffering doesn't want to let me watch
This is why I’m glad I only ever play on locally-hosted servers I make with my friends, lol.
"Hot Minecraft girls are NOT waiting for you."
Man, I'm dead. XD
🤣🤣
Comic Sans is the worst crime, tbh
this is actually the same page you get directed to whenever you play a gamepass/ms store game for the first time, making it seem less malicious
“Join out of curiosity” 8:04
They should make account tokens its own OAuth scope. Maybe having one service-specific token for misc services, but then they can request to use a different service token, then have that clearly outlined. The way they worded it is that they can view what details you have on your xbox profile, NOT login tokens.
Just what I'd do to resolve this.
I used to have something like this to troll my friends, But this clearly got out of hand
Highlights the questionable morality of companies data mining users. It’s a bloody big security risk.
This is why I don't even go on servers anymore tbh. It's better to make sure things are fine routinely and occasionally play on singleplayer or with friends on a personal server
Something similar happened to me when I signed into steam through a fake login screen. With in 1 minute I lossed my account
Sounds creepy. Thanks for causing awareness about these kind of methods
Its sad to see, that mojang doesnt care about this issue..
4:40 domain privacy services are very common and quite often included with a domain. Not really sus as most people wouldn’t want to have their real address and phone number publicly accessible. Also they don’t register “on behalf” they just proxy communications (you put their address instead). Love the video though - nuts.
i remember a few weeks ago i tried to go into this server out of curiosity because i thought it was funny not knowing it was an actual account stealing thing. I joked around with some friends "lol there goes my IP" and instantly removed the account connection from my account not realizing how BIG of an issue this actually was. Jeez, I almost got my stuff YOINKED, thank god I'm really strict with my security stuff.
3:00 the music makes me think of something you'd see on pirate screens
In bedrock I've joined servers where, after joining and playing in them, I suddenly found myself having to relog into my microsoft account, often more than once a day. One time it was so bad I almost lost the ability to log in (something messed with the log in box). All of them were cross-play servers, and so far I still haven't found an explanation for it.
Huh. Weird. I haven't seen that with my personal server with Geyser installed, so either they borked their configs or something shady is happening. Geyser itself is fine, (in terms of security) whatever server you're connecting to may not be.
4:08 expires today
That type of microsoft verification is commonly used in skyblock discord scams. I got my account hacked by it once, but managed to recover it.
The Microsoft Consent page is currently under maintenance :D How fun.
Meanwhile mojang is banning servers for having guns
Thx for informing us dude
Wow I can't believe that Microsoft account security is worse than Mojang account security.
I bet Microsoft realy was excited and happy when they got to buy the game from notch implementing their things.....
I've seen a few videos about something similiar, it's quite scary, but there is one way around this from happening, use common sense. As harsh as it may be, most victims don't see the blatant red flags. Seen a similiar system used, instead of having a server like this, instead a discord "verification", which suprisingly a decent amount have been tricked by it. I wouldn't recommand allowing any launcher to get permission to the account, even the ones that seems legit.
fire video as always, thx for the information
it is goddamned appalling that microsoft even _lets_ any app request permissions that broad. there is absolutely no use case that is more worth catering to than the catastrophic risks are worth avoiding.
Almost had my account stolen once by this method, I wanted to join a discord server but you needed to verify. Luckily I found it a bit suspicious so didn't lose my account.
It’s crazy how simple this can be recreated, the plugin would take less then an hour to make and the website maybe a few hours. Verification is a good way to secure logins (since I own a server) but never sign in with your Microsoft account to get verified on a server. I’ve been reading some other comments its crazy that Microsoft does not explain what is going to happen if you allow access, it gives very brief detail.
the migration was advertised as a way to improve account security yet its easier to steal accounts now than ever before
I mean, in order to get your account stolen, you need to join the server, and have little internet security consciousness.
Interesting stuff, as usual :D
Hm yes 5am maybe its time for me to sleep oh wait TheMisterEpic Just uploaded,Well guess i wont get sleep tonight
One thing i will say on domain registration, you almost always want to privatize your information when registering a domain, i forgot to once while registering a domain for a website, and i was flooded with texts literally every day about "developers" wanting to build me a website for cheap. Doesn't take away from the scam at all just saying its a pretty common thing to hide your information if your not a company
Here's the thing, if it gives access to the gamertag associated with the minecraft account, if you've also bought stuff from the windows store or the xbox marketplace, there's a decent chance your card info, or in the case of a minor, their parents card info, is saved to the account.
Getting access to the account doesn't then just give them a free account, it gives them access to that card, even if they can't see the card details to use elsewhere, they can still add their main account as a friend, and then gift themselves games and game currencies on someone else's cash.
Granted, there are built in safeguards you can setup to prevent that if your account gets compromised, the most simple being a custom passcode you need to input before making any purchases, but something tells me not many people would have that set up, and less parents would have that set up on a child's account.
It's like troll-griefing on 2b2t, but that's whole troll-hacking.
All these names make no sense than mocking on hacked ones...
Wow, that site got taken by the Office of Inspector Gadget? I really wonder what they could've done to get on his bad side!
That is not how oauth tokens work. Having your oauth token generated from oauth-flow don't give access to your login, and usually they are pretty safe (if you don't provide wrong scopes) (note that there is no scope for account login/password)
Probably they are using a page that "looks like a Microsoft login page", but not a real one (check for typos in login page domain)
The easiest way to check if login approval link is legit is by logging in the original site of the provider, so when you try to login somewhere else, it wont ask for your password, just for acceptance, since you are already logged in