There Will Never Be a Minecraft Exploit This Powerful AGAIN.
HTML-код
- Опубликовано: 27 апр 2024
- A minecraft exploit of a magnitude so powerful it's almost unbelievable.
Check out BuiltByBit for all minecraft server goods! - builtbybit.com/themisterepic/
My Patreon (exclusive censored content, plugins and worlds) - / themisterepic
--------------------------------------------------------------------
Want to run your own minecraft server with friends or a community?
Get a 25% discount on hosting with code "Epic"!
shockbyte.com/partner/themist...
--------------------------------------------------------------------
Checkout @zman1064 video - • Becoming ADMIN on a Pa...
Thanks for watching! Subscribe and Join My Discord!
Discord - / discord
Twitter - / themisterepicyt
Twitch - / themisterepicyt
Join My Minecraft Server (1.8-1.20): og-network.net
- Website: og-network.net
- Discord: / discord
0:00 - Intro
0:55 - The Minecraft Exploit Hierarchy
5:22 - Force OP.
10:46 - The Exploit?
14:07 - Vulcan AntiCheat.
16:05 - The Exploit.
17:37 - But How?
19:21 - It Begins
25:04 - Last Ditch Attempt - Purple Prison
Music Used:
1. Discovery - New World Game Soundtrack
2. Realize - Flowing into the darkness
3. Scott Buckley - Decoherence
4. Scott Buckley - Catalyst
5. Scott Buckley - Machina
6. Lemmino - Cipher
7. Lena Raine - Rubedo
8. C418 - Flake
9. Scott Buckley - Escape Velocity
10. Outlandr & Dani King - Dynamiser [NCS Release]
11. C418 - Living Mice
If there is any content in this video which you own and would like removed, than please contact me and I will be happy to oblige.
#minecraft 
Игры
Huge shoutout to BuiltByBit for sponsoring this video, if you are interested in anything minecraft and server related, please check them out - builtbybit.com/themisterepic/
ok
you didnt do sponsors before
April fools video, dupe on your server 😎
what's that sick ass dnb track that plays during the exploit of purple prison? nevermind, that's in the desc.
please put an epilepsy warning if youre going to have things like 0:53
Players manage to bypass your servers spawn protection. What do they do with this newfound incredible power? Dig straight down
Neuron activated
Big brain
A scale so large, it won't happen again
100%
@@TheMisterEpic 99.99999999999999999999999999999999999999999% Lmao
@@surge1229 thats not how that works
Biggest plugin(s) will contain at least 1 oversight.
What if there is something even worse than that? Perhaps being able to absolutely remove the server from the existence? Time will tell, people are still unaware of potential possibilities that are still unknown for them
“Once in a decade exploit”
*remembers log4j error, a Java exploit that allows you to run code remotely on any computer through a string value, something far more powerful than a simple /op*
Keep in mind, that's not a Minecraft exploit, that's a security vulnerability in java
@@TheMisterEpic still WAY more powerful than any other exploit has been yet
Sure, but not a Minecraft exploit
@@TheMisterEpicits actuly a exploit in one of minecraft dependencys
@@CuteistFox ain't cuz you can run it on minecraft that it's a minecraft exploit though...
It confuses me how it took so long for anyone to find this. Yeah, not everyone is going to think "maybe if I rename this chest to the name of a server UI chest, it will give me that UI," but the process is so simple in hindsight that I'm surprised that it wasn't tested sooner.
From idk how none of the devs did a check if you had the permissions or not. Its like if typing rm -f / on Linux never checked to see if you had root privileges and just ran the command anyway or if windows just let a guest account delete system 32 without checking if they were a admin like how does the biggest anticheat for Minecraft miss such a simple crucial check
it probably wasn't found cause a good chunk of people who play don't really know how these plug ins work as it was a paid service, and if you are wantin to troll you don't exactly wanna put actual cash into learning how a plug in works to exploit it
@@tux_the_astronaut because it isn't the biggest anticheat for Minecraft, Grim is
@@tux_the_astronaut rm -rf /* doesn't need root, because if you don't have root it'll delete everything that it can delete without root
generally, the simpler the idea, the more likely people are to think it has already been tested
Today's Fact: In 2020, researchers used quantum entanglement to teleport information between two chips in a silicon-based system, a major step forward for quantum computing.
cool
that sounds like fast internet speed
Thank you facterino
Yeah…but the silicon-based system does have quantum crystals right
Ant man did it first fr
16:28 “this isn’t the most powerful forceop exploit ever, this is the only forceop exploit ever”
We just gonna pretend bungeespoofing doesn’t exist
Yeah, he forgot the true biggest exploit, literally applied to any server with bungeecord
im pretty sure there are different adaptable parent server exploits too
it's the most powerful and the least powerful
from what I understand, this was already well known for a long time and fixed in other proxies like velocity by design
or UUID lol
Man, when you were describing the hierarchy, I had an idea: I make a server donation plugin, one that has a built in dupe exploit. One the server owners have to buy- in other words, the explicit purpose of the plugin is to gank P2W assholes.
probably wouldn't last long, but it would certainly be funny
99% of servers use tebex/buycraft, wouldn't work
they all use tebex/buycraft, so there is no real way to make another donation plugin
@@maasnelsonhailey218 It's not about the damage, it's about sending a message
That idea is SO GOOD and so CRUEL... I love it,,
That ending took it from "Yeah this is powerful, but unless you're careful it can always be rolled back" to "Holy hell, this is a _deadly_ exploit."
this is... a very, very old and basic oversight that has been done (and will be done) by many plugin developers that want to use chest GUIs until bukkit/paper/whatever implement a standardised solution.
ofcourse it's hardcore that this has happened to a big anticheat plugin and there's no checks whatsoever after opening the menu, but the ground principle of "opening renamed chest to get to GUI" has been around for a long while
There is already a standardised soloution for years, inventory view instances. The developers just used a decade old method.
there is, its called InventoryHolder
@@game_time1633 didn't know that, is that added from bukkit, spigot or paper?
@@SaschahiGG from what I remember Bukkit? Correct me if I’m wrong though, but yeah pretty sure that was bukkit.
@@SaschahiGG InventoryHolder is years old, dates back to at the latest 2016, when I started plugin development, it was THE way to do inventories so to use the old method, in my opinion, you're just asking for problems
I recently found a 1.7 dupe:
1. Lock a hopper.
2. Open your inventory with e
3. Use q to drop items
4. Close your inventory
5. Right-click the hopper. This resets your inventory.
6. Go back to step 2. Repeat ad infinitum.
make a video.
stay safe there 1.7 servers, the 3 of them.
lol@@xfi6658
yes. the 2 defunct ones and that weird 1 anarchy 2b2t clone@@xfi6658
@@xfi6658yeah why would people use 1.7 when 1.8 exists
I would like to provide some insight into this as I am an amateur server dev, and this exploit came from a very large oversight.
So server chest guis work by having inventories and using the event to detect when someone clicks an item (as you described)
What likely happened here was that the developers of vulcan forgot to add proper item checks to what they were clicking, so the server just assumed that they had permissions. Yes, there should be permission checks there. However, it is (from what I've seen) standard practice to add checks to the item clicked such as it having lore (meaning the player couldn't have modified it to have that lore), so that you don't ever accidentally detect them clicking an item in their inventory.
The oversight of not adding permission checks isn't as egregious as not having the proper item checks for the gui, as its the very first thing you HAVE to get right.
You're on the right track, I'd also like to provide some insight as an experienced dev.
A lot of (especially beginner) developers compare their inventories by title - this means that to check if a GUI opened by a player is the GUI that the plugin wants, it compares the title of the GUI. This is wrong on multiple levels - the video shows exactly why.
You were correct about the lore-for-the-item thing, but also not 100%. From my experience, it's standard to use NBT data for an item (add a tag that identifies this item) - this way it's completely fool proof. On versions of 1.14.4 and above it's especially easy to implement with the PersistentDataContainer API.
I legitimately can not believe this even occured like this, NBT acts as a key, why did they feel the need to use the title which everyone can change?@@roughlyunderscore
beyond that, not even checks were present, leading to a fatal flaw
@@Omega-mr1jg Yep. Basically a lot of rookie mistakes - overlooks that were done due to the sheer complexity of the rest of the plugin. The developer probably didn't put too much thought into the GUIs because those were not even close to being the main focus.
why would even anyone use this old rookie method for custom menus, when you can make a menu by implementing InventoryHolder and don't have to care about permission checks 😭
In Insanity on 23:03, you actually got OP access. However, some permission plugins can override commands to use the permission system rather than op access. That's why you cannot use commands but can see spy messages, they configured that incorrectly so you can see.
"If you reinforce a door by making it impossible to break down they'll just destroy the door frame"
Or climb in the open window.
Tbh the funniest thing that you could do is add /stop to random flag and make staff wonder what the hell is happening
That would have been hilarious ngl, especially if the exploit never ended up becoming known by many others
27:52 "Everyone's owner", now that is what I'd call an anarchy server
nice profile picture bro
@@ryan_765 Thanks, yours too
2:44
"Rare but not that uncommon"
come on man just pick one
Lmao
I head that too. Must be a mistake in the script
theyre rare(hard*) to find but pretty common since they are frequently found anyway
Corny ass video and script lol, good video but my god these kind of youtubers just try so hard to make it super dramatic, it's minecraft ffs LOL
@@RRareGaming how?
"what i dont like is unethical gambling" then proceeds to blow the server the fuck up in retaliation (w)
He then helped them solve the problem so he effectively did nothing. If he were actually against it he would’ve done damage he said he could do
This is so wild I'm writing a college level security report on CWE-94, I'm going to source this video as an example of injection code as it is loosely related to it! Great video!
As a professional developer who used to create hacked clients for Minecraft (this was 5 years ago at this point though), I can very much say this: It isn't impossible to find exploits like this, and if people with genuine cyber security backgrounds where to look at Minecraft, they could likely exploit it within the same week, it's just that they have better things to do than stare at a block game.
People do it all the time. He’s a server owner himself so there’s clear bias (he actively defended and helped purple prison which promotes gambling to children)
I feel like your exploit scale is missing a tier, log4j was known as an RCE exploit, which should be far more powerful than forceop. For example, if multiple servers exist on a single machine, you'd only need to attack one. Or you could steal/modify sensitive data, or install malware/ransomware directly to their server hardware.
that's not a minecraft-specific exploit, it affected a lot of java-related stuff in general, not only minecraft
@@JustVldKsh Read the comment again. No where it said its a minecraft-specific exploit. They only wanted a new RCE exploit tier.
@@kidscreativitys The video was talking about Minecraft exploits, but yeah an RCE exploit tier would make some sense
@@SolTheIdiotIts still a exploit anyone could abuse nonetheless
@@JustVldKshI mean the JNDI lookups were able to be turned off so the fact that Minecraft didn’t kind of makes it a Minecraft exploit.
i think its crazy that people still find ways to terrorize servers
On all pre-1.13 versions, by creating a piston with data value 6 (invalid rotation), it will crash the game whenever powered or whenever it recieves a block update. It is also an update suppressor and can get you block 36, half beds, half doors, floating blocks, piston heads, etc.
its the one used in 2b2t right @@bennyl9228
Terorize? I just want in on some fun. I keep trying to look for reliable dupes, but everything is so ''secure'' nowdays.
@@vytautaszygelis1106🫤 look for the dupes yourself
@@vytautaszygelis1106 nothing more fun than ruining your own/others' experience and fun and reducing the entire game to a pentesting playground before promptly leaving the game until another exploit is found.
The panic server owners must have felt because of this is hilarious
Fun fact: you have been on a hungarian server it was the one with the ban reason being "hi fan, what are you doing?"
25:04 Scott Buckley's music really works very well with this scene
100%
"This vulkon the worst exploit ever" Log4Shell: "Hold me beer."
I saw some other people talking about this, could you explain it to me :P
(and possibly how to do it ;))
@user-kz1zc7vm4l log4shell was a Java exploit that easly allowed you to execute remote commands to the players computer, is not even in the server, they could easly get all you information saved in your computer, crash it, infect with malware and a lot worst. It was a Java exploit and not a plugin one, they fix it very fast but some damage was done. Also it wasn't minecraft exclusive since a LOT OF THINGS works using Java, so just imagine the possible damage. Once in a life exploit, one of the most or the most powerful exploit ever
@@EmanuelLopesS2 this vulnerability existed for a very long time and it was not taken advantage of but when it did, it made playing Minecraft an actual security problem, especially on Minecraft servers and the ones where there are hackers around that can just remotely enter your computer and do anything they want to do.
Log4j exploit is one if the most insane exploits to ever exist in digital computing
@@CDZ1309 person above me explains it
@@CDZ1309 ruclips.net/video/w2F67LbEtnk/видео.html
To any aspiring plugin developers trying to avoid this happening to them: just use interfaces that extend from InventoryHolder and check the type of the inventory, don't bother with inventory titles or item names. Not only will it avoid this issue but your code is gonna be so much easier to read and maintain because you don't have to deal with strings and a complicated if/else tree
Thanks a lot
Just checked a tutorial on it, it's much better than the usual ways people learn to make inventories
you mean like extending the inventory class? wdym
Or.... dont. Or just let some people enjoy something instead of patching shit out in mere hours. There is already enough fucking grinding and other bs in real life.
@@vytautaszygelis1106 are you real?
@@iilwybots can cope and seethe too lmfao.
Very cool and detailed video about this Vulcan exploit and I think we may not see something like this again in the near future and I am still bothered that I was not able to actually use it myself as there was not enough time after the owners of Minemalia discovered that we were accessing their Vulcan menu and as I said we did not know that you could edit punishment commands which we found out afterwards when they had already alerted frep.
One thing I would like to add is that there is a way to access the main GUI without knowing its name. In my case I used a feather and the chest title "Check Types" which allowed me to access GUIs without knowing the name of the main GUI.
It is quite a mistake not to check for permissions on the GUIs, which should NEVER happen, but to be fair, frep handled it very well by releasing a free patch for everyone. But I think there will be a lot of servers vulnerable to this exploit for a long time to come.
Also the video was unlisted, since I released another one right afterwards which included the aspect of Force-OP. :)
@@CCBlueXhi ccbluex. was fun trolling minemalia XD
Hi
Hi
Hi
If that ever happend to me, i'd call my friend Micheal.
i think it'd be better to call saul
Thank god for michael
man its okay to just say u wanted to mess with minecraft servers with a funny exploit idk y every channel like this acts like they r on some crazy moral highground
at 28:33 that /save-all mustve felt SO GOOD hahahha
26:54 very nice dutch person in chat
iknow hahaha
Comment I was looking for
as someone whos been making inventory guis and other various minecraft stuff, i can say that the statement at 18:20 is incorrect, it is *VERY EASY* to check if the inventory instance is correct, and check permissions accordingly. But even if it wasn't, if you're doing scripted events when clicking a gui button, that should 100% BE BEING CHECKED!
I can imagine an issue arising where players spam open inventories to lag servers
If it needs to run a check *every time* anyone opens any inventory, imagine the lag from just 2 or 3 accounts just spamming e
@@tacticallemon7518 yeah except it does that check anyway, but for the container name
Also opening an inventory and opening a container are entirely different operations, spamming e wouldnt even trigger that check
That ending felt like I was watching Team Avolition again.
This was absolutely insane. Last time I was involved in something like this was when iTristan gave me a 32k sword.
Idk about anyone else.. But seeing the sun SIDEWAYS at the start is cursed to hell.
I love how whenever the character has to climb up to the very top of the hierarchy, he is always just out of reach of the top, but the video "glitches" and all of a sudden he is on the top. unexplicably.
very poetically shown
Still can't believe they were just checking the name of the inventory and not using `instanceof`. It's incredible that this is even possible. Wow.
I think they should @Deprecated and @ForRemoval it. It truly is a bad option. Tho, I used it for years, it's time for a change.
You shouldn't even instanceof them, you should check if it's a specific instance of the inventory
@@russianyoutube oh hi, I know you
@@XnoobSpeakable oh hi, I know you too
My server which averages around 200 players got nuked by a competitor server and they deleted our saves causing us to have to remake some aspects of our server, it was not fun
Log4J was the “Once in a decade exploit” for Minecraft servers, and many other things of course.
Log4J wasn't just a "once in a decade exploit" for Minecraft, it was a "once in a decade exploit" for literally the entire internet.
@@brandon9172original commenter alsp said "...and many other things"
@@brandon9172 Yeah, this exploit doesn't even come close to that.
27:00 that was so fucking fun to watch lmao, the background music and editing makes it so entertaining and epic
Ah yes, the good men and women of Purple Prison's finest. The Purple Prison Moderator Team: Vigilant, but incompetent.
Half the mods on that server literally false ban you for the stupidest stuff. Like one auto hackusated then banned me just cause I so happen to run forge on 1.8.9 yeah OK but for OptiFine only! Effing tards.
Remote code execution exploits are even higher up on the exploit pyramid. You can literally edit files on the server.
this is why exploits need to be fixed super quick so people don't destroy sevrers
This is why exploits don't need to be fixed because they are more fun to have than to not have
@@fatfurryMinor exploits bugs and glitches can be fun, but fundamentally comprimising exploits are not
@@ionisator1 🤓
@@fatfurryok clown
@@ionisator1 Dont care. I wanted to try this. Cant. Why? Because its fucking gone. Tried to find dupe exploits. Cant. Why? Cause fucking monkeys patched them out.
It’s actually amazing how far some of the community’s knowledge went, to actual force op exploits. As much damage as this has done, it’s actually baffling.
I remember this happening to a small server, the exploit was dangerously abused on it; even going as far as leaking IP addressess and saying sensitive words using the broadcast command.
24:40 You really did test it on a variety of servers...
I love that you've showed a translation aswell. :D
rivalsnetwork my beloved
"Le flight" tho instead of expiration
I like how the reason he got banned is just so Hungarian.
@@definetly-not-real I also like how there's probably at least three Hungarian people in this comment thread, and we're all speaking in English. :D
@@definetly-not-real mennyire igaz
What a lovely message on the bottom left at 6:54
spotted that also
I guess Mister Epic didnt notice that otherwise it would also be blurred out
Wtf. I reported this to the Vulcan developer a while back and he fixed it within about an hour. I had no idea it was this big tho. The chest you click on in the inventory does not have to be named btw. Only the inventory name matters.
No way bro finally launched an effective attack on purple prison
I absolutely loved watching this especially with good noise canceling headphones the choice of music was amazing
In Minecraft wiiu all your need to do is change some memory addresses and you can do basically anything you want with and make it impossible to be removed.
That's messing with console/disc code
basically an equivalent to hacked clients/mods
@@MC_CN Yeah you can edit the system memory in real time with a tool called TCP gecko, clients do exist for Minecraft though and at there core, they are simply modified versions of the minecraft.rpx (the core of the game)
So no disc mods needed just some homebrew
Yes if you have physical access to something you can do anything...
@@MC_CN damn RUclips deleted my previous reply to thsi
@@DorperSystems I'm talking about modifying address on, _your own_ system to trick the game into thinking that your the host
The person who found this first was a german youtuber named Garkolym, he made a video about it on January 22
Those random flashing lights with no warning is crazy
ThatMisterEpic's final checkpoint everytime: Purple Prison 😂
I love how PurplePrizzon disolves into chaos in only a couple of minutes. It just goes to show how powerful this exploit is!!
the absolute misery you unleashed on purple prison brought me unspeakable joy
mann it's crazy what people find out how to do
As a developer that has worked on dozens of plugins involving hundreds of inventory GUIs, I take issue with the statement that it's difficult to check. One of my main go to methods of implementing chest UIs was to create a custom inventory container class similar to how all standard inventory types have their own class in the code. Internally in logic it would be identical to a chest UI, but I could then test the player's currently opened ui's class against my custom one. Opening a normal chest or player inventory would result in the currently opened inventory's class being PlayerInventory or DoubleChestInventory (or equivalent as the names have changed at various points in times) but they would not be the custom class.
On top of that considering the UI is accessed via command and Spigot servers have events for opening and closing inventories in addition to just clicking in the inventories, it's not difficult to keep track of the current inventory of the player.
All of that is then on top of basic permission checks, it's odd. And it's even stranger that the developer removed the UI entirely instead of just adding the checks to the code. The developer obviously knows what they're doing as making an Anti Cheat is not something someone does on a whim, especially one so well received, so it's baffling this got through.
There is a force op in 1.2.5 and below that you didn't mention. Back then the Minecraft protocol wasn't encrypted. What this meant is that the connection between clients and servers were not secure and could be tampered by anyone in a MitM attack. The force op worked by getting an admin of the target server join an attacker controlled server. When joining the malicous server, the malicous server would then try and login to the target server and forward the handshake packet back to the admin's client allowing the malicous server to successfully login to the target server as that admin. The malicous server while logged in with the admin account could execute any command including op. The malicous server doesn't have to forward any other packets back to the admin so it can just kick the admin with an error message or have them join a fake server so it isn't suspicious.
Man imagine being gone for a second and everythings gone and everyone has op 😂
With great power comes great responsibility ❌
with great power comes exceeding great rarity ✅
"What a cool looking minecraft server! I wanna go play it." *Joins server and sees the chaos* " oh my "
such a well put together video. Hats off to you mr epic
Hacker: Lets use an exploit!
TheMisterEpic: Lets use the only forceop exploit!
Haha, le classique demonstration of the first rule of networking - "Never trust the client"
This is actually insane. Kudos to finding it, I hope the purple prison devs didn't get too mad at you
I found something somewhat similar where there was a bug in the server perms setting where I just had access to “/op” in the main lobby when I first joined.
It was noble of you to show restraint with this exploit. If another group discovered it, imagine the mayhem that could have been caused.
Except Purple Prison. XD That poor spawn!
@@CrioChamber spawn is really easy to reverse, im 99% sure a server like purpleprison has their own build server where their builders can build then turn them into schematics to be pasted at the live server
@@qrae_qrae6629I mean, I didn't think they wouldn't have a backup somewhere, just before they rolled it back that spawn got oofed.
@@CrioChamber nonetheless, if purple prison didn't have a backup, fuck them LOL
I just love the part when the music starts playing and EVERYTHING escalates COMPLETLY - I love how you cut you Videos Epic, thank you for making videos - I just love it!
its very nice to know that the minecraft server community moves at lightning speed when it comes to some kind of danger to their servers
My man let Purple Prison off like crazy, even helped them get back up.
Damn and they could've saved so many people money by stopping Purple Prison entirely.
This feels less like a permission issue and more like an input sanitization issue. Not sure if it has to do with Minecraft or the anti cheat but there should be an input sanitization process that should prevent just renaming something to get access to a console.
man, i've been following zman since the unturned days. crazy to see him come so far
It’s wild their excuse was “it’s extremely annoying and hard to program” like bro when the command is set to execute put to check a list of approved users to execute. So hard.
In your exploit hierarchy, you missed a tier above ForceOP: Full server control. This is where Log4Shell sits.
And even higher: total RCE. Being able to run code on other players' systems. I think log4j could do that?
is there an exploit that allows you to goto anyones house irl
Related to the video, this is really both interesting and scary at the same time
Coming from someone that used to play on Purple Prison, this was amazing ❤️
Literally The Purple Prison mods: "I don't get paid enough for this."
I like the glitchy transitions you have
I'm not going to lie, when you use the exploit on Purple Prison, I could not help but laugh XD. I used to play on that server when I was younger but now me being an adult I understand what money is and what kind of a server Purple Prison is. I know that exploits can be harmful to servers but this one takes the cake and it really caught my eye. I am not an expert with technology or dupes or exploits and all that but I just like watching them and learning more about them. Keep making awesome videos!
perfect end to the purple prison arc
It's funny that, to this day, many mods/plugins still use custom names of items to branch the behaviors of that item from the original implementations. I personally prefer going with the built-in NBT tags system. It works well along with the OOP concepts and cannot be easily tampered by players. Though in Vulcan's case they should've used controlled commands like what old-school NCP does in the first place.
cant believe Vulcan used inventory titles to distinguish inventory GUIs LOL thats so terribly coded
it is NOT difficult AT ALL to use a HashMap which maps the player to the inventory object when the inventory is opened and only handle click events on that GUI
this kinda reminds me about a roblox bug naming your character lets say bosscampos, so boss camera position, so the game would get confused cause there are 2 files named the same thing so it would freeze and bug the game
ik this isnt that relevant i just wanted to share some thing cool
"Vulcan was good, really good..." meanwhile sending a stop breaking packet every 15 ticks:
As someone who's tried running their own Minecraft server for me and a friend to play on, this is both terrifying but also interesting and amazing at how much had to go wrong for it to work.
Should have destroyed the hell out of purple prison, and cripple the server ENTIRELY. A once in a decade expliot could have gone to use and destroy this P2W server, and yet you choose to tell the staff of said server. SMH dude
The fact that /op is a thing makes situations like this dangerous. It's so straightforward to understand that gets you too many permissions. Why can't server developers just remove it and add a MFA for promoting anyone to moderator or higher level statuses?
Good point, Any permission past basic moderation should require MFA to give out properly, /op can literally be executed at any time.
As a skript developer myself I can confirm it is a major pain to do this, but it can be prevented by placing buffer characters like colored spaces after the text is finished like "GUI&a &r" this fixes all your problems and makes it virtually impossible for players to open this gui. I can confirm that like every skript I have seen doesn't check perms, but the all use colored text and that makes it impossible for players to get UI named this way. Third mistake most people missed is that Vulcan checks it based on the item clicked as opposed to a slot, which is kinda of a bummer
I allow players to put colours in anvil. Slot checking would have been even easier to exploit, just click the empty slot where Manage Checks was supposed to be.
This video is on another level! Keep up the amazing work MrEpic ❤
I love how revalsnetwork just says: hello my fan what good are you doing? in Hungarian xd
Még én is meglepődtem, hogy RivalsNetwork, mondom "Ez mit keres ezen a szerveren?" XDDD
The story telling in these videos is actually insane, keep it up!
🤖
Stop appearing everywhere you chicken
Kurczak is chicken
One of the small to medium Smp that I am a mod/admin/co-owner for but got griefed by the "the mole group" or something like that via the Vulcan exploit on 31/01/2024 around 8:30 pm AEDT.
We managed to recover within 1-3 ish days after it.
One of the examples at the 10:24, 17:25 & 28:03 mark by the griefer who did this on the SMP I was on, plus it hits home
but thx for covering this TheMisterEpic 💜
Edit: I've shared this with the owner of the server :p
i know that you wont find this but good luck on the future of ur content
This exploit has been known for other plugins for a loong time now... not much of a surprise that it would happen to more popular plugins at some point
Skip to 10:10 to save 10mins of overdramatized buildup
JFC flashing lights warning at 0:50
Insane quality video bro ❤ love your work keep it up ❤
i remember finding some OP bugs years ago they were fun, my favourite was on modded servers that had the sponge wipe to edit signs, go to an admin shop and edit the sign to give @player op or whatever the syntax was. worked on a surprising amount of servers at the time but i'm sure it's fixed by now