It's crazy that you can still do this stuff in 2023. You'd think having the OFFICIAL Mob Vote server nuked would be enough incentive to try patching these exploits but ig not.
@@hrmm_9 by making an actual good server backend. on java its basically impossible to run operator commands or spawn in items with packets cause inventories are verified by the server through a lengthy process. currently on bedrock the server just accepts whatever you send it without any security measures or checks, which lets you do things like this with very minimal effort edit: patched but still inexcusable for a lot of these
What's crazy is I used to play Mineplex Bedrock daily even streaming it, until I was met with hackers who placed bedrock around their cake in cake wars and tp killing players. The thing is you can't even "accuse" players of cheating on their server. This was around 3/4 years ago and nothing has changed since, for a game worth billions of dollars and making billions at the same time it's a complete disaster. Shame nothing will ever be done about it. A+ Video as always
I remember this, how it worked/works as far as i recall was that you used a combination of "notick" as well as a clientsided gamemode 1 along with some specific moving around you did in your inventory to prevent the items from becoming ghost items, then there was also .enchant commands that let you make 32k items
Lack of anticheat is a problem, but the real problem is the fact that bedrock servers TRUST the client for inventory data! This is something that was patched in Java edition back in ALPHA! This was only a few versions after the initial server software was released. Meanwhile, bugrock has been out for years and still struggling with the same issue.
Literally what I was about to say. Even 2b2t isn't this NUTS. Mojang just can't/don't want to do their job right. It's not their problem as long as they make money after all 😒
bedrock is non negotiably the most broken version of minecraft. one time i was playing split screen and the left half everything was tinted blue except my character
Bedrock is a perfect game, with no Glitches at all 😅 Really though, Switch Bedrock (what I play) is garbage. Glad I started playing Legacy Console again since I still had it. That actually runs smoothly on Switch while Bedrock can lag a ton, just with 2 people that are literally like 1-2 miles apart.
@@paulhudalla9527 As a Bedrock Player I can agree that Switch Players got it bad compared to other versions of Bedrock (Haven't played Switch but most of the things I hear/read on the Bug Tracker are from Switch Users)
Rule #1. Never trust the client. Always validate all data sent to the client. Yes, some cheats can be hard to detect/prevent, but the client should never be able to just "get" items.
@@holymeto9981 I think he means that you need to have your game check data coming from the client to ensure it is data that should be coming from them, so that you can only execute commands if you are allowed to
It is utterly ridiculous that Mojang has no protections in place at all for Bedrock edition. One of the first things you do before you release a multiplayer game is to make sure the client can't manipulate how the server processes information. I wouldn't even necessarily consider such a precaution as an anti-cheat measure. It's just common sense.
Yeah its not even an anti cheat that's meant to prevent this, its coding in a way so the client can't modify data that should only be changed by the server or check the data the client is sending to make sure its actually possible.
Yeah. It is the same like a bank allowing to send any arbitrary data and not validating it so you could just "transfer" yourself 1000000$ from any account or something like that.
I've been a victim to this! I had a small world for survival and invited someone. They put on an inappropriate skin and quickly switched back, so I got suspicious of them. Within 2 minutes later their friend joins and asks for access to place blocks. I neglecting did, and they went kinds far. They placed one of these blocks, and executed commands such as the title command, fill command for every player, and totem noises, giving me a jumpscare. I've since blocked them, and reported them. But I HIGHLY doubt that Microsoft cares at all, and will do anything about it.
@@itzadam_ ah yes, another person who thinks calling out the fact that my name is stupid (which is the point) disproves my point atleast it's more creative and memorable than "itz adam" might aswell call yourself "dave" or "steve" at that point
How does the client even have the ability to create and/or edit items??? There's clearly some bad client trusting code floating around. Can't be too surprised considering bedrocks messy development history where it was initially single player only, and gradually evolved from that to peer2peer to dedicated servers. Fascinating stuff.
@@chrissametrinequartz9389 You can spoof packets in Java edition too, but if it's to generate/change an item in your inventory the server just won't accept that. You can see this when you have an item desync: your client tells the server to do something with this item, and the server tells the client that item doesn't even exist, then it disappears from your client. If servers just blindly trusted clients and did not checks, the Internet would not function.
As someone who's in several discord servers for a while now, I can say that Microsoft is actually doing their job! (Kind of) 1.19.60 patched the exploit that clients like Horion have been using to spawn items. But crash exploits and combat hacks remain as functional as they have been for years.
@@tpkowastaken Haven't heard of crashing being patched, I can go look and see if Zephyr's exploits work (Yup, teleporting out of bounds still works on the integrated server and on realms 🤦)
I had one of these happen to a public realm I was a admin on and I managed to solve it pretty fast by just disabling command blocks and killing all command block mine carts. It was a challenge for the team to give everyone who was online back their gear
@@Clip_It1 I would say yes but they have no discord and rely on adding members though that Xbox find group thing so it’s ridiculously annoying to find/join
Even Minecraft Java's default "anticheat" is better than this, you can see that with ghost items: your client says "I have this item" that got desynced and the server responds with "lol no you don't", it seems like Bedrock doesn't even do that kind of check.
I’m so glad to see larger channels finally looking at the bedrock community because it’s kinda getting horrible at this point. The group that crashed the mob vote servers have done so many awful things it’s insane
There's also the "4D" skin situation. Most featured servers block these skins, but almost any non-featured server has no restrictions against them. Usually they are just skins with fancy geometry. Although, some people figured out importing real 3D models as skins, and because of this, I have a full model of Young Link from Super Smash Bros. Ultimate as a skin. It lags the hell out of people (sometimes even me) because it's so high poly.
@@uropig That's interesting. Didn't think it could be bypassed. It would be nice to do that, honestly, just because I have the Mario Mash-Up skin pack on PC (through some means I won't explain) and it'd be funny for people to see the skins that are supposed to be platform locked.
Ah, good 'ol Bugrock. I haven't touched it pretty much since Pocket Edition became Bedrock, it just devolved so quickly. At this point I've lost most hope in Minecraft servers, large servers tend to be bland, mid size server struggle with an ungodly amount of issues that Minecraft was never really designed to handle, and small community servers tend to fade away. And of course Bedrock is just a trainwreck. Once again, I think my main hope at this point is just that Hytale (or some other game!) will do it better.
@@shadowcomputing Literally exists already for java and (I'm not sure) maybe for bedrock too It's not an easy exploit and it needs the ability to obtain specific rare items to use, but it basically shuts down any server in seconds, however, upon restart there is a tiny vulnerability window of time which malicious users can exploit sometimes but it's easily patchable using any non vanilla server.jar (like papermc).
The reasons for why this stuff works is a bit wrong. The fact that they inject into the game has nothing to do with it, and while an anticheat can prevent them they shouldn't be needed. Java edition clients are able to and do modify packets, but the vanilla game on java edition has checks in place to verify that items should actually exist. On bedrock the server software just accepts whatever its sent. So you can just tell the server you crafted whatever you want and it just goes "yeah sure craft that stack of command blocks". Same thing goes with enchanting etc. Bedrock is just horrible network-wise and allows for much more packet abuse than java edition. Had a lot of fun with this on my old client :)
I should also mention that bans on servers are literally useless despite bedrock allowing for device bans alongside ip bans, the device id can be spoofed and ip bypassed with a vpn. Alt accounts are free since the ownership of the game is linked to your microsoft store account, but the ingame account can be any xbox account.
I know im writing a lot here but I'm sure someone would find this stuff interesting so heres one last thing regarding anticheats and kill aura. Kill aura on bedrock is a lot harder to prevent through an anticheat because you have to deal with touchscreen players who can tap on things to hit them regardless of it they are looking at them or not. You can check what platform a player is on but just like with the device id, the platform can be spoofed so that servers think PC players are on mobile.
In the latest 1.19.60 release, Mojang patched all the inventory transaction vulnerabilities and because of this, .cbe, .nbt, .dupe, etc, and the toolbox item changing by changing their nbt are patched. And because of this, both Toolbox and Horion clients are facing a lot of problems, and from 2 weeks Horion client has not supported 1.19.60, but Toolbox did but a lot of things are broken in it. Although, the combat related hacks still work, but server and realm crashing exploits are all patched.
@@Noone-ff4qd Actually, you are wrong. In a game, there are some vulnerabilities/faults left in a game and people use those vulnerabilities/faults to exploit the game or hack the game. But, the inventory transaction vulnerability has been fixed by switching the inventory transaction which was done by the client-side to server-side. Let me ask you a question, can you change the code, or values of a world which is hosted by a server and you are a normal member in that server, probably not because it is done in server-side and you can't change server-side stuffs, that's all.
Ever since the Toolbox community realized that the inventory modifiers like NBTs, Give items and Enchant weren't working, they have been talking about it and the developers have found a workaround, which was implemented in Toolbox Beta in 1.19.63. There are even some clients that MODIFY Toolbox so that you don't have to watch a 15 ou 30 seconds ad in order to gain access to some hacks, including NBT, Give and Enchant. It's not even just Toolbox. There are clients that even modify Toolbox so that Toolbox *itself* is hacked.
This is why I don't even bother with playing on featured servers besides Cubecraft or Hive, Cubecraft literally has a warning every couple hours reminding you of how many players they've banned. In my opinion unless your server has a proper anticheat you shouldnt be allowed or elligible to be a featured server at all
I think it's worth noting that in the latest update (1.19.60) mojang claims to have fixed inventory and nbt hacks. It'll be interesting to see how this change affects hack clients, unless they quickly find workarounds of course.
This is why I only find myself playing 2 servers, the hive and cubecraft where the anticheat is far better than lifeboat or Mineplex, it's sad to see how far lifeboat has fallen
You can also go to richard's channel (one of horion devs) and see that there are nickname change exploit, skins with custom and malicious models. Btw if exploit doesnt work on BDS (Realm server software) that doesnt mean that it wont work on other servers, for example on Hive there are no reach limit for blocks, which can lead to funny situations on bedwars when 1 person can break every bed or obstruct bridges (may be patched because I did that 3 years ago). Also there were commands for editing command and structure blocks in paid version, now there no paid version, but I think they are currently mocking mojang and microsoft.
As a used to be long time member of one of these groups, i can confirm that alot of these nbts can do this. You can do soo much with nbts that it is insane ranging from simple diamond armor to enchanted grass or smg to illegal items to edited blocks that crash games.
I would say this is the most dangerous bedrock exploit, and for java it would be the chunk and the book ban (For those who don’t know, the book ban (or whatever it is actually called) is where a player fills a shulker with written books, each filled with writting. The shulker is filled, then given to another player. This kicks them as it sends to many packets to the server, however they cannot rejoin. The only way they are able to rejoin is by there inventory being manually cleared or inventory accessed by a mod and the shulker being removed
It's actually easily avoidable. Don't pick up weird shulker boxes from anarchy players. common sense, literally as common as not typing your passwords in the chat.
Will you ever cover Vintage Story servers? As far as I'm aware it does have a system of privately run, publicly available servers just like Minecraft, but there's virtually no information to sort through them all. Might be worth a look some time, considering its a fun game and Minecraft servers are in a rather sorry state.
As someone who used to be a admin on a realm i spent alot of time on, nuke/NBT's are so annoying, there was also a discord server that someone put a bunch of realms on a crash loop by just having its realm code(the owner gave up soon after becuase rerolling hlthe servet did nothing to fix it), crazy what trollers and griefers can do just to mess witj people
As a bedrock mod for lifeboat it’s very hard to counter these hacks so for now the only way to combat this is just by doing normal modding and player reports. As time goes on we are figuring how to combat this. The nukers have been pretty much figured out but arua kill and etc. is still a issue
This brings me back yo the days of before mobile games started storing important data like paid in-game currency onto servers and it was super easy to modify currency and other stuff
Cheats are only more powerful on bedrock because the community hasn’t caught up with java’s anti-cheat. And I think java cheats are entering a new era. Clients are constantly testing the limits of anti-cheat so it’s an arms race.
Bigger servers do have an anticheat, but the problem is that Minecraft doesn't send packets for things that anticheat developers need Right clicking detection isn't possible for example due to the client having a spam bug, which happens when the player is looking on a block, holds right click down and is moving his cursor a bit And there are so many other things which bedrock messed up or just didn't implement what leads to the current situation with hackers being around everywhere
There's a reason why most people crap on Bedrock edition, and this is why. You shouldn't be able to do this just by editing your inventory on the client.
This is why I don’t play small servers anymore on bedrock, small servers have worse anticheats (most of the time) and that I only play on the bigger servers.
idk if u know, but these couldve also been used on P2W realms and servers, we in NRIS have been using crash methods that we had linked to an auto crasher to crash the most P2W realms and servers for a month because mojang never took any action to them.
If your realm or server gets nuked, turn off command blocks with the settings then make a copy of the world, it worked with the version that happened to me
@qy9 had the world on friends of friends so I didn't know the guy and neither did my friend really lol, definitely put it on invite only when ever you create a world
Tbh if this happens to ur realm all u got to do is load a back up from 10-20 minutes ago n it will go back to normal n ban the person that did it I had this happen 20times now and I beat them Everytime
once someone invited me to a realm i used tool box but all i did was spawn in some cameras and nether reactors i didnt feel like griefing cuz it was only up for 30 days and hasnt been up since so he never waisted money
Remember in the oldest versions of minecraft java edition where you could give yourself any item on a public server? yeah, this is basically the same thing happening here, but on the latest version of minecraft bedrock. The reason this happens is for the same reason it happened on java, it is because the inventory management code is client sided, meaning the client sends a packet to the server when their inventory changes. The server should be handling this code, but in bedrock, the client handles it. This means a malicious client (by malicious I mean a client which has something injected to it) could just send a fake packet that gives them whatever item they want. This doesn't sound too harmful? Well that would be the case, if only you couldn't manipulate NBT data of the inventory items when sending the packet. They way people get kits is by giving themselves a shulker box, and because they can manipulate the NBT data they can add whatever items they want to the shulker box they gave themselves with the exploit. The reason that people can execute console commands is because beehives, movingblocks and buckets of axolotls, with the proper nbt information supplied, can in-fact execute commands. So, these people just give themselves one of these with the malicious NBT data attached and use it to execute malicious commands on the server.
The mister epic: I am just showing you guys don’t actually do this. The comments: “I know what I am going to do” “Time to take out some pay 2 win servers” “Wonder if this would work on my friends realm”
I can't imagine how such a thing like that can happen. When creating a client/server application, you NEVER EVER check the validity of an action on the client. You should never trust the client. Even if the code is not open source, eventually people will find the way to hack it. You should always save the inventory of the player on the server, it should not be possible that the client can modify their inventory. This was fixed in Java right after Multiplayer was released. Imagine you log into a website and it asks "Do you know the password?", you answer yes and it just lets you in, without checking whether you entered the correct password.
Rule 1....like the first thing you SHOULD learn as a programmer when doing anything network related is the following phrase "NEVER TRUST THE CLIENT". If anything, I seriously doubt the quality of Bedrock's internal code if the client is able to change the internal state of a server. This means potentially Bedrock servers don't do any server-side checks to ensure a client behaves as one would expect.
Honestly, this might sound bad but I hope the hackers don't stop so more people go to java addition. Edit: I know many people don't have access to java. I thought about that. I was thinking it would get more people to research what java is. The ones who barely even knew about java what it is like. This is a stretch but it could even make Mojang want to make java cross platform. But that probably won't happen because Microsoft is greedy and wants in-game purchases. If you think this is wrong LMK.
@@lunar07 That version is literally a scam. People watch yt which is mostly about java edition, then they get confused why they can’t can’t join hypixel after begging there parents. It doesn’t matter if they don’t have a pc, they didn’t wanted to play that version in the first place.
@@qy9MC well not everyone is quite as knowledgeable as we are and so people will not realize they're getting the wrong product as they would assume that it would be the same as they see. And how does not having a pc /=/ not wanting to play the version? You could very well be aware that there are two versions but you cannot access java since you don't have a pc.
This is great, the more that new players suffer, the more they'll want to turn to Java Also, crashing with 1 block isn't anything new, you can do it on Java if there are no Plugins stopping you and you have creative, the crazy part is the fact that the server just lets you make arbitrary nbt in survival on bedrock
I remembered when toolbox worked on cubecraft so smoothly like I unlock nether in skyblock in a week, I could have done it in an hour but their admins were so much of tryhards
Biologist: we come across a bee nest and wait for the sun to show itself. as the first buzz of bee... wait what the heck is that? Oh no, is that the fabled command hornet? I've heard rumors about them and... Command hornet: /kill @e[type=homo sapien] Biologist: I've got a bad felling about this. Humanity is now extinct.
Hey, old bedrock hacker here. I've stopped playing now but the situation is worse than you think. I used to play skyways and bedwars and I could pretty much just summon sharpness 32K swords and destroy everyone. Good times, and thanks for bringing attention to this
Год назад+1
Such a useful video. Thank you so much. Had this happen on an anarchy server I ran and was baffled by the way the beehive was causing this to happen.
I remember a long time ago before they added commands to PE that there was an app called "PlugPE" or something that would put a fake player in your offline world and would allow you to use commands. I'm surprised that it even worked in the first place, and the fact that it probably still would work now...
great video, but there's two main points i want to make here: 1: the reason all of the NBT/item stuff is possible on bedrock is because the server is not "authoritative" of the inventory. the client player can literally say "yeah uhh i got 64 diamond blocks" and the server just agrees. this is actually fixed in newer versions of their server software and i have heard it's on some realms now, which is great. 2: there is no (moddable) dedicated server software for bedrock edition, so there is a lot of disconnect between the different featured servers and how they work. most server softwares are built entirely from the ground up, and the more janky servers (such as lifeboat) use old, slow community server software that is hard to develop on and immature in its development
@@mrdiamond64 you are correct, but they have not taken traction yet really for one reason or another. bdsx is relatively immature if I remember right, but I can't say for LiteLoaderBDS as I don't know
This video couldn't be timed better as the exploits have now just gone patched. Inventory data (including nbt data) is now managed by the server and not the client. This fixes gamemode exploit, .give command and those nbt loaders. Also They managed to break the client used in this video and now it crashes minecraft. This means that you can no longer just wipe servers (thank god). But the cheaters problem is still present but they at least have the same priviliges as java cheats. In case you wanted to try it out yourself (or even better patch it for your own server) you can use the ambrosial client and insert zypher in minecraft.
I remember when I played pocket edition i used an app called mcpemaster of the play store that basically gave me world edit and the ability to spawn in any item even some that seemingly didn’t exist even on other peoples worlds.
Wow, I don't know what is crazier, the fact that doing this is possible in vanilla servers or the fact that microsoft doesn't care about this and hasn't fixed this crazy exploit..
I guess I've technically coded some really annoying nukers, I once made this thing called THE INSURGENCE, and it summons a command block that summons a falling block every time it executes that a falling block exists, and that means every tick it doubles, within like 1 second your whole world has like 1024 entities already spawned lmao.
I used a Bedrock Client (Onyx) not for the Nuking or anything but to have something like the F3 Screen on my SSP as I tend to do Redstone and Farms and very much of a QoL thing (F3 Screen, On Screen Compass, On Screen Clock, Chunk Borders basically things found on Vanilla or Vanilla+ Java) And before you ask I play both Java and Bedrock and I find it hard to go back to Java because I don't know mechanics there
this reminds me of, when i was younger, i would play a skyblock server. but someone came over and gave me an item. it wasn't the same as this shit, but it crashed me, and made it unplayable to touch the server ever again
The problem is, it's like criminals and police. The police are always one step behind because they don't know what the criminal is going to invent next. Servers can't patch cheats that they don't know about, and when they do, the hackers invent a work around, meaning there is always going to be cheating... I would go back after a few months and see if they have caught up with hackers or not..
Honestly, this really should be on Mojang to fix. They need to implement code in Minecraft that protects the validity of the client code to prevent DLL hijacking attacks like this. Potentially also updating the server code to request a set of hashes for the client libraries to validate against that server's accepted versions. It wouldn't even be all that hard...
As a former bedrock realm moderator, I remembered how annoying it was to take ppls 32k, and my freind made a way to clear those certain stuff useing commands. You can see why I don’t play anymore
I guess it’s a good thing I never felt like playing Bedrock multiplayer. I rarely even play Java in multiplayer, but Bedrock just seemed like it’d be tricky with mobile controls.
I dont have much experience with multiplayer (i made 3 multiplayer games, 2 unfinished) and have 0 experience with Minecraft hacking I think the problem is being able to modify your inventory on your client instead of it being changed only by the server
The brainrot is somewhat funny, though, imagine knowing you will completely ruin someone's survival experience, and then expecting them to support your youtube channel and discord server.
This reminds me of some old school halo combat evolved hacks. We used to use console commands to spawn modified guns and as soon as someone without the hack picked up the gun, it would crash the server
FINALLY someone spoke up about this! Its such a big problem when some random bozo can just join my casual survival world and destroy it in seconds! This needs to get fixed.
Bedrock players, if you want a good server not infested with cheaters, join og-network.net (Port: 19132)!
Server Discord - discord.gg/G7zq6NPZnM
lol
I play it its fun
yawn
i know how to fix the issue with the pie chart
(keybinds helps)
It's crazy that you can still do this stuff in 2023. You'd think having the OFFICIAL Mob Vote server nuked would be enough incentive to try patching these exploits but ig not.
the issue is how would they do it
@@hrmm_9 by making an actual good server backend. on java its basically impossible to run operator commands or spawn in items with packets cause inventories are verified by the server through a lengthy process. currently on bedrock the server just accepts whatever you send it without any security measures or checks, which lets you do things like this with very minimal effort
edit: patched but still inexcusable for a lot of these
There are too many to patch
bedrock 1.19.60 patched it
They actually DID patch it.
What's crazy is I used to play Mineplex Bedrock daily even streaming it, until I was met with hackers who placed bedrock around their cake in cake wars and tp killing players. The thing is you can't even "accuse" players of cheating on their server. This was around 3/4 years ago and nothing has changed since, for a game worth billions of dollars and making billions at the same time it's a complete disaster. Shame nothing will ever be done about it. A+ Video as always
@shadrYT
The crossover we need
I remember this, how it worked/works as far as i recall was that you used a combination of "notick" as well as a clientsided gamemode 1 along with some specific moving around you did in your inventory to prevent the items from becoming ghost items, then there was also .enchant commands that let you make 32k items
Asking Microsoft to do something right with their IPs is a fruitless endeavor. They don't give a rat's ass unless it affects their wallets
Ah yes, Mineplex at its finest
Lack of anticheat is a problem, but the real problem is the fact that bedrock servers TRUST the client for inventory data! This is something that was patched in Java edition back in ALPHA! This was only a few versions after the initial server software was released. Meanwhile, bugrock has been out for years and still struggling with the same issue.
Bedrock
It's really strange to me that such a big game would trust the client at all with important data?
No. Thats wrong. The server can decide who stores the inventory data.
@@Buddelbubi Then how come a hacked client can modify nbt data server side on bedrock but cannot do the same in java?
Literally what I was about to say. Even 2b2t isn't this NUTS.
Mojang just can't/don't want to do their job right. It's not their problem as long as they make money after all 😒
bedrock is non negotiably the most broken version of minecraft. one time i was playing split screen and the left half everything was tinted blue except my character
I think I have a picture of it somewhere
Bedrock is a perfect game, with no Glitches at all 😅
Really though, Switch Bedrock (what I play) is garbage. Glad I started playing Legacy Console again since I still had it. That actually runs smoothly on Switch while Bedrock can lag a ton, just with 2 people that are literally like 1-2 miles apart.
undertale
Of course. Java is the perfect version, where you can walk around in the end and not die randomly, as Ph1lza can testify to that.
@@paulhudalla9527 As a Bedrock Player I can agree that Switch Players got it bad compared to other versions of Bedrock (Haven't played Switch but most of the things I hear/read on the Bug Tracker are from Switch Users)
This could be put to good use in destroying P2W Bedrock servers.
patched in most recent update
@@wildymcas a wise man said, if there's a will there's a way.
I have never seen a single pay to win bedrock server
@@SmitePlayz_ pixel paradise
@@SmitePlayz_ literally any of the main bedrock servers
Rule #1. Never trust the client. Always validate all data sent to the client. Yes, some cheats can be hard to detect/prevent, but the client should never be able to just "get" items.
What you mean?
@@holymeto9981 I think he means that you need to have your game check data coming from the client to ensure it is data that should be coming from them, so that you can only execute commands if you are allowed to
@@rory8182 Ok so you guys are relying on our morals to not cheat 32k items in even if we weren't operator? Is that what you meant or I misunderstood?
@@holymeto9981 yes, the current system just assumes that the client is working as intended and isn't sending data that is incorrect
@@rory8182 So this is a « just because We could, doesn't mean we should, as it would be cheating and immorale» situation?
It is utterly ridiculous that Mojang has no protections in place at all for Bedrock edition. One of the first things you do before you release a multiplayer game is to make sure the client can't manipulate how the server processes information. I wouldn't even necessarily consider such a precaution as an anti-cheat measure. It's just common sense.
Yeah its not even an anti cheat that's meant to prevent this, its coding in a way so the client can't modify data that should only be changed by the server or check the data the client is sending to make sure its actually possible.
Yeah. It is the same like a bank allowing to send any arbitrary data and not validating it so you could just "transfer" yourself 1000000$ from any account or something like that.
And the weird part is, they KNEW cheats existed when they made bedrock, but ignored that problem anyway!
@@abirdpilguy3211 but you still cant do something as big as executing any command you want on the server
These clients only allow for client side modifications, don't affect the server at all.
I've been a victim to this! I had a small world for survival and invited someone.
They put on an inappropriate skin and quickly switched back, so I got suspicious of them.
Within 2 minutes later their friend joins and asks for access to place blocks. I neglecting did, and they went kinds far. They placed one of these blocks, and executed commands such as the title command, fill command for every player, and totem noises, giving me a jumpscare.
I've since blocked them, and reported them. But I HIGHLY doubt that Microsoft cares at all, and will do anything about it.
Yep Microsoft 101, they won’t manage it for you and they won’t let u manage it for yourself.
"inappropriate skin" 💀💀💀
@@fortnitesexman says the person called fortnite sex man
I'm so sorry for your lost! Hopefully someone else can be a good friend to play in your world!
@@itzadam_ ah yes, another person who thinks calling out the fact that my name is stupid (which is the point) disproves my point
atleast it's more creative and memorable than "itz adam" might aswell call yourself "dave" or "steve" at that point
How does the client even have the ability to create and/or edit items??? There's clearly some bad client trusting code floating around. Can't be too surprised considering bedrocks messy development history where it was initially single player only, and gradually evolved from that to peer2peer to dedicated servers. Fascinating stuff.
they spoof the packets
@@chrissametrinequartz9389 You can spoof packets in Java edition too, but if it's to generate/change an item in your inventory the server just won't accept that. You can see this when you have an item desync: your client tells the server to do something with this item, and the server tells the client that item doesn't even exist, then it disappears from your client. If servers just blindly trusted clients and did not checks, the Internet would not function.
believe it or not, bedrocks inventory is actually client side.
yes. really
@@LiEnby *facepalm*
@@LiEnbymojang actually changed it everything to do with items is server sided now.
As someone who's in several discord servers for a while now, I can say that Microsoft is actually doing their job! (Kind of) 1.19.60 patched the exploit that clients like Horion have been using to spawn items. But crash exploits and combat hacks remain as functional as they have been for years.
I was halfway through writing a comment, then I saw this.
Crash exploits are fixed too aren't they? Or do you know about any?
@@tpkowastaken Haven't heard of crashing being patched, I can go look and see if Zephyr's exploits work
(Yup, teleporting out of bounds still works on the integrated server and on realms 🤦)
Combat hacks are not that game breaking. just annoy,ng for users
@@Choroalp fair
I had one of these happen to a public realm I was a admin on and I managed to solve it pretty fast by just disabling command blocks and killing all command block mine carts. It was a challenge for the team to give everyone who was online back their gear
Best way is to just have a command block that instantly kills npcs and command block in minecarts
@@haminice Realized that after looking up what the hack was and quickly added the command blocks
May I join this realm? If so do you have discord?
@@Clip_It1 I would say yes but they have no discord and rely on adding members though that Xbox find group thing so it’s ridiculously annoying to find/join
@Caseslayer115 I don't have xbox tho, I only have Nintendo and phone
Even Minecraft Java's default "anticheat" is better than this, you can see that with ghost items: your client says "I have this item" that got desynced and the server responds with "lol no you don't", it seems like Bedrock doesn't even do that kind of check.
yes, though if u go back far enough (i.e alpha something) you actually can spawn in items there, but that was before items could even hold NBT so .
I’m so glad to see larger channels finally looking at the bedrock community because it’s kinda getting horrible at this point. The group that crashed the mob vote servers have done so many awful things it’s insane
I am a realm owner and I have had my realm crash not once, but twice one guy even held it for ransom.
There's also the "4D" skin situation. Most featured servers block these skins, but almost any non-featured server has no restrictions against them. Usually they are just skins with fancy geometry. Although, some people figured out importing real 3D models as skins, and because of this, I have a full model of Young Link from Super Smash Bros. Ultimate as a skin. It lags the hell out of people (sometimes even me) because it's so high poly.
Video link?
there's a way to force these to appear on featured servers, I've seen people use this to force custom capes/pretend to be mojang staff
@@uropig That's interesting. Didn't think it could be bypassed. It would be nice to do that, honestly, just because I have the Mario Mash-Up skin pack on PC (through some means I won't explain) and it'd be funny for people to see the skins that are supposed to be platform locked.
I didn't even know "4D skins" were a thing... :U
this is insane.... I don't remember it being like this back around 2019 when I was a bedrock player....
Its basically non existent on the hive Minecraft Galaxie private realms and servers with your friends
Great video! I always enjoy your videos, they're so interesting even if it's a really obscure topic.
Thanks :)
@@TheMisterEpic ur welcome
Wow... And I thought the regular Java-based MC exploits are bad.
yeah somehow microsoft couldn't find devs with any networking experience whatsoever
@@atsizbalik I heard that Bedrock is mostly developed by Microsoft. They are even sitting in a different location.
@@atsizbalik Microsoft developed bedrock, mc Java was made by Mojang
@Abird Pilguy bedrock accounts also get stolen. my friend had an old account (back in like 2019 or something) and it got stolen.
Ah, good 'ol Bugrock. I haven't touched it pretty much since Pocket Edition became Bedrock, it just devolved so quickly. At this point I've lost most hope in Minecraft servers, large servers tend to be bland, mid size server struggle with an ungodly amount of issues that Minecraft was never really designed to handle, and small community servers tend to fade away. And of course Bedrock is just a trainwreck. Once again, I think my main hope at this point is just that Hytale (or some other game!) will do it better.
Look at mine test
Pocket edition was always bedrock though, the console versions just merged with pocket edition.
Let's go! Mr. Epic back with another epic video!
@@ell..... nice one bro
If in-game items can be modified server-side by the client, I wonder if there is a scarier exploit that allows code execution
I was thinking the same thing, this could be wayyyyy worse.
like the Log4Shell exploit?
@@ItsUtopia_ Yes, but on the server, not the player’s computer.
It's Micro$oft, so probably yes
@@shadowcomputing Literally exists already for java and (I'm not sure) maybe for bedrock too
It's not an easy exploit and it needs the ability to obtain specific rare items to use, but it basically shuts down any server in seconds, however, upon restart there is a tiny vulnerability window of time which malicious users can exploit sometimes but it's easily patchable using any non vanilla server.jar (like papermc).
The reasons for why this stuff works is a bit wrong. The fact that they inject into the game has nothing to do with it, and while an anticheat can prevent them they shouldn't be needed. Java edition clients are able to and do modify packets, but the vanilla game on java edition has checks in place to verify that items should actually exist. On bedrock the server software just accepts whatever its sent. So you can just tell the server you crafted whatever you want and it just goes "yeah sure craft that stack of command blocks". Same thing goes with enchanting etc. Bedrock is just horrible network-wise and allows for much more packet abuse than java edition. Had a lot of fun with this on my old client :)
I should also mention that bans on servers are literally useless despite bedrock allowing for device bans alongside ip bans, the device id can be spoofed and ip bypassed with a vpn. Alt accounts are free since the ownership of the game is linked to your microsoft store account, but the ingame account can be any xbox account.
I know im writing a lot here but I'm sure someone would find this stuff interesting so heres one last thing regarding anticheats and kill aura. Kill aura on bedrock is a lot harder to prevent through an anticheat because you have to deal with touchscreen players who can tap on things to hit them regardless of it they are looking at them or not. You can check what platform a player is on but just like with the device id, the platform can be spoofed so that servers think PC players are on mobile.
I don't know why but the idea of command block bees just cracks me up
In the latest 1.19.60 release, Mojang patched all the inventory transaction vulnerabilities and because of this, .cbe, .nbt, .dupe, etc, and the toolbox item changing by changing their nbt are patched. And because of this, both Toolbox and Horion clients are facing a lot of problems, and from 2 weeks Horion client has not supported 1.19.60, but Toolbox did but a lot of things are broken in it. Although, the combat related hacks still work, but server and realm crashing exploits are all patched.
This needs to be pinned or something
They aren't patched
They change the item values again
They never fully patch it
@@Noone-ff4qd Actually, you are wrong. In a game, there are some vulnerabilities/faults left in a game and people use those vulnerabilities/faults to exploit the game or hack the game. But, the inventory transaction vulnerability has been fixed by switching the inventory transaction which was done by the client-side to server-side. Let me ask you a question, can you change the code, or values of a world which is hosted by a server and you are a normal member in that server, probably not because it is done in server-side and you can't change server-side stuffs, that's all.
Ever since the Toolbox community realized that the inventory modifiers like NBTs, Give items and Enchant weren't working, they have been talking about it and the developers have found a workaround, which was implemented in Toolbox Beta in 1.19.63. There are even some clients that MODIFY Toolbox so that you don't have to watch a 15 ou 30 seconds ad in order to gain access to some hacks, including NBT, Give and Enchant. It's not even just Toolbox. There are clients that even modify Toolbox so that Toolbox *itself* is hacked.
This is why I don't even bother with playing on featured servers besides Cubecraft or Hive, Cubecraft literally has a warning every couple hours reminding you of how many players they've banned.
In my opinion unless your server has a proper anticheat you shouldnt be allowed or elligible to be a featured server at all
Ive been seeing a lot of NBT videos on my fyp. And honestly they scare me with how badly they can ruin servers and realms.
I think it's worth noting that in the latest update (1.19.60) mojang claims to have fixed inventory and nbt hacks. It'll be interesting to see how this change affects hack clients, unless they quickly find workarounds of course.
Who would win?
Any Bedrock server, even official ones set up by Mojang themselves
A beehive
The beehive stands no chance except if he uses steroids like command block minecarts
If this were any other game, I think the server would win.
This is why I only find myself playing 2 servers, the hive and cubecraft where the anticheat is far better than lifeboat or Mineplex, it's sad to see how far lifeboat has fallen
You can also go to richard's channel (one of horion devs) and see that there are nickname change exploit, skins with custom and malicious models. Btw if exploit doesnt work on BDS (Realm server software) that doesnt mean that it wont work on other servers, for example on Hive there are no reach limit for blocks, which can lead to funny situations on bedwars when 1 person can break every bed or obstruct bridges (may be patched because I did that 3 years ago). Also there were commands for editing command and structure blocks in paid version, now there no paid version, but I think they are currently mocking mojang and microsoft.
Bro people out here finding some of the most craziest ways to crash servers its getting insane i wonder what will be next.
As a used to be long time member of one of these groups, i can confirm that alot of these nbts can do this. You can do soo much with nbts that it is insane ranging from simple diamond armor to enchanted grass or smg to illegal items to edited blocks that crash games.
This is why I back up my server every 6-12 hours
I would say this is the most dangerous bedrock exploit, and for java it would be the chunk and the book ban
(For those who don’t know, the book ban (or whatever it is actually called) is where a player fills a shulker with written books, each filled with writting. The shulker is filled, then given to another player. This kicks them as it sends to many packets to the server, however they cannot rejoin. The only way they are able to rejoin is by there inventory being manually cleared or inventory accessed by a mod and the shulker being removed
It's actually easily avoidable.
Don't pick up weird shulker boxes from anarchy players.
common sense, literally as common as not typing your passwords in the chat.
Ah yes, BUGROCK Edition
That isn’t even a good pun anymore.
Will you ever cover Vintage Story servers? As far as I'm aware it does have a system of privately run, publicly available servers just like Minecraft, but there's virtually no information to sort through them all. Might be worth a look some time, considering its a fun game and Minecraft servers are in a rather sorry state.
As someone who used to be a admin on a realm i spent alot of time on, nuke/NBT's are so annoying, there was also a discord server that someone put a bunch of realms on a crash loop by just having its realm code(the owner gave up soon after becuase rerolling hlthe servet did nothing to fix it), crazy what trollers and griefers can do just to mess witj people
As a bedrock mod for lifeboat it’s very hard to counter these hacks so for now the only way to combat this is just by doing normal modding and player reports. As time goes on we are figuring how to combat this. The nukers have been pretty much figured out but arua kill and etc. is still a issue
no wonder why
lifeboat is p2w so i completely support all hackers
This brings me back yo the days of before mobile games started storing important data like paid in-game currency onto servers and it was super easy to modify currency and other stuff
Cheats are only more powerful on bedrock because the community hasn’t caught up with java’s anti-cheat. And I think java cheats are entering a new era. Clients are constantly testing the limits of anti-cheat so it’s an arms race.
i havnt played bedrock in about 2 years, and i used to love these servers. i need to check them out again and see all the hackers
as a bedrock player i must say: the intro gave me "average day on bedrock" vibes
Bigger servers do have an anticheat, but the problem is that Minecraft doesn't send packets for things that anticheat developers need
Right clicking detection isn't possible for example due to the client having a spam bug, which happens when the player is looking on a block, holds right click down and is moving his cursor a bit
And there are so many other things which bedrock messed up or just didn't implement what leads to the current situation with hackers being around everywhere
There's a reason why most people crap on Bedrock edition, and this is why. You shouldn't be able to do this just by editing your inventory on the client.
This moment when a Minecraft 1v1 turns into a DragonBall fight.
This is why I don’t play small servers anymore on bedrock, small servers have worse anticheats (most of the time) and that I only play on the bigger servers.
It happened to my friend's multi-player world. Not server, world. It's on bedrock ofc but he frequently makes backups so he can boot up a backup.
Minecraft Bedrock literally feels like the equivalent of the Ohio Memes at the moment.
idk if u know, but these couldve also been used on P2W realms and servers, we in NRIS have been using crash methods that we had linked to an auto crasher to crash the most P2W realms and servers for a month because mojang never took any action to them.
If your realm or server gets nuked, turn off command blocks with the settings then make a copy of the world, it worked with the version that happened to me
U have weird people to play with my guy
@qy9 had the world on friends of friends so I didn't know the guy and neither did my friend really lol, definitely put it on invite only when ever you create a world
I didn’t know it was possible to find peoples realm like that
realm codes has left the chat
Mojang has often made and often still makes weird decisions regarding servers, also on the development side of things.
Bedrock anarchy was decent but when cbe was discovered it went down hill
Tbh if this happens to ur realm all u got to do is load a back up from 10-20 minutes ago n it will go back to normal n ban the person that did it I had this happen 20times now and I beat them Everytime
once someone invited me to a realm i used tool box but all i did was spawn in some cameras and nether reactors i didnt feel like griefing cuz it was only up for 30 days and hasnt been up since so he never waisted money
wasted*
@@pumkin610 weestod
Not even bedrock players know what’s going on in bedrock
Because it's non existent in any server with more than 1000 players
Remember in the oldest versions of minecraft java edition where you could give yourself any item on a public server? yeah, this is basically the same thing happening here, but on the latest version of minecraft bedrock. The reason this happens is for the same reason it happened on java, it is because the inventory management code is client sided, meaning the client sends a packet to the server when their inventory changes. The server should be handling this code, but in bedrock, the client handles it. This means a malicious client (by malicious I mean a client which has something injected to it) could just send a fake packet that gives them whatever item they want. This doesn't sound too harmful? Well that would be the case, if only you couldn't manipulate NBT data of the inventory items when sending the packet. They way people get kits is by giving themselves a shulker box, and because they can manipulate the NBT data they can add whatever items they want to the shulker box they gave themselves with the exploit. The reason that people can execute console commands is because beehives, movingblocks and buckets of axolotls, with the proper nbt information supplied, can in-fact execute commands. So, these people just give themselves one of these with the malicious NBT data attached and use it to execute malicious commands on the server.
It’s about sending a message (Joker proving how bad bedrock is)
The mister epic: I am just showing you guys don’t actually do this.
The comments: “I know what I am going to do”
“Time to take out some pay 2 win servers”
“Wonder if this would work on my friends realm”
Nuking p2w servers is a very common practice it’s not a bad thing.
me waiting for horion to update so i can load the kits i made. (i dont mess around with nukers)
You're a fucking clown if you need to cheat in a block game made for kids
I can't imagine how such a thing like that can happen. When creating a client/server application, you NEVER EVER check the validity of an action on the client. You should never trust the client. Even if the code is not open source, eventually people will find the way to hack it. You should always save the inventory of the player on the server, it should not be possible that the client can modify their inventory. This was fixed in Java right after Multiplayer was released. Imagine you log into a website and it asks "Do you know the password?", you answer yes and it just lets you in, without checking whether you entered the correct password.
gotta say nuking a server in a child's game is the most saddest thing in the world lol
It’s not targeting it’s the simple act of trolling
Rule 1....like the first thing you SHOULD learn as a programmer when doing anything network related is the following phrase "NEVER TRUST THE CLIENT".
If anything, I seriously doubt the quality of Bedrock's internal code if the client is able to change the internal state of a server. This means potentially Bedrock servers don't do any server-side checks to ensure a client behaves as one would expect.
Honestly, this might sound bad but I hope the hackers don't stop so more people go to java addition.
Edit: I know many people don't have access to java. I thought about that. I was thinking it would get more people to research what java is. The ones who barely even knew about java what it is like. This is a stretch but it could even make Mojang want to make java cross platform. But that probably won't happen because Microsoft is greedy and wants in-game purchases.
If you think this is wrong LMK.
Fr
That's really shìtty to say tho
not everyone has a pc
@@lunar07 That version is literally a scam. People watch yt which is mostly about java edition, then they get confused why they can’t can’t join hypixel after begging there parents. It doesn’t matter if they don’t have a pc, they didn’t wanted to play that version in the first place.
@@qy9MC well not everyone is quite as knowledgeable as we are and so people will not realize they're getting the wrong product as they would assume that it would be the same as they see.
And how does not having a pc /=/ not wanting to play the version?
You could very well be aware that there are two versions but you cannot access java since you don't have a pc.
This is great, the more that new players suffer, the more they'll want to turn to Java
Also, crashing with 1 block isn't anything new, you can do it on Java if there are no Plugins stopping you and you have creative, the crazy part is the fact that the server just lets you make arbitrary nbt in survival on bedrock
Is it possible to use these bedrock clients on Java servers that are using Geyser? If so do all the same crazy exploits work with it?
No. Geyser converts bedrock packets into Java packets. But the server is still fully java
I remembered when toolbox worked on cubecraft so smoothly like I unlock nether in skyblock in a week, I could have done it in an hour but their admins were so much of tryhards
solution: play java instead
Never🗿
For a game named after the infamous unbreakable block of Bedrock, it sure seems to break easily.
Most passive aggressive "No pressure" I ever seen...
Biologist: we come across a bee nest and wait for the sun to show itself. as the first buzz of bee... wait what the heck is that? Oh no, is that the fabled command hornet? I've heard rumors about them and...
Command hornet: /kill @e[type=homo sapien]
Biologist: I've got a bad felling about this.
Humanity is now extinct.
Hey, old bedrock hacker here. I've stopped playing now but the situation is worse than you think. I used to play skyways and bedwars and I could pretty much just summon sharpness 32K swords and destroy everyone. Good times, and thanks for bringing attention to this
Such a useful video. Thank you so much. Had this happen on an anarchy server I ran and was baffled by the way the beehive was causing this to happen.
We love pople with the Bedrock > java mindset.
I remember a long time ago before they added commands to PE that there was an app called "PlugPE" or something that would put a fake player in your offline world and would allow you to use commands. I'm surprised that it even worked in the first place, and the fact that it probably still would work now...
great video, but there's two main points i want to make here:
1: the reason all of the NBT/item stuff is possible on bedrock is because the server is not "authoritative" of the inventory. the client player can literally say "yeah uhh i got 64 diamond blocks" and the server just agrees. this is actually fixed in newer versions of their server software and i have heard it's on some realms now, which is great.
2: there is no (moddable) dedicated server software for bedrock edition, so there is a lot of disconnect between the different featured servers and how they work. most server softwares are built entirely from the ground up, and the more janky servers (such as lifeboat) use old, slow community server software that is hard to develop on and immature in its development
point 2 is wrong. BDSX and LiteLoaderBDS are based on the vanilla BDS with modding support
@@mrdiamond64 you are correct, but they have not taken traction yet really for one reason or another. bdsx is relatively immature if I remember right, but I can't say for LiteLoaderBDS as I don't know
Oh wow, this is really interesting. Obviously I know this is almost always used for malicious reasons, but it's still pretty cool.
This video couldn't be timed better as the exploits have now just gone patched. Inventory data (including nbt data) is now managed by the server and not the client. This fixes gamemode exploit, .give command and those nbt loaders. Also They managed to break the client used in this video and now it crashes minecraft. This means that you can no longer just wipe servers (thank god). But the cheaters problem is still present but they at least have the same priviliges as java cheats. In case you wanted to try it out yourself (or even better patch it for your own server) you can use the ambrosial client and insert zypher in minecraft.
I remember when I played pocket edition i used an app called mcpemaster of the play store that basically gave me world edit and the ability to spawn in any item even some that seemingly didn’t exist even on other peoples worlds.
When you realize what Crashery is and that you don't even need to join the game let alone open Minecraft to crash a realm 💀
I'm so glad Mojang added chat reports instead of patching these, now you dont have to worry about being reported because you can't even play!
i got banned for making a bot to scrape the marketplace;
then i went and unbanned myself. very rude mojang
Wow, I don't know what is crazier, the fact that doing this is possible in vanilla servers or the fact that microsoft doesn't care about this and hasn't fixed this crazy exploit..
I guess I've technically coded some really annoying nukers, I once made this thing called THE INSURGENCE, and it summons a command block that summons a falling block every time it executes that a falling block exists, and that means every tick it doubles, within like 1 second your whole world has like 1024 entities already spawned lmao.
I used a Bedrock Client (Onyx) not for the Nuking or anything but to have something like the F3 Screen on my SSP as I tend to do Redstone and Farms and very much of a QoL thing (F3 Screen, On Screen Compass, On Screen Clock, Chunk Borders basically things found on Vanilla or Vanilla+ Java)
And before you ask I play both Java and Bedrock and I find it hard to go back to Java because I don't know mechanics there
1:18 Ok ok ok i kinda want to see what "DVDLogo" looks like
this reminds me of, when i was younger, i would play a skyblock server. but someone came over and gave me an item. it wasn't the same as this shit, but it crashed me, and made it unplayable to touch the server ever again
I still remember crashing many p2w bedrock servers with servercrasher working on almost everywhere
man i remember having a 32k collection and my own dupe method in mineplex survival on my old xbox, so crazy
The problem is, it's like criminals and police. The police are always one step behind because they don't know what the criminal is going to invent next. Servers can't patch cheats that they don't know about, and when they do, the hackers invent a work around, meaning there is always going to be cheating... I would go back after a few months and see if they have caught up with hackers or not..
The funny thing is all those Mineplex hackers are so bad at hacking that I win every game even with 2 hackers at once
Honestly, this really should be on Mojang to fix. They need to implement code in Minecraft that protects the validity of the client code to prevent DLL hijacking attacks like this. Potentially also updating the server code to request a set of hashes for the client libraries to validate against that server's accepted versions.
It wouldn't even be all that hard...
8:13 - (in Demoman's voice): *THERE CAN BE ONLY ONE!*
As a former bedrock realm moderator, I remembered how annoying it was to take ppls 32k, and my freind made a way to clear those certain stuff useing commands. You can see why I don’t play anymore
They fixed all the issues mentioned in the video months ago....
I guess it’s a good thing I never felt like playing Bedrock multiplayer. I rarely even play Java in multiplayer, but Bedrock just seemed like it’d be tricky with mobile controls.
I dont have much experience with multiplayer (i made 3 multiplayer games, 2 unfinished) and have 0 experience with Minecraft hacking
I think the problem is being able to modify your inventory on your client instead of it being changed only by the server
Imagine playing on a server and then suddenly the real TheMisterEpic starts killing you with hacks
The brainrot is somewhat funny, though, imagine knowing you will completely ruin someone's survival experience, and then expecting them to support your youtube channel and discord server.
This reminds me of some old school halo combat evolved hacks. We used to use console commands to spawn modified guns and as soon as someone without the hack picked up the gun, it would crash the server
TheMisterEpic: Bedrock > Java
TheMisterEpic few years later:
FINALLY someone spoke up about this! Its such a big problem when some random bozo can just join my casual survival world and destroy it in seconds! This needs to get fixed.