Mojira Archive
MC-207803

Security Issue: Can connect to a server twice for remote access to other players

You can connect to a server twice at the same time by either:
1) Have the direct connect cancel button overlaid with the direct connect button, then enter an IP of a private server and spam Enter and left-click.
2) Add a private server twice to your server list. Select one and hover over the other one, then left-click and press Enter at the same time.
3) Have internet connection issues and try to join multiple times.

Once this has happened, you have 2 players with the same name on the server. When the person performing the glitch leaves or gets kicked, the fake player will stay in the private server. If that person now joins a server or a singleplayer world, it can be influenced by the fake player. Like, that person will see chat messages visible on the private server, even if they are not on the same server. Or the person could be teleported around and get banned from almost any multiplayer server or griefed on their own singleplayer world. I made a video explaining everything in detail: https://www.youtube.com/watch?v=JC_av-MsZk0

This can potentially be automated with plugins, which people could use to mass-ban people, crash people's clients, get OP with clickevent books etc. 

EDIT: This glitch works from versions 1.8 - 1.20 snapshots. And by giving the fake player on your private server an item while the real player is on a server or a singleplayer world, they get that item too if they are in creative mode. When you have a client-side mod like carpetmod on the localhost server the duplicate player is on, you can use the "/player" command to change the real player's hotbar, open any GUI and more, regardless of whether or not the real player is on a server or in a singleplayer world. Opening a GUI like a chest repeatedly can softlock the player so that he has to restart the game, while opening a book or a lectern can open a book with clickevents, so that when changing a page or clicking the text, the player either says something, opens an internet website or runs a command (e.g. /op PLAYERNAME).

Won't Fix

SilicatYT

2020-12-06, 07:30 PM

2024-12-03, 08:14 AM

2024-12-03, 08:14 AM

2

5

Confirmed

Important

Platform

Networking

crash, multiplayer, server

1.16.4 - 1.21.3

1.16.4, 20w49a, 1.16.5, 1.17.1, 1.18.2, 1.19.4, 1.21.3

1.20 Pre-release 5