[MC-277749] Security Issue: can connect to a server twice for remote access to other players mojang bug

Double Join // Shadow Player Glitch (aka Wormhole)

Setup:

Make a singleplayer world

Open it to LAN

Use ngrok to port-forward it (ngrok makes it consistent, but certain plugins work too. Without ngrok or plugins, it's SUPER hard)

Use a 2nd minecraft account to spam-join
-> Double-join on a server. You can leave and the shadow player will stay

Use Essentials Mod
Invite yourself to join a specific server
Join another server and then accept the invite mid-join
-> Join 2 servers at the same time. No doublejoin, but works on every server
(Essentials Setup found by srnyx)

Try to join hypixel (Other servers might work too), immediately click cancel

Quickly join another server or singleplayer world

-> Join 2 servers at the same time

Effects:

If there's a chest at XYZ on the shadow player's server AND on the real player's server, opening the shadow player's server's chest will client side open the chest on the real player's server. This works with: Chest, Trapped Chest, Ender Chest, Note Block, Piston, Sticky Piston, Beacon , Mob Spawner , End Gateway , Shulker Box. The blocks at XYZ don't need to be the same. For example, opening a CHEST at XYZ on server 1 will also activate the piston at XYZ on server 2
You hear everything the shadow player hears, even if you're on the title screen (Ingame sounds + /playsound)
You see every particle the shadow player sees (Too many can crash the game)
Change gamemodes (Spectatormode in survival, real adventure mode but you can still place blocks by punching, creative mode with flight + ghost items from the inventory. Can't sneak clientside in spectator, but serverside. When not sneaking clientside, you can fall off edges)
Give Ghost Items (Ghost items turn real in creative mode though)
Chat Messages incl. Tellraw
Title / Subtitle / Actionbar
Teleport (Max range roughly 10 blocks (Only in multiplayer servers)? Path must be unobstructed, unless you're in server side creative mode). You can teleport through blocks vertically as long as the final position is not inside a block. Maybe range depends on speed[ https://www.youtube.com/watch?v=Gi2PPBCEHuM|https://www.youtube.com/watch?v=Gi2PPBCEHuM]
Set XP (Client Side)
Damage him (Hurt animation + Update hearts by showing the shadow player's hearts until the real player's hearts update) (Client Side)
Make an explosion (Blocks will disappear client side, and it will give the explosion momentum. But if you walk into the hole, you'll snap back because there's actually blocks there still)
Render a different server onto your screen (Including that server's entities like players. Also including scoreboards, teams, tablist . Probably more consistent when you're in creative mode. Use /execute as PLAYER at @s in minecraft:DIMENSION run tp @s ~ ~ ~ (Once the server stops, you will stay there, but the AI stops and once you leave, it softlocks, as it can't save the world))
Bossbar
Force-teleport to another server (Example Hypixel and /p warp)
Advancements + Recipes (Custom ones too)
Carpet mod (on the server):
Change Hotbar Slot
Open GUIs (Chests, anvil, signs, BOOKS require a book item in the mainhand, use lecterns instead). Book GUIs with clickevents are possible, the commands will run on the server the real player is on (With his perms. No Force-OP, unless the person performed the glitch and you use a ghost-item book or a lectern)

If the shadow player has a GUI open and you close it (For example by breaking the block he's opened), the real player's menus will also close. However, this is only client-side. Meaning if you open a chest on the main server, then close the GUI client-side, the chest stays open until you walk away. With this, you can put 5 items in your inventory's crafting grid + cursor without losing them[ https://twitter.com/SilicatYT/status/1593678617522864131|https://twitter.com/SilicatYT/status/1593678617522864131]. If you open a real chest GUI, then open a fake chest GUI WHILE having the other one still open, closing the fake one will close the real one as well. While having a GUI open server-side, closing any real GUIs like your inventory will close that other GUI as well -> Remote shulker box closing. While having a chest open server-side, new items that you receive don't update your inventory, so it will look empty //[ https://twitter.com/SilicatYT/status/1593685145873047552|https://twitter.com/SilicatYT/status/1593685145873047552] Opening chests without animation or sound -> Avoid sculk sensor SERVER