Minecraft name registration exploit
Hello! As developer(s) of minecraft.net/Mojang, you are probably aware of bots being used to "snipe"/take Minecraft usernames. I am here to report the preferred method of these bots. They exploit a mistake, or a very weird function in your system, in order to block a username from being taken by anyone else for 24 hours until their owner claims it. How do they do it? First I'll explain how to block a name on a smaller scale that is easy to reproduce.
Step 1. Go to minecraft.net and begin to register a new account. Enter your email and password.
Step 2. During the billing phase of registering, enter any username that is not currently taken by someone.
Step 3. Still during the billing phase, select "Gift card" and enter a non-existent gift card number (any number, just make one up).
Step 4. Continue to the next page. It will not bring you to the next page; however, it will display a loading gif and effectively block that username you typed in from being taken by ANYONE besides this non-premium account you made to block the name with.
Step 5. You have a period of 24 hours to claim this name on the account that you blocked it with. The first time you attempt to claim the username it will unblock it so anyone can take it; the second time you attempt to claim the name you will get it. However, YOU are the one who decides when it gets unblocked and can take advantage of this to do it at a random time within 24 hours, so realistically you will be the one getting the username.
So how do they use this to their advantage to take usernames? They create tens of thousands of non-premium Minecraft accounts and when a username they want is almost ready to become available they spam these fake gift card code requests with the desired username. One of their thousands of accounts will ultimately get it, they scrape through all of the accounts, and then once they find which account successfully blocked it they will log into that account at a random time, and quickly unblock and take the name on a desired account (can be a different account from the one they blocked it with).
Now, this is either a coding error, or an intentional design from many years ago, even before name changes were possible. Nonetheless, please fix this outdated/flawed code. Thanks so much for reading.
2019-10-12, 04:55 AM
2023-10-13, 06:38 PM
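A defender-side check for the pattern the report describes, added here as an example that is not part of the original report and not Mojang's code: it flags usernames for which several distinct accounts submit invalid gift card codes within a short window. The event fields, the thresholds, the case-insensitive name comparison and the sample data are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed layout, not a real log format):
# (timestamp, account_id, requested_username, payment_method, result)
EVENTS = [
    ("2019-10-12T04:00:00", "acct-0001", "RareName", "giftcard", "invalid_code"),
    ("2019-10-12T04:00:01", "acct-0002", "rarename", "giftcard", "invalid_code"),
    ("2019-10-12T04:00:01", "acct-0003", "RareName", "giftcard", "invalid_code"),
    ("2019-10-12T04:00:02", "acct-0004", "RareName", "giftcard", "invalid_code"),
    # One user mistyping a real code twice: same account, not a campaign.
    ("2019-10-12T04:10:00", "acct-0020", "Builder42", "giftcard", "invalid_code"),
    ("2019-10-12T04:10:40", "acct-0020", "Builder42", "giftcard", "invalid_code"),
    # Three accounts, but hours apart: outside the default window.
    ("2019-10-12T01:00:00", "acct-0010", "OldName", "giftcard", "invalid_code"),
    ("2019-10-12T03:00:00", "acct-0011", "OldName", "giftcard", "invalid_code"),
    ("2019-10-12T05:00:00", "acct-0012", "OldName", "giftcard", "invalid_code"),
    # Successful purchase: ignored.
    ("2019-10-12T04:00:03", "acct-0030", "RareName2", "creditcard", "ok"),
]

def flag_contested_names(events, window=timedelta(minutes=5), min_accounts=3):
    """Map username -> sorted accounts when at least `min_accounts` distinct
    accounts sent an invalid gift card code for that name within `window`."""
    failures = defaultdict(list)
    for ts, account, name, method, result in events:
        if method == "giftcard" and result == "invalid_code":
            # Names are compared case-insensitively (assumption).
            failures[name.lower()].append((datetime.fromisoformat(ts), account))
    flagged = {}
    for name, hits in failures.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            accounts = {acct for _, acct in hits[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(name, set()).update(accounts)
    return {name: sorted(accts) for name, accts in flagged.items()}

if __name__ == "__main__":
    for name, accts in flag_contested_names(EVENTS).items():
        print(f"{name}: {len(accts)} accounts with failed gift card attempts: {accts}")
```

Detection of this kind only surfaces the campaign; the underlying fix the report asks for is to stop an unvalidated payment attempt from holding the name at all.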