Bungee - Spigot UUIDSpoof - Fix 4.1

Fix the UUID Spoofing with this plugin!

  1. zPirroZ3007 submitted a new resource:

    UUIDSpoof - Fix - With this plugin you will block the UUID Spoof client!

    Read more about this resource...
  2. A few points to note.
    • This is strictly for offline mode servers and WILL NOT protect against IPForwarding spoofs. It'd be worth mentioning that in the top of the thread. (Not sure if that's its intentions I'm not too familliar with offline servers).
    • If the api goes down or hits the Mojang request limit for whatever reason, things will break, and that leads me on to my next point..
    • (Minor) UUID checking is done in the main thread onJoin, ideally one of the LoginEvents should be used, since they're async IIRC.
      • Can either allow everyone, or denys everyone.. Depending on request timeout vs minecraft timeout.
    • (Minor) OfflineMode UUID checks don't require mojang confirmation/any http requests.
    #2 _Cory_, Aug 5, 2016
    Last edited: Aug 5, 2016
  3. Can you add an in game reload command? :)
  4. [16:16:31] [Server thread/WARN]: [LagMonitor] Server is performing a blocking socket connection on the main thread

    Should I remove LagMonitor?
    • Funny Funny x 1
  6. it works in paperspigot 1.7.10?
  7. Spigot 1.7.x/1.8.8
  8. I would like to make an api with UUID?

    UUID-fix not to crash the server by constant check on HTTP?
  9. Are you fucking stupid or just dumb you just leaked peoples ips...
    1. ... 14 more
    2. [14:26:47] [Server thread/INFO]: yScoopeyBDF[/] logged in with entity id 2115 at ([lobby] -275.45401690144143, 34.0, -613.0379780797986)
    3. [14:26:51] [Server thread/INFO]: zDaNnPvP[/] logged in with entity id 2116 at ([lobby] -275.45401690144143, 34.0, -613.0379780797986)
  10. This make lag on my server and spam this error.Pls help me!

    [16:24:38] [Server thread/ERROR]: Could not pass event PlayerJoinEvent to UUIDSpoofFix v1.2
    at org.bukkit.plugin.java.JavaPluginLoader$1.execute(JavaPluginLoader.java:310) ~[server.jar:git-Spigot-5f38d38-18fbb24]
    at org.bukkit.plugin.RegisteredListener.callEvent(RegisteredListener.java:62) ~[server.jar:git-Spigot-5f38d38-18fbb24]
    at org.bukkit.plugin.SimplePluginManager.fireEvent(SimplePluginManager.java:502) [server.jar:git-Spigot-5f38d38-18fbb24]
    at org.bukkit.plugin.SimplePluginManager.callEvent(SimplePluginManager.java:487) [server.jar:git-Spigot-5f38d38-18fbb24]
    at net.minecraft.server.v1_8_R3.PlayerList.onPlayerJoin(PlayerList.java:298) [server.jar:git-Spigot-5f38d38-18fbb24]
    at net.minecraft.server.v1_8_R3.PlayerList.a(PlayerList.java:157) [server.jar:git-Spigot-5f38d38-18fbb24]
    at net.minecraft.server.v1_8_R3.LoginListener.b(LoginListener.java:144) [server.jar:git-Spigot-5f38d38-18fbb24]
    at net.minecraft.server.v1_8_R3.LoginListener.c(LoginListener.java:54) [server.jar:git-Spigot-5f38d38-18fbb24]
    at net.minecraft.server.v1_8_R3.NetworkManager.a(NetworkManager.java:231) [server.jar:git-Spigot-5f38d38-18fbb24]
    at net.minecraft.server.v1_8_R3.ServerConnection.c(ServerConnection.java:148) [server.jar:git-Spigot-5f38d38-18fbb24]
    at net.minecraft.server.v1_8_R3.MinecraftServer.B(MinecraftServer.java:814) [server.jar:git-Spigot-5f38d38-18fbb24]
    at net.minecraft.server.v1_8_R3.DedicatedServer.B(DedicatedServer.java:374) [server.jar:git-Spigot-5f38d38-18fbb24]
    at net.minecraft.server.v1_8_R3.MinecraftServer.A(MinecraftServer.java:654) [server.jar:git-Spigot-5f38d38-18fbb24]
    at net.minecraft.server.v1_8_R3.MinecraftServer.run(MinecraftServer.java:557) [server.jar:git-Spigot-5f38d38-18fbb24]
    at java.lang.Thread.run(Thread.java:745) [?:1.8.0_91]
    Caused by: java.lang.NullPointerException
    at me.zpirroz.uuidfix.Main.onJoin(Main.java:95) ~[?:?]
    at sun.reflect.GeneratedMethodAccessor174.invoke(Unknown Source) ~[?:?]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_91]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_91]
    at org.bukkit.plugin.java.JavaPluginLoader$1.execute(JavaPluginLoader.java:306) ~[server.jar:git-Spigot-5f38d38-18fbb24]
    ... 14 more
  11. Hi @PurpleFishh !

    Are you sure that the api (http://uuidfix.altervista.org/api.php?mode=<mode>&name=<name>) Is not blocked by your server firewall, or your hosting? :)

    Anyway, next week will be released a version in which will be removed the external API check, maybe will be used the Mojang API, or a self-coded Java API.

    Kind Regards,
    - Pirro
    • Like Like x 1
  12. zPirroZ3007 updated UUIDSpoof - Fix with a new update entry:

    A big update!

    Read the rest of this update entry...
  13. Uhm i somehow don't get it...

    You want to protect offline mode servers by making sure, that the UUID matches the online UUID for each player?

    But the UUID on offline mode servers does NOT match the online UUID! On offline mode servers the UUID is a hash of the playername string.
    Only when some kind of online-UUID fetcher is running, the UUID will be changed to the online UUID after the first login of a new player.

    This only seems to make sense for offline mode servers with running online UUID fetchers, am i right?
    By default it will kick all people because the offline UUID doesn't mach to the online UUID.

    This leads to my next question: Does this plugin support offline mode UUIDs? E.g. a config setting if the plugin should compare with online or offline UUIDs.

    Furthermore all offline-mode servers (at least all offline-mode servers i know) use any kind of ingame authentification (e.g. /login command). Once such a login plugin protects the server, all your UUID stuff is unneccessary, too?

    Maybe... i guess the only case when your plugin REALLY is needed, when a server uses a online mode UUID fetcher, but a name based (not UUID based) ingame authentification. This is very unlikely.

    You should at least add an offline-mode UUID support.
    #18 Michel_0, Dec 28, 2016
    Last edited: Dec 28, 2016
  14. Hi @Michel_0 ! A question, have you tried the plugin?

    This plugins makes sure that the UUID maches the OFFLINE UUID for each player on OFFLINE Servers, this plugin supports only offline UUIDs, on offline servers. On online-mode servers, the exploit does not work.

    For the authentication on offline servers, when a UUID is spoofed, you can create any account, with any nick, but with the UUID of any player/operator, because AuthMe (or any plugin of authentication out there) works with the nick.

    Kind Regards,
    - Pirro
  15. Thanks for your fast reply.
    Nope, not yet.

    So this point is irrelevant, because you're not using the Mojang web API to get the UUID?

    I just thought it was the other way round. There has been a exploit to spoof UUIDs on online mode: https://www.sk89q.com/2011/09/minecraft-name-spoofing-exploit/. I don't know if this online-mode exploit is fixed yet. If not, you should add online-mode support.

    I didn't check authme yet, but im pretty sure since 1.8 the major amount of authentification plugins uses UUIDs.

    However, now some things where more clear about it. But i still got some questions left:
    • When someone uses an UUID fetcher to use online-mode UUIDs on a offline-mode server (i'm pretty sure a properly set up bungeecord network already supports this), then your plugin can't be used?
    • Do you know if the online-mode UUID spoofing exploit i mentioned above has been fixed yet?
    • Since there is only one packet (http://wiki.vg/Protocol#Login_Start) to set the client name, how is it even possible to change the UUID on offline-mode?