This repository has been archived by the owner on Mar 5, 2023. It is now read-only.

[BUG] PingBypass account vulnerability #136

Closed
3 tasks done
Ai2473 opened this issue Aug 23, 2022 · 8 comments

@Ai2473

Ai2473 commented Aug 23, 2022

FIX ASAP BECAUSE AN IP LEAK COULD GET TO COORDS LEAK AND ... ??

Describe the bug
If you try to connect to a pingbypass server (account1) and you have another account on the client (account2), you will be able to use the server account.

To Reproduce
Steps to reproduce the behavior:

  1. Log in with an account on the pingbypass server and launch the server
  2. Log in with another account on the Minecraft client
  3. Connect to the pingbypass
  4. You end up using the account on the server

Expected behavior
You can't connect to the pingbypass or at least to MC servers

Describe the solution you'd like
- Maybe a password? (I think it would not be such a good fix)
- Unable to connect to the pingbypass server (This would not be good because people can use this pingbypass bug to quickly use alts)
- Add the option to use this but the setting is disabled by default (good solution, but then add password(?))

Should be fixed in some way on the client too (maybe just ask if the server is updated and notify about the vulnerability)

Checklist

  • I know how to properly use check boxes.
  • I have included logs, screenshots, exceptions and / or steps to reproduce the issue.
  • I followed the issue template.
@Ai2473 Ai2473 added the bug Something isn't working label Aug 23, 2022
@cattyngmd
Contributor

You can set a password on your pingbypass server

@Ai2473
Author

Ai2473 commented Aug 23, 2022

It should be a default requirement, because it's not safe like this rn

@3arthqu4ke
Owner

Same account on server and client is difficult to impossible, Minecraft will say that you logged in from another location afaik.

Making passwords mandatory sounds like a good idea.

@Ai2473
Author

Ai2473 commented Aug 23, 2022

no wait, ik you can't log in to the same server from 2 locations at the same time, the problem is:
- To use MC you need an account (have a username, so can be cracked or premium) just to open the game
- By connecting to the server (with any account in the client) you use the account in the server.

example
You are the owner of a server
I'm connected to your server with pingbypass (this is your server, so you know my ip)
You can find the port where my pingbypass is
You can connect to my pingbypass (you are using the account on the pingbypass server)
You now have access to my account
--I hope you understand this

Btw adding a mandatory password is good, but adding just a simple check for the server that the account on the client is the same and that it is premium seems simpler, because you can make this check the default, but you can remove it with a setting if you need

@3arthqu4ke
Owner

No, I get you, but I thought when you log into your Minecraft account on another PC your session becomes invalid?

@Ai2473
Author

Ai2473 commented Aug 23, 2022

I have the same account on 3 PCs and I can play with them at the same time (just not the same server), btw this is not the thing I'm talking about, if you can send me a dm Ai_2473#7275 and I'll quickly show you what I mean

@Ai2473
Author

Ai2473 commented Aug 23, 2022

1.8.0!!

thx for 3arthh4ck btw ❤️

@3arthqu4ke
Owner

Hmm, password is now mandatory, I will think about some other ways to improve security. Using the same account sounds good, but I will need to look into the auth stuff for that. Another thing I thought about would be a Hmc-Specifics plugin that prompts you when someone is about to connect to the server and you have to confirm it in the server console.
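
The access policy this thread converges on (a mandatory password, plus a same-account check that is on by default and can be switched off), as an added Python example that is not part of the thread or of PingBypass itself. `ProxyConfig`, `authorize` and every field name are hypothetical, and the client username is assumed to be client-supplied and unverified.

```python
import hmac
from dataclasses import dataclass


@dataclass
class ProxyConfig:
    # All field names are hypothetical; they are not PingBypass settings.
    server_account: str                # account the proxy server is logged in with
    password: str = ""                 # shared secret the client must present
    require_same_account: bool = True  # on by default, can be switched off


def validate_config(cfg):
    """Fail closed: refuse to run a proxy that has no password set."""
    if not cfg.password:
        raise ValueError("refusing to start: a password is mandatory")


def authorize(cfg, client_username, client_password):
    """Return (allowed, reason) for one incoming proxy connection."""
    validate_config(cfg)
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(client_password.encode(), cfg.password.encode()):
        return False, "bad password"
    # The username is client-supplied and unverified here, so this is a
    # second barrier on top of the password, not a replacement for it.
    if cfg.require_same_account and client_username != cfg.server_account:
        return False, "account mismatch"
    return True, "ok"


if __name__ == "__main__":
    cfg = ProxyConfig(server_account="account1", password="constructed-secret")
    # Constructed connection attempts mirroring the issue's reproduction steps.
    for user, pw in [("account2", ""), ("account2", "constructed-secret"),
                     ("account1", "constructed-secret")]:
        print(user, authorize(cfg, user, pw))
```

Turning the same-account comparison into real proof of account ownership would need the session authentication the owner mentions looking into; the name comparison alone only filters out accidental or casual connections.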
