Minecraft Server Hacked

cheats, minecraft-java-edition, minecraft-java-edition-server

I am the admin on a server, and a new person came on the server for the first time. He asked for a book to "write a story". We gave him the book and he gave it to the owner. The owner opened up the book and it De-Opped him and op-ped the player. The player then went around and World-Edited removing many things. Does anyone know how to prevent this, or what actually happened?

PS: The owner, in his anger, deleted the book before actually looking at what the book did…

Best Answer

Up until very recently, there's been a bug in Minecraft that allows any client to change the NBT data of an item in its inventory. A player by the name of Ammar discovered this 2 years ago and reported it to Mojang confidentially. After repeatedly contacting them about it and getting little response, Ammar recently decided to release details of the exploit publicly. This finally forced Mojang to fix it and release an emergency 1.8.4, but older servers are still vulnerable.

Books, using the JSON format, can have "ClickEvents" and "HoverEvents" on certain pieces of text that cause it to run a command. This can usually not be created by a normal player. Also, due to another bug, these commands bypass the restrictions placed on command blocks such as not being able to use /op.

What's likely happened here is that the player has asked for a book, and then changed its NBT data to give it hover event commands that give the player OP.

You should be able to protect against this exploit by upgrading your server to 1.8.4.
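For admins who want to inspect a suspicious book before anyone opens it, here is an added example (not part of the original answer) that walks a book's page text and reports any click event that would run a command. It assumes the page strings have already been pulled out of the book's NBT `pages` tag; `scan_book`, `iter_components` and the sample pages are hypothetical names and constructed data.

```python
import json

# Click actions that make the reader's client issue a command when clicked.
COMMAND_ACTIONS = {"run_command"}


def iter_components(node):
    """Yield every dict in a JSON text component tree, including nested children."""
    if isinstance(node, dict):
        yield node
        # 'extra' holds sibling components, 'with' holds translation arguments.
        for key in ("extra", "with"):
            yield from iter_components(node.get(key))
    elif isinstance(node, list):
        for child in node:
            yield from iter_components(child)


def scan_book(pages):
    """Return (page_number, action, value) for each command-running click event."""
    findings = []
    for number, raw in enumerate(pages, start=1):
        try:
            root = json.loads(raw)
        except ValueError:
            # Plain-text pages are not JSON. A page that strict JSON rejects but
            # that still mentions clickEvent may be loosely formatted JSON, so
            # report it for manual review instead of skipping it.
            if "clickEvent" in raw:
                findings.append((number, "unparsed", raw))
            continue
        for comp in iter_components(root):
            click = comp.get("clickEvent")
            if isinstance(click, dict) and click.get("action") in COMMAND_ACTIONS:
                findings.append((number, click["action"], str(click.get("value", ""))))
    return findings


# Constructed sample: a plain page, a harmless page-turn link, and a command link.
SAMPLE_PAGES = [
    "Once upon a time...",
    '{"text":"Chapter 1","extra":[{"text":" next",'
    '"clickEvent":{"action":"change_page","value":"2"}}]}',
    '{"text":"The end","clickEvent":{"action":"run_command","value":"/op ExamplePlayer"}}',
]

if __name__ == "__main__":
    for page, action, value in scan_book(SAMPLE_PAGES):
        print(f"page {page}: {action} -> {value}")
```
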