Do NOT just "connect to a Java server"

ShelLuser, 5/21/22 8:52 pm
Hi gang!

I have a Surface Pro X (love that critter!) but due to the ARM architecture I can't run many games on there, Java is also a huge issue but... the Minecraft app runs like a charm and even though I'll take Java over Bedrock any day of the week (just being honest here) I'll also be the first to share that the Bedrock edition is definitely a very fun and solid addition to the Minecraft universe as well. I'm actually very deeply hooked into a survival game and... yeah, it's cool.

Anyway, when I'm messing around with something new I try to learn more about it and I recently learned of a way to: "Connect to a Java server using the Bedrock edition".

Yah... stupid YouTubers.... please be very careful before you bother with this idiocy, because it could easily get your account stolen & abused.

See, the thing is that you can't use your Bedrock client to connect to a Java server, it doesn't work like that. However.... people have set up so-called "proxies" where you use your Bedrock client to connect to "a bedrock server" after which that so-called proxy server will connect to the Java server on your behalf and "translate" all the data and send it back to your client.

The "only" thing you need to do is ... I kid you not: please provide your Java username & password so that this will work. And it pains me to see several clueless YouTubers actually demonstrating and promoting this! (from my POV most of them are either totally clueless or driven by attracting views). Why it pains me? Shouldn't that be obvious by now?

See: you're basically giving your account credentials away to a random server expecting to be connected to a Java server but at the same time HOPING they're not going to store your account data and use that for their own purposes. Yah, it pains me even more to see tons of comments below said YouTube videos thanking the idiot that they showed the viewers a new way to give away your Mojang account!!

What. The. .... <censored>?!!!!

As such my comment... please be careful here. Do NOT blindly trust others to keep your account safe, you're NOT connecting to a Java server one on one, you're actually giving your account data away to others while hoping that nothing bad will come from it. Don't go there!

https://www.youtube.com/watch?v=k8ySVcNsRoI

Here's another one of those YouTube idiots: 4:45 "just" log in with your Java account.... 🙄 and don't bother thinking about who will now gain access to said account as well. 🤦‍♂️

This is NOT safe. Hence me calling them out as idiots. Because you're really giving away access to your account.

Stay safe out there people! Don't give your account away just like that!
Posted by ShelLuser
Level 57 : Grandmaster Engineer
89

Ra_The_RECKER
05/30/2022 1:35 am
Level 21 : Expert Miner
bro that's not how it works lmao. How do you think connecting to servers works on Java? Your account needs to be authenticated, which is why you can't join Hypixel from a cracked account, and to authenticate your account, you need to send your username and password to Mojang, then Mojang sends a packet to the server that the account is authenticated and lets you join the server. All you're doing is providing your credentials to Mojang lmao
3
lonewolf73828
05/30/2022 12:55 am
Level 1 : New Explorer
Thanks for the warning. Being asked to put in my account and PW on some third party server would definitely raise red flags for me. It's just too easy to fall prey to scams and phishing these days.
1
purejosh
05/30/2022 5:57 pm
Level 3 : Apprentice Modder
Read other comments, too. OP doesn't have enough experience to be coaching people about their account safety.
2
ShelLuser
05/21/2022 10:45 pm
Level 57 : Grandmaster Engineer
Well.... I dunno what to say.... because it's kinda obvious people don't even bother to think this through. Either that or the educational system really hit rock bottom.

Fair warning: https://steamcommunity.com/discussions/forum/0/3283699172756933269/

That's how you may end up as... blaming the system because you refuse to acknowledge the obvious.

I'm also a rather devoted Steam user and you can see comments like that on a daily basis: "I got an invite from a trustworthy friend to vote on a website, I logged on and now all my stuff is gone. Steam is INSECURE". Yah, let's all ignore the fact that by entering your account name + password (+ optional extra credentials) onto a site that isn't Steam => you're giving your account away.

This is the exact. same. thing.

Alas. I tried :P
2
purejosh
05/22/2022 9:26 am
Level 3 : Apprentice Modder
The local geyser client isn't a "site". It's a local client that translates your packets from bedrock to java. The only services it talks to are the Mojang auth servers, and the java server you log in to.

You claim that we're "ignorant", but dude, you need to look inside. You're clearly in over your head. There's no shame in admitting that you had no idea what you were talking about, and moving on.
3
Budderman18_youtube
05/21/2022 10:32 pm
Level 21 : Expert Network
Any geyser server owner with a brain in their head will install floodgate as well, eliminating the need of a java account.



Not sure why this functionality isn't built into geysermc (what's the point in bedrock support if you require java to do so? That's just dumb.) Also unsure why many tutorials (such as Antvenom's) don't mention this point. The vast majority of geyser servers run floodgate. The ones that don't are usually run by cracked servers, which surprises me that people are dumb enough to run those given how stupidly easy it is to hack into those.



(Seriously people, NEVER run a cracked server)
4
JoeEnderman
05/21/2022 9:47 pm
Level 52 : Grandmaster Creeper Hugger
Some servers use geysermc, and those work fine without selling account data. You can install geyser on your bedrock account, but I don't know how. Supposedly you can connect to any java server, but you may experience issues if you aren't on java. Some servers will ban you just for joining with Geyser installed.
2
ShelLuser
05/21/2022 10:10 pm
Level 57 : Grandmaster Engineer
Sure, because no one will ever change the code, promote to be using Geyser and... no harm done?

The moment you enter your account name and password onto something outside of Mojang you're giving your credentials away. It doesn't matter how they package it, it all boils down to you giving your account away hoping that the other party doesn't abuse it.

If you ever wonder why scamming and phishing is such a huge issue.... I'd say this is solid proof as to why.
1
JoeEnderman
05/22/2022 12:07 am
Level 52 : Grandmaster Creeper Hugger
Did you get your account stolen? The internet is a rough place, you have to watch your own back for the most part. Also, GeyserMC is pretty trustworthy. If you get it from their site, there will be no malware or anything. They don't want to sell your account, and if they did, no one would use Geyser.
2
ShelLuser
05/22/2022 12:45 am
Level 57 : Grandmaster Engineer
Nah, but I am passionate about computer security because it's both a bit of a passion and my work.

This is me trying to help people avoid the obvious but... it has become obvious to me that this is a lost battle. When people easily claim that a proxy server is the same thing as the actual server "because" then yah..... ignorance rules.

Can't say I didn't try.

Then again I'm also not too surprised either, plenty of people on Steam got hit with the facts and still refused to believe because... Obviously "$famous_moron" can't be wrong because they're famous. And that ignorance hits harder on gaming platforms I guess.

I mean... it's only been a few years ago since plenty of people believed that this dude was a stock market genius:

https://en.wikipedia.org/wiki/Bernie_Madoff

Or what about Theranos:

https://en.wikipedia.org/wiki/Theranos



In case you're wondering how those last links are relevant: simple: because despite people like me telling others "this is BAD" with plenty of factual knowledge backing up the claims people still deemed it necessary to wave it all away because OBVIOUSLY Madoff was a marketing genius and OBVIOUSLY Theranos HAD to be real considering their high profile board of staff.

And we all know how that ended up.... in hindsight.

No, a proxy server cannot relay your account info without actually keeping it in store itself. Either in memory or by saving the info on disc.

But ey.... I did my part. There's no fighting ignorance.
1
purejosh
05/22/2022 9:28 am
Level 3 : Apprentice Modder
THE PROXY SERVER DOES NOT STORE YOUR INFO. For crying out loud.

It sends the info you type to Mojang's auth, and gets the auth token back. The auth token is then used to auth into servers to play on.

ffs, kid.
2
JoeEnderman
05/22/2022 5:04 am
Level 52 : Grandmaster Creeper Hugger
You are right, there is no fighting ignorance. Multiple people explained that GeyserMC works very differently than what you claim.
3
purejosh
05/21/2022 10:23 pm
Level 3 : Apprentice Modder
If someone "pretends" to be geyser and steals your credentials, you screwed up. It's pretty clear that you're using the geyser client or the geyser plugin, when setting things up.

If you screw up bad enough to send your creds to some 3rd party phishing app, you should just not use the internet at all. Let's be honest.
5
ShelLuser
05/22/2022 12:56 am
Level 57 : Grandmaster Engineer
Please explain to us how you can make sure? ;) I mean, it's easy to make unfounded claims.

Second....

Why even assume that geyser is beyond flaw in the first place? I guess no one at geyser can be bad because... reasons?

The whole volunteered website site cannot be overrun because fame?

Oh, I know: it's open source so it CANNOT be bad.

Yet at the same time sites like "two... something" now easily advertise with a guarantee of providing hundreds of accounts.

Fact of the matter is that as soon as you enter your account + password on ANY site that isn't Mojang and/or Microsoft you're taking a risk.

What's your stake into all this? ;)
1
purejosh
05/22/2022 9:31 am
Level 3 : Apprentice Modder
So now you're just blatantly talking shit about security risks with Geyser.

Also, again, you're not entering your info on a site. You're typing it into a local client, THROUGH bedrock.

You're a fool. Stop typing.
2
purejosh
05/21/2022 9:44 pm
Level 3 : Apprentice Modder
Yeah, I'm not sure what tangent you're going off on, but I've only ever heard of a geyser server which doesn't require any extra creds. Maybe there's some site out there or something, pretending to be a geyser knockoff?

Unsure, haven't heard of it. I play Java, like an adult.

Also, AntVenom would literally never promote a scam. I don't even watch the dude, but he's way too big to be promoting scams that'll get your accounts locked up. Those credentials are being gathered locally anyway, and are being sent to the Java server as a normal login request. So I don't think you have any idea what you're talking about.
6
Budderman18_youtube
05/21/2022 10:57 pm
Level 21 : Expert Network
geyser by default requires you to put in java credentials to play, however the same people who make geyser made a plugin called floodgate, which creates UUIDs for bedrock players so they can play without a java account.



Almost every geyser server has floodgate, the ones that don't are likely cracked servers, which it surprises me that people are stupid enough to run those, or even join them, but that's a whole other topic.
5
ShelLuser
05/21/2022 10:07 pm
Level 57 : Grandmaster Engineer
"Also, AntVenom would literally never promote a scam."

Maybe not knowingly, but their own video makes it quite clear that they have no issues with promoting a potential risk. Because that is what it is: the moment you go ahead and put in your account name & password onto a site that isn't Mojang itself then ... you're giving your account info away. Plain & simple.

And yah, AntVenom is advertising it. As such my comments about: that is beyond stupid.
1
purejosh
05/21/2022 10:19 pm
Level 3 : Apprentice Modder
You're wrong, though. Which is fine. It's just a lack of understanding.

Email names and passwords are not sent to a server when you log in. That, in and of itself, would be a vulnerability to every multiplayer server ever. They're sent to Mojang's auth server, which then gives you an auth key/token, and THAT is sent to the server for the login.

The email and password that you enter is being translated and handled by the app, which sends these packets to Mojang, not to the server. Only the response from authserver.mojang.com (or modern day equivalent) is being sent to the server.

"Maybe not knowingly, but their own video makes it quite clear that they have no issues with promoting a potential risk."
There are no risks in transmitting the auth key/token. You don't understand how it works. I doubt AntVenom does either, but as described in his video, there are no security risks that exceed a simple java client to java server login.

Read this, and read the wiki on Yggdrasil, and maybe consider removing this post to avoid spreading misinformation.

www.reddit.com/r/admincraft/comments/2ajrm2/how_joining_a_server_works/
8
Ra_The_RECKER
05/30/2022 1:35 am
Level 21 : Expert Miner
"emails and passwords are not sent to a server when you log in"
I know right? Why tf is OP just assuming random things?
2
ShelLuser
05/21/2022 10:40 pm
Level 57 : Grandmaster Engineer
This is hilarious.... and pretty sad.

We're not talking about a server, we're talking about a PROXY server. How do you expect a proxy to get your credentials onto another server without... I dunno, forwarding it? And how is that done?

OMG.
1
purejosh
05/21/2022 10:47 pm
Level 3 : Apprentice Modder
A proxy server authenticates your login the same way a normal one does. That's literally the entire point of it.

The ONLY WAY to log in to a Java server is to auth with mojang. Whether you auth with the mojang client, the geyser client, or some other 3rd party mod manager, it all goes to mojang, and the auth token comes back from mojang. The auth token is ONLY GOOD for logging into a server.

If your terribly drawn point is that you're typing a password into a geyser client, and not mojang's, you really should communicate that better. That risk comes with the platform, and there's legal repercussions that can be drawn over shared or leaked info. Plus, these products don't want to screw you over, they want you to support them. Leaking your $25 account creds would screw them more than it would screw you.
8
ShelLuser
05/22/2022 12:29 am
Level 57 : Grandmaster Engineer
But HOW can a proxy server authenticate your account without knowing anything about you?

It's kinda obvious that you don't have a single clue about how this thing actually works.
1
Tip
05/21/2022 9:16 pm
Level 3 : Apprentice Explorer
While some of this is true, some normal servers have Bedrock & Java Edition compatibility that do use a proxy to connect, you don't HAVE to enter any sort of passwords for this. All they do is run an additional port with a plugin called Geyser and you'll just change your Bedrock / Pocket Edition port from its default to the one created for the proxy.
4