mojira.dev
WEB-3566

Duplicated nicknames with different case of letters

Helllo and helllo,


https://sessionserver.mojang.com/session/minecraft/profile/7211ae0b-db3f-4680-ae7c-b34f2c4befc0

https://sessionserver.mojang.com/session/minecraft/profile/ba5d76c5-d2fb-41c4-88e7-f54552632f7d

These users have the same nicknames, but with different letter case. How is it possible? Is there any possibility of fixing this bug in the entire database to prevent any problems on Java Edition servers?


Best Regards,

k0l0r3k99

Comments (3)

Yesterday (Dec 7, 2020) we had 2 users with the usernames "Prz" and "prz" log in to our server. This caused a few issues with our databases and plugins as expected.

[11:05:09] [User Authenticator #81/INFO]: UUID of player Prz is 9a066737-945e-4083-9ad9-b22269f17a5d
[11:05:19] [User Authenticator #81/INFO]: UUID of player prz is e74ad591-1088-4062-a185-35c39759b7b3

After doing a little bit of research, and a day later, we noticed the namemc page for "prz" (the lowercase one) had changed and no longer mentioned the username "prz" at all. We assumed it was an issue with namemc, so we then proceeded to use the Mojang API.

When we use the Mojang API to check their username history using https://api.mojang.com/user/profiles/e74ad59110884062a18535c39759b7b3/names, the history does not mention "prz" at all, even though that was the UUID the user had at the time of logging in to our server.

Hopefully this little additional information helps!
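The collision described in the comment above is easy to catch from the server's own authenticator log lines. The following is an added example, not code from the report or from Mojang: it parses the `UUID of player X is Y` lines, flags names that were seen with more than one UUID, and contrasts a name-keyed lookup (which silently drops one of the two accounts) with a UUID-keyed one. The third log line and its all-zero UUID are a constructed placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: the first two lines are the ones quoted in the comment
# above, the third is a made-up login with a placeholder UUID.
LOG_LINES = [
    "[11:05:09] [User Authenticator #81/INFO]: UUID of player Prz is 9a066737-945e-4083-9ad9-b22269f17a5d",
    "[11:05:19] [User Authenticator #81/INFO]: UUID of player prz is e74ad591-1088-4062-a185-35c39759b7b3",
    "[11:07:42] [User Authenticator #82/INFO]: UUID of player Steve is 00000000-0000-0000-0000-000000000001",
]

# Matches the authenticator line the server prints on every online-mode login.
LOGIN_RE = re.compile(r"UUID of player (?P<name>\S+) is (?P<uuid>[0-9a-fA-F-]{36})")


def parse_logins(lines):
    """Return (username, uuid) pairs; UUIDs are normalised to the dashless
    form that the Mojang profile API uses in its URLs."""
    logins = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            logins.append((m.group("name"), m.group("uuid").replace("-", "").lower()))
    return logins


def index_by_name(logins):
    """The fragile pattern: a case-insensitive name key silently overwrites one
    of two colliding accounts, which is how plugins lose data in this case."""
    return {name.casefold(): uuid for name, uuid in logins}


def index_by_uuid(logins):
    """The robust pattern: key on the UUID, which stays unique even when two
    names differ only by case."""
    return {uuid: name for name, uuid in logins}


def find_case_collisions(logins):
    """Map each casefolded name to {uuid: name_as_seen} and keep only names
    that were seen with more than one UUID; these need manual review."""
    seen = defaultdict(dict)
    for name, uuid in logins:
        seen[name.casefold()][uuid] = name
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Run against a real `latest.log` to list every name pair that needs reconciling before the accounts are reverted or renamed.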


The accounts were created due to a bug in the system where the giftcard name endpoint (https://api.minecraftservices.com/minecraft/profile) didn't have a rate limit, so you were able to spam that endpoint as well as the name change endpoint together to create duped account usernames. (This does not work anymore, as they added a rate limit.)

These are all the known dupe accounts created using this method (they have all been reverted as of 3 days ago):

e9t - [00e2ab9b6b2f4f41b7efb55d5169f0b8] Prio
E9T - [ef31f67558f2450394b75c30ade468af]

k7u - [149e53fdecc24c6180a71c4e8e9c659a] Prio
K7U - [4be171405292485787c1e4ba8fb90207]

Prz - [9a066737945e40839ad9b22269f17a5d] Prio
prz - [e74ad59110884062a18535c39759b7b3]

GFY - [374108f2c1704189a8913bfc4c0fe459] Prio
Gfy - [e25ba3611790496eaf015cd3b7ee446b]

YBD - [372d671cb16c4aa997d466e8ac297683] Prio
ybd - [8af6db3ecddb464e80573eaa1f1e4e59]

UM4 - [f16f1a450a2a42ad8e64147a0556e6cb] Prio
Um4 - [1e20fa4a368f407780cf69ebc110ebf5]

HENT - [228695a1f5ef4565bd499cc687245309]
hent - [8f472e7e74da44f1af068822ba874a37] Prio

Zonix - [44de0b9f0d1b49f6a94e735dc071ff3f]
zonix - [08bfd320bf7646bd84d9229c96b596f1] Prio

sundae - [56778399e9874150a21da56c1839cf2b]
Sundae - [84411aad35ac496abc646d76c07b854d] Prio

helllo - [7211ae0bdb3f4680ae7cb34f2c4befc0] Prio
Helllo - [ba5d76c5d2fb41c488e7f54552632f7d]

CONDITIONER - [511a0663afe94084a42e0799c1ea023f] Prio
Conditioner - [0556c7b3b34941ce8de27a1c8f56e2fc]

LoveMePlease - [10627754f045405bac86bb47904d8cd4] Prio
LOVEMEPLEASe - [19ce6f864ac54238810bcc76a7225bfc]

(credit to mew for the list <3)

Sounds like we've added a rate limit on the endpoint and reverted the affected names, so I'm closing this.

k0l0r3k99

(Unassigned)

API

Retrieved