Developer @ capes.me (& NameMC Extras), Web developer, Bug hunter. Follow my 𝕏!
Date: 07/16/25
Hey! I’m Faav, and this is how I hacked Minecraft Realms!
One day, I saw a tweet by CornerHard showing a new page on Minecraft.net to edit Realms.
https://x.com/CornerHardMC/status/1661112139111874562
You can now manage several of the settings of your Realms directly on Minecraft.net!

I started testing XSS payloads in the name and description fields, and tried changing the id to edit other people’s Minecraft Realms, but nothing worked.
Then I began exploring the Invite feature and noticed that it wasn’t URL-encoding user input, so I could use path traversal, #, and ?.
While randomly testing, I invited my own username with a # and for some reason it changed the Realms inviter/owner username.

I also realized I could use Minecraft formatting codes like &k to make my username show as random obfuscated characters.

Eventually, I discovered I could make the Realms inviter/owner username millions of characters long, which crashed the game of whoever I invited (and in the Realms tab in the launcher).
A few months later, this was patched, but I’m not sure of the exact date.
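The missing URL encoding in the Invite feature, as an added example that is not code from Minecraft.net or from this post: it shows how an unencoded username changes the request a web front end sends to its backend, why encoding alone still lets `..` through, and how an allowlist with a length bound stops all of the inputs described above. The backend URL, the `invites/<realmId>/<username>` path layout, the function names and the 3-16 character username rule are assumptions made for illustration.

```javascript
// Hypothetical backend base URL and path layout (not taken from the page).
const UPSTREAM = "https://realms-backend.example/";

// Vulnerable pattern: user input is concatenated into the path unencoded,
// so "#", "?" and "../" are interpreted as URL syntax instead of data.
function inviteUrlUnsafe(realmId, username) {
  return new URL(`invites/${realmId}/${username}`, UPSTREAM);
}

// Encoding alone: "#", "?" and "/" become data, but encodeURIComponent leaves
// "." untouched, so a bare ".." is still normalised away as a dot segment.
function inviteUrlEncodedOnly(realmId, username) {
  return new URL(`invites/${realmId}/${encodeURIComponent(username)}`, UPSTREAM);
}

// Assumed allowlist: 3-16 letters, digits or underscores. This also rejects
// "&k" formatting codes and multi-million character names before any request.
const USERNAME_RE = /^[A-Za-z0-9_]{3,16}$/;

// Hardened pattern: validate first, then encode every path segment.
function inviteUrlSafe(realmId, username) {
  if (!/^\d{1,19}$/.test(String(realmId))) throw new Error("invalid realm id");
  if (typeof username !== "string" || !USERNAME_RE.test(username)) {
    throw new Error("invalid username");
  }
  return new URL(
    `invites/${encodeURIComponent(realmId)}/${encodeURIComponent(username)}`,
    UPSTREAM
  );
}

// What the backend actually receives (the fragment is never sent at all).
function sentToBackend(url) {
  return url.pathname + url.search;
}

// Constructed sample inputs, one per behaviour described in the post.
const samples = ["Faav", "Faav#x", "../../other?x=1", "..", "&kFaav", "A".repeat(1e6)];
for (const name of samples) {
  const label = name.length > 20 ? `<${name.length} chars>` : name;
  let safe;
  try { safe = sentToBackend(inviteUrlSafe(42, name)); } catch (e) { safe = `rejected (${e.message})`; }
  console.log(label, "| unsafe:", sentToBackend(inviteUrlUnsafe(42, name)).slice(0, 40), "| safe:", safe);
}
```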