@bribes
Last active July 18, 2025 20:49
Hacking Minecraft Realms: Spoofing Realms Owner

Hacking Minecraft Realms: Spoofing Realms Owner (Crashing Minecraft)

Date: 07/16/25

Hey! I'm Faav, and this is how I hacked Minecraft Realms!

One day, I saw a tweet by CornerHard showing a new page on Minecraft.net to edit Realms.

https://x.com/CornerHardMC/status/1661112139111874562

You can now manage several of the settings of your Realms directly on Minecraft.net!

I started testing XSS payloads in the name and description fields, and tried changing the id to edit other people's Minecraft Realms, but nothing worked.

Then I began exploring the Invite feature and noticed that it wasn't URL-encoding user input, so I could use path traversal, #, and ?.

While randomly testing, I invited my own username with a #, and for some reason it changed the Realms inviter/owner username.

I also realized I could use Minecraft formatting codes like &k to make my username show as random obfuscated characters.

Eventually, I discovered I could make the Realms inviter/owner username millions of characters long, which crashed the game of whoever I invited (and in the Realms tab in the launcher).

A few months later, this was patched, but I’m not sure of the exact date.
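
The missing URL-encoding described above, as an added example that is not part of the original post and is not Mojang's code: a hypothetical invite handler that concatenates the username into an upstream URL, next to a version that allow-lists, length-checks and percent-encodes it. The host, the route layout and the username rule are assumptions made for illustration.

```javascript
// Added example: hypothetical invite handler, not the real Realms service.
// BASE, the route layout and NAME_RE are assumptions for illustration.
const BASE = "https://realms-backend.invalid";

// Weak form: user input is concatenated into the upstream URL as-is.
function buildInviteUrlUnsafe(realmId, name) {
  return `${BASE}/worlds/${realmId}/invite/${name}`;
}

// Hardened form: allow-list and length-check first, then percent-encode.
const NAME_RE = /^[A-Za-z0-9_]{3,16}$/; // assumed username rule
function buildInviteUrlSafe(realmId, name) {
  if (!Number.isSafeInteger(realmId) || realmId < 0) throw new RangeError("bad realm id");
  if (typeof name !== "string" || !NAME_RE.test(name)) throw new RangeError("bad username");
  // Encoding is redundant after the allow-list; kept as defence in depth.
  return `${BASE}/worlds/${realmId}/invite/${encodeURIComponent(name)}`;
}

// What the upstream service would actually receive for a given URL string.
function upstreamView(urlString) {
  const u = new URL(urlString);
  return { path: u.pathname, query: u.search, fragment: u.hash };
}

// Constructed sample inputs covering the characters named in the post,
// plus an oversized name like the one that crashed clients.
const SAMPLES = ["Steve", "Steve#x", "Steve?a=1", "../../other", "A".repeat(1000000)];

function compare(samples = SAMPLES) {
  return samples.map((name) => {
    const unsafe = upstreamView(buildInviteUrlUnsafe(42, name));
    let safe;
    try {
      safe = upstreamView(buildInviteUrlSafe(42, name)).path;
    } catch (e) {
      safe = `rejected: ${e.message}`;
    }
    return { name: name.slice(0, 20), unsafe, safe };
  });
}

for (const r of compare()) {
  console.log(r.name, "=>", r.unsafe.path.slice(0, 40), r.unsafe.query, r.unsafe.fragment, "|", r.safe);
}
```

In the unsafe form, the username decides where the path ends and whether a query or fragment exists; in the hardened form, anything outside the allow-list, including the oversized name, is rejected before a request is built.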
