- New Feature
- Resolution: Unresolved
- Minor
- None
- None
- Any Spigot server running as part of a BungeeCord network
- All
- Yes
I'm an independent server pentester, and one of the most saddening things I see is when people with no understanding of systems security try to run a BungeeCord network. There seems to be one recurring flaw - people don't protect their game servers, whether that's with a firewall or with BungeeGuard/OnlyProxyJoin/IPWhitelist/etc. This obviously leaves many many servers vulnerable to severe issues such as UUID spoofing.
I feel that part of the issue is that security issues aren't made obvious enough to the less technically experienced of server admins. The offline-mode warning in the console often gets lost among plugin load messages, and many people don't read the startup logs for their servers. Another issue is with the following error message:
"If you wish to use IP forwarding, please enable it in your BungeeCord config as well!"
This message often gets dismissed - it doesn't make it obvious that this is a security-related issue. However, to a potential attacker, it gives a lot of information:
- This server is part of a BungeeCord network
- This server is in offline mode
- This server probably hasn't been properly protected and may be vulnerable
Over the last few weeks I have seen this particular error message and have been able to successfully carry out a UUID spoof exploit (with the owners' permission) across nineteen individual servers. This flaw needs to be made more obvious in order to protect the many networks like this.
- relates to: SPIGOT-7559 Integrate BungeeGuard for more safety out of the box (Open)