Hacking in The Blockheads: A look into why it happens, how it happens, and how we can fix it

Clarification: By “hacker”, I’m actually talking about “skids”, or “script kiddies”.

Part 1: The Problem
Alright, almost every server owner has gone through this before. You’re moderating your server while having fun with your regular server members when suddenly, another person joins. “Great, another fun person to join our community”, you would likely think. However, that thought quickly evaporates when they start spawning in hacked items, and one-hit-killing everyone present in the server. You quickly ban them, but it is too late. The damage has been done, and your server has been trashed by countless hacked items, invisible walls, and hacked blocks. Why could have this happened, and most importantly, why is it still possible to do this? The blockheads has gone through innumerable updates. Why hasn’t this been patched yet?

Part 2: The Cause
To understand why this is a problem in the blockheads, let’s first take a look at other online games, for example, online blackjack games. In almost all instances of online blackjack games, you open up the site, and the game loads the game, and its user interface. However, in the back-end, things aren’t so simple. First of all, the site would load the game interface, and connect to the game server. The server would send the game information, such as your cards, the dealer’s card, and other vital information. The server would never send any information that you’re not supposed to see, and all information is stored in the server. When you make a move, the game would send a packet of information into the game’s API, such as, {move:"hit"}. The server would then check if it is your turn, and check if the option is valid. Then, it would execute the move, modify your card information, and send the updated card information to the client. The client’s card information is never sent to the server. This way, it is not virtually possible to modify anything that you aren’t supposed to be modifying, unless you gain access to the server, which is nearly impossible. Almost all games work like this. In the blockheads, you join the server, and the server sends basic information regarding the server such as the welcome message, your starting items, and the world itself. There is currently no known possible way to modify the world illegally, but I wouldn’t be surprised if it was possible. The way the game handles your player, is that almost all information regarding your player is stored on the client side, and when you modify something on the client side, such as your items, the server believes that you indeed, have the items, and 100% trusts that you had not gotten them illegally. Furthermore, you can do anything with those illegally gained items, and the server will 100% trust any actions you do with those items. Your inventory is just the tip of the iceberg. Much more information is stored solely on the client side, such as your health, hunger, happiness, and other player data. That way, you can modify anything about your player, and the game will follow through, and trust that it is not modified illegally in any way. This is a major issue, which allows any player to modify any data they have. World data is a little confusing, since I do not have any knowledge on how servers handle breaking and placing blocks and items. If the client sends a packet of data such as “break block at x, y”, or “place block at x, y with block z”, then it would depend on if the server was verifying the actions, and making sure that the blocks was legitimately accessible. Servers seem to verify ownership of the block being placed/broken, which is good. However, if ownership signs are the only thing it verifies, that would mean that it would be possible to develop a script that completely destroy any block that was not protected by an ownership sign, or completely fill the entire world with a certain block, such as invisible walls. This is another issue. With the servers completely trusting every player’s actions without questioning the legitimacy, hacking will not be possible to solve.

Part 3: The Solution
To find out how we can solve this, we must first take a look into another game that deals with blocks, and servers: Minecraft. How Minecraft deals with servers, is first, every player’s data is stored in the server, almost no data is stored in the client, and illegally obtained items will be deleted immediately. When you pick up an item in Minecraft, the server will try and see if you legitimately obtained the item, and you did not cheat it in. If the item suddenly appearing in your inventory without getting it legitimately, the server discards the request from your client, to add the item to the server. This is known as “ghost items”. Another thing that is stored in the server, is health. If you try to change your health to an invalid amount, again, the server would discard the request. The Minecraft anti-cheat is by no means perfect. There are still many cheats and exploits, such as flying, and some movement hacks. However, most of these are impossible for the vanilla anti-cheat to detect, as machines aren’t smart enough to calculate some things yet. However, it can still prevent almost all game breaking exploits. Back to the blockheads. What can we do to solve hacking? First of all, there is no such thing as an anti-cheat that prevents 100% of hacks. There will always be one or two hacks that aren’t fixed. However, it would be fairly simple to solve godmode (health exploit), and item exploits to be fixed. Simply store the inventory data in the server side, and if the player picks up an item, take an item from a chest, or obtain the item some other way, it would be easy for the server to just know “oh, this event says ‘pick up item’, is it there? oh, it is. ill update the player inventory with the picked up item, and send it to the client”. It’s very simple. Most events and calculations are done in the client side. This needs to stop. Deciding what item you obtain when you pick up an item, or your health, is not up to your client to decide. The server needs to perform the calculations, and tell your client the data. Don’t give the client the original. Give the client a photocopied version, and send them updates when it changes. Ultimately, too many operations are done in the client side, and a majority of them need to be moved to the server.

Part 4: A Conclusion
The blockheads is a simple game. Originally, the game would have been single-player only. Later, they would have added LAN, and finally servers. However, the same code in LAN is used for servers, where it trusts everything the client gives the server. Dave needs to make the server less trusting of the client, store less information in the client, store more information in the server, and require confirmation that things are legitimate, or the blockheads hacking will never be solved.

In the end, it won’t matter. Fixing hacks would only make the game more fun while the game’s community still lasts. Eventually, the game will be shut down, as with everything, so let’s make it more fun for us, while we’re still here.


Thank you for bringing issue to attention. I hope Dave still reads the wiki.

When a player cares about the game community more than the developer himself


I think that Milla can forward this topic to him.

1 Like

I can’t find a post anywhere, but I think Dave is aware of this idea, and at this point I don’t think it’s worth the effort. He’d have to seriously redo some stuff and, let’s be real, the game just isn’t where it used to be popularity wise. This does make a lot of sense to do, but unless people start playing again and popularity picks up, I don’t know if it will happen.


TheBest1Ever pretty much hit the nail on the head. Even 5 years ago when Dave was still very much involved with the game and doing updates, he saw the overhead of securing the game servers as way too problematic and time consuming to attempt. It would essentially be a total overhaul and he’s just one guy. Suggestions were given on how to make it more secure, but those fixes were very likely to lead to other problems that would impact legit game play and Dave didn’t want to risk it.

I’ve been witness to another beloved game that also suffered from vulnerabilities that cost the developers serious revenue. That game had to shut down because they had a big dev team they could no longer support and also the startup debt had to be repaid. There was no way to support the servers. So at least we still have a game!


We need a major youtuber to hype this game up.


Dave has likely stopped working on the blockheads, as he’s probably working more on his other game.


Yes, you just effectively answered to your own original post.


The goal of this post isn’t just to try to get hacking fixed. It’s more to inform people about the causes.


Which wiki?


This wiki.

This isn’t a wiki. It’s a bulletin board, hence my confusion.

Yes, he does, but not much. He employs me to look after it so he can focus on his work.


No. A forum is a sub-unit of a bulletin board. A thread is a sub-unit of a forum. A post is a sub-unit of a thread.


If you have pvp disabled (unless ur a pvp server) you could prevent the one hit kill. Also weren’t flax mats disabled just like unmined stone and etc?

Also a tip, if you tap the minature blockhead with the number of players on it, you can see all the players, check their names, and choose to instantly ban them there.

Also to spawn in a hacked or illegal item the hacker would have to replace the item value for the items in their inventory. You firstly have to know the item id, and have to actually have items to be replaced as the illegal item. This means spawning in a max number of 7 items. (The spade, basket, and 5 fruits automatically set in your inventory).

Of course, the hacker could just buy the items but to spawn many different types they would need to change the item id value in their inventory multiple times (Takes about 20 seconds each time).

However, not only this, but many item ids are invalid, making them “unknown” but also invisible. by being unknown you cannot pick it up but also if it is invalid you wouldn’t even notice it’s there.

To help against this problem, make sure you use safes so the hackers cannot remove their contents. Also, put trade portals in a seperate area or a few blocks away. This way if a hacker spawns in 99 of say baskets, you would have to remove them slowly and instead could (another piece of advice) have the baskets fall into a hole all the way down to magma.

Also, can we have some more awareness about what is and isnt a hacker? Sometimes having special characters in my name like ••• because the name was already chosen but to make it appear as “SKY4” Gets me banned!

It may be that you’re being banned for appearing to impersonate someone else, rather than for suspected hacking.