
Controlling ServerId is enough to get an attacker logged in to any Minecraft server as the victim's account

Open cyoung06 opened this issue 2 years ago • 1 comment

To prevent this attack, you need to run some kind of code analysis, then make sure that

  1. code that uses the joinServer API generates some secret stuff that goes into the server id
  2. that secret stuff is not sent to the party that the client is talking to (the MITM)
  3. if that secret stuff needs to be sent, it is only sent to the party that will do the /hasJoined API call

It's practically impossible to prevent.

cyoung06 avatar Jan 02 '23 18:01 cyoung06
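The three requirements above describe a binding property of the joinServer / hasJoined exchange: whatever the client hashes into the server id must contain a secret that the party in the middle never learns, or learns only if it is also the party that will call hasJoined. The following toy model, added here as an example (it is not code from the NoSession project and does not reproduce the specific attack in this issue), shows how the vanilla construction achieves that binding and what goes wrong when the hash covers only a peer-chosen serverId. Only `server_hash()` follows the real vanilla construction (SHA-1 over serverId, shared secret and the server's DER public key, printed as a signed hex integer); the session server, the game server, the client and the "sealing" used in place of RSA are constructed stand-ins, and `weak_hash()` is a hypothetical weak variant used for comparison.

```python
"""Toy model of the Minecraft join flow (joinServer / hasJoined) and serverId binding.

Added example, not NoSession code. SessionServer, KeyPair/seal, GameServer and
Client are constructed stand-ins; only server_hash() mirrors the vanilla game.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Callable, Tuple

HashFn = Callable[[str, bytes, bytes], str]


def server_hash(server_id: str, shared_secret: bytes, public_key_der: bytes) -> str:
    """Vanilla serverId hash: SHA-1(serverId || sharedSecret || DER public key),
    rendered like Java's BigInteger.toString(16): signed two's complement, so a
    digest with the top bit set prints with a leading '-'."""
    digest = hashlib.sha1(server_id.encode("ascii") + shared_secret + public_key_der).digest()
    return format(int.from_bytes(digest, "big", signed=True), "x")


def weak_hash(server_id: str, shared_secret: bytes, public_key_der: bytes) -> str:
    """Hypothetical weak variant: binds only the serverId the peer handed the client.
    Nothing here is secret from a party that chose the serverId."""
    return hashlib.sha1(server_id.encode("ascii")).hexdigest()


@dataclass
class KeyPair:
    """Stand-in for RSA: a payload sealed to `public` can only be opened by its owner."""
    public: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def open(self, sealed: Tuple[bytes, bytes]) -> bytes:
        to_key, payload = sealed
        if to_key != self.public:
            raise PermissionError("sealed to a different key")
        return payload


def seal(public: bytes, payload: bytes) -> Tuple[bytes, bytes]:
    return (public, payload)


class SessionServer:
    """Stand-in for the Mojang session server, in memory (constructed)."""

    def __init__(self, tokens: dict):
        self.tokens = tokens   # profile -> valid access token
        self.joins = set()     # (profile, serverId hash) recorded by joinServer

    def join_server(self, access_token: str, profile: str, sid_hash: str) -> None:
        if self.tokens.get(profile) != access_token:
            raise PermissionError("bad access token")
        self.joins.add((profile, sid_hash))

    def has_joined(self, username: str, sid_hash: str) -> bool:
        return (username, sid_hash) in self.joins


@dataclass
class GameServer:
    session: SessionServer
    hash_fn: HashFn
    server_id: str = ""        # vanilla servers send an empty serverId
    key: KeyPair = field(default_factory=KeyPair)

    def encryption_request(self) -> Tuple[str, bytes]:
        return self.server_id, self.key.public

    def finish_login(self, username: str, sealed_secret) -> bool:
        secret = self.key.open(sealed_secret)
        return self.session.has_joined(username, self.hash_fn(self.server_id, secret, self.key.public))


@dataclass
class Client:
    session: SessionServer
    hash_fn: HashFn
    profile: str
    token: str

    def login(self, server_id: str, server_pub: bytes):
        secret = secrets.token_bytes(16)   # the shared secret, generated client-side
        self.session.join_server(self.token, self.profile, self.hash_fn(server_id, secret, server_pub))
        return seal(server_pub, secret)


def run(hash_fn: HashFn, mitm: str) -> Tuple[bool, bool]:
    """Victim logs in to a real server directly ("none") or through a MITM that either
    relays the real key ("forward") or substitutes its own ("swap_key").
    Returns (real server accepted the login, MITM learned the session secret)."""
    session = SessionServer({"victim": "tok-victim"})
    server = GameServer(session, hash_fn)
    client = Client(session, hash_fn, "victim", "tok-victim")
    server_id, server_pub = server.encryption_request()
    if mitm == "none":
        return server.finish_login("victim", client.login(server_id, server_pub)), False
    attacker = KeyPair()
    if mitm == "forward":
        sealed = client.login(server_id, server_pub)   # MITM relays the real key
        try:
            attacker.open(sealed)
            knows = True
        except PermissionError:
            knows = False
        return server.finish_login("victim", sealed), knows
    if mitm == "swap_key":
        sealed = client.login(server_id, attacker.public)   # MITM shows its own key
        secret = attacker.open(sealed)                       # ... so it learns the secret
        return server.finish_login("victim", seal(server_pub, secret)), True
    raise ValueError(mitm)
```

With the vanilla hash the forwarding MITM gets the victim accepted but never learns the secret, and the key-swapping MITM learns the secret but the hash it obtained is bound to its own key, so the real server's hasJoined check fails. With the weak variant the key-swapping MITM both knows the secret and is accepted as the victim, which is the situation the three requirements above are meant to rule out.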