Lockette. What a wonderful server-side plugin for Minecraft' Bukkit servers. Being a plugin that allows players to protect their chests from being opened by other players, it is often the heart of survival-oriented servers, and the primary protection method for players. Unlike some other Bukkit protection plugins, it doesn't give you up if your database goes down or something else breaks. So it would seem that it would mostly prevent players from stealing items from each other...
Well, currently it does not.
Nor do some other plugins. This post explains how and why.
In essence, the whole problem can be pictured with following animation:
In March this year, Minecraft 1.5 "Redstone update" came out. Among other changes, it introduced hoppers and hopper minecarts, both of which are able to pull items from containers above them. This sure is a pretty cool mechanic, finally allowing players to construct fully automatic farms and other mechanisms without installing third-party mods. But, there's also a downside - third-party plugins (and specifically server-side ones) initially do not support hoppers, allowing unauthorized item withdrawal (via hoppers) in particular. This is not a game breaking issue for most plugins, but for ones offering container protection, it is.
Obtaining items from a protected chest is oddly easy. To do this, you need a hopper minecart (composed from a minecart and a hopper), a piece of rail (to place the minecart), and a (victim) chest which has empty space underneath it. Hopper minecart is to be placed on rails, taken off the rails, and pushed underneath the chest:
Once under the chest, hopper will "suck out" items out of chest until either hopper is full, or chest became empty. Items can be taken out of hopper to free space for new items.
Once chest has been emptied, hopper minecart can be either pushed away, or broken to redeem it's contents and crafting parts.
Plugin versions affected
Lockette: all so far (≤ 1.7.12)
LWC: all so far(≤ 4.3.1)
Process of fixing this issue is currently a bit of mess. While Lockette was recently updated to fix stealing via normal hoppers (blocks), minecart hoppers still work. LWC, on other hand, seems to be still of version released in March, meaning that both blocks and minecarts may take out items from chests.
One of temporary countermeasures is installation of an area protection plugin (so that players can protect their near-chest areas from modification), along with warning players to not leave "flying" chests with valuables.
This post was actually going to be just about the Lockette plugin bug, but testing has shown that LWC shares this behaviour. ChestShop, on other hand, has an interesting approach for this - items can not be taken out of shop chests anyhow, however they can be deposited into them, provided that a hopper is connected correctly (which is only possible if you are the shop owner). This allows a number of interesting mechanics, such as organizing redstone networks to automatically harvest items and deliver them to shops for sale.