Security researchers Alex Vanderpot and Keegan Novik of Team Avolition last night posted a security advisory on GitHub detailing a vulnerability in Minecraft that allowed an attacker to easily gain access to your account. I say this in the past tense because Mojang, the game's developer, has already fixed the issue in question. The flaw only affected migrated Minecraft accounts. Here's the advisory's description of the vulnerability:

A malicious attacker can log on using any migrated account to any Minecraft server relying on Mojang Specifications' official authentication servers to verify user authenticity. This can allow an attacker to gain access to players' accounts causing losses within the game, or allow an attacker to gain access to a privileged account on the server. Depending on common server modifications, privileged accounts could be used to acquire access to the operating system, or cause serious damage to data on the machine, which includes but is not limited to common software and data found in unison with a Minecraft server such as:

Proprietary server modifications and source code.

The security flaw was caused by a failure to bind usernames to session IDs for migrated accounts. More specifically, joinServer.jsp accepted any valid session key from a migrated account for any other migrated account: it verified that the key was live, but not that it had been issued to the username being presented. All an attacker had to do was log in to Minecraft with a migrated account, store the session key, and then connect to a Minecraft server with a different migrated account's username and the stored session key.

As already mentioned, Mojang has patched this flaw. The company first reacted by taking the authentication servers offline. A few hours later, a Mojang spokesperson stated: "Woohoo! Things are back up and running perfectly! Thank you all for being patient while things were fixed. Also major props to Grum, Dinnerbone, and Leo who were out of bed and into action in the blink of an eye!"

In their advisory, Vanderpot and Novik say they first exploited the bug on June 26, 2012. It's therefore very disappointing to see they decided to disclose it so much later, not to mention publicly instead of privately to Mojang. The game's creator, Markus Persson (also known as Notch), said as much on Twitter:

"Warning: There's a flaw in our minecraft auth system, do not trust it until it's fixed:"

"We took down the auth servers until they've been fixed. I'll pass on everything I learn about what's going on, just woke up."

"Also, in the future, if hackers could please not find exploits in the middle of the night on weekends, that would be great, mk?"

I would also like to add that they should keep in mind I enjoy my Sundays quite a bit. I saw this vulnerability posted this morning but was already busy writing another story. Given I woke up too early to cover that one, I immediately passed out afterwards. This meant I couldn't warn readers about the flaw before it was fixed. But, I digress.
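To make the session-binding failure in joinServer.jsp concrete, here is a small simulated authentication server in Python with the pre-fix check and a hardened check side by side. This is an added example, not Mojang's code and not Team Avolition's proof of concept: the login / joinServer / checkServer flow, the parameter names user, sessionId and serverId, the account table and the usernames alice, bob and carol are all assumptions made for the illustration. Only the behaviour the article attributes to joinServer.jsp (a valid session key from one migrated account accepted for another migrated account's username) is taken from the page.

```python
"""Model of the joinServer.jsp session check described in the article.

Added example, not Mojang's code. The three-step flow (login -> joinServer ->
checkServer), the parameter names, the account table and every username are
assumptions made for illustration; only the behaviour toward migrated accounts
(any valid migrated session key accepted for any migrated username) follows the
article. Password checking is omitted on purpose.
"""
import secrets
from dataclasses import dataclass

# Constructed account table: username -> whether the account was migrated.
ACCOUNTS = {"alice": True, "bob": True, "carol": False}


@dataclass(frozen=True)
class Session:
    username: str   # account the key was issued to
    migrated: bool


class AuthServer:
    """Simulated authentication server holding session keys and approved joins."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}    # session key -> issuing login
        self._joins: set[tuple[str, str]] = set()  # (user, server_id) approved

    def login(self, username: str) -> str:
        """Step 1: the client logs in and receives a fresh random session key."""
        if username not in ACCOUNTS:
            raise PermissionError("unknown account")
        key = secrets.token_hex(16)
        self._sessions[key] = Session(username, ACCOUNTS[username])
        return key

    def join_server_vulnerable(self, user: str, session_id: str, server_id: str) -> bool:
        """Step 2, pre-fix: a live migrated key is accepted for any migrated
        username, so the key is never bound to the user it was issued to."""
        sess = self._sessions.get(session_id)
        if sess is None or user not in ACCOUNTS:
            return False
        if sess.migrated and ACCOUNTS[user]:        # BUG: username never compared
            self._joins.add((user, server_id))
            return True
        if sess.username == user:                    # non-migrated path is correct
            self._joins.add((user, server_id))
            return True
        return False

    def join_server_fixed(self, user: str, session_id: str, server_id: str) -> bool:
        """Step 2, hardened: the key must have been issued to exactly `user`,
        whatever the account type."""
        sess = self._sessions.get(session_id)
        if sess is None or sess.username != user:
            return False
        self._joins.add((user, server_id))
        return True

    def check_server(self, user: str, server_id: str) -> bool:
        """Step 3: the game server asks whether `user` really joined `server_id`."""
        return (user, server_id) in self._joins


def impersonation_succeeds(fixed: bool, attacker: str = "alice", victim: str = "bob") -> bool:
    """Replay the attack from the advisory: log in as the attacker's own account,
    keep the key, then present it with the victim's username. Returns True if
    the game server would admit the attacker as the victim."""
    auth = AuthServer()
    stolen_key = auth.login(attacker)
    join = auth.join_server_fixed if fixed else auth.join_server_vulnerable
    server_id = "constructed-server-hash"            # constructed value
    join(victim, stolen_key, server_id)
    return auth.check_server(victim, server_id)


def legitimate_join_succeeds(fixed: bool, user: str = "bob") -> bool:
    """Sanity check: a player using their own key is still admitted after the fix."""
    auth = AuthServer()
    key = auth.login(user)
    join = auth.join_server_fixed if fixed else auth.join_server_vulnerable
    server_id = "constructed-server-hash"            # constructed value
    return join(user, key, server_id) and auth.check_server(user, server_id)


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable",
              "impersonation:", impersonation_succeeds(fixed),
              "legitimate:", legitimate_join_succeeds(fixed))
```

Running it shows the vulnerable variant admitting alice's key under bob's name while the fixed variant rejects it, and a non-migrated key (carol) failing either way, matching the article's statement that only migrated accounts were affected. The whole fix is one comparison: the hardened check takes the username from the session record rather than trusting the value the client supplies alongside the key.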