December 2, 2016

Minecraft security flaw discovered and then quickly fixed

(LiveHacking.Com) – Security researchers Alex Vanderpot and Keegan Novik have discovered a vulnerability in Minecraft, the creativity and sandbox building game, that allowed an attacker to gain access to another user's account. The flaw, which only affected migrated Minecraft accounts, was quickly fixed by the game's developer Mojang. Although fixed, this discovery once again highlights how easily session handling in web-based authentication systems can go wrong.

The security advisory, which was posted on GitHub, reads as follows:

A malicious attacker can log on using any migrated account to any Minecraft server relying on Mojang Specifications’ official authentication servers to verify user authenticity. This can allow an attacker to gain access to players’ accounts causing losses within the game, or allow an attacker to gain access to a privileged account on the server. Depending on common server modifications, privileged accounts could be used to acquire access to the operating system, or cause serious damage to data on the machine, which includes but is not limited to common software and data found in unison with a Minecraft server such as:

  • Server map files
  • Operating system files
  • Player data
  • Database and webserver data
  • Proprietary server modifications and source code

The vulnerability existed because the authentication system failed to check that the session ID presented for a migrated account actually belonged to the username being claimed: any valid session ID for a migrated account was accepted. To exploit the vulnerability an attacker would log in with a migrated account, store the session key, and then connect again using a different migrated account's username together with the previously stored session key.
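The following is an added example, not code from the advisory or from Mojang, that models the class of flaw described above in a toy Python login service: a session check that only asks "is this a live session?" instead of "is this a session for the claimed user?". The account names, passwords and the `AuthServer` class are constructed for illustration and say nothing about how Mojang's real servers were built.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample accounts for the demonstration; the page gives no real
# usernames or credentials. "migrated" marks the account type the flaw affected.
ACCOUNTS = {
    "alice_migrated": {"password": "correct horse", "migrated": True},
    "attacker": {"password": "hunter2", "migrated": True},
    "legacy_bob": {"password": "bob1234", "migrated": False},
}


@dataclass
class AuthServer:
    """Toy stand-in (assumption, not Mojang's design) for a login/session service.

    login() issues an opaque session id after checking a password.
    verify_*() is what a game server would call to confirm that the client
    claiming `username` really holds a session for that account.
    """
    sessions: dict = field(default_factory=dict)   # session_id -> owning username

    def login(self, username, password):
        acct = ACCOUNTS.get(username)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def verify_vulnerable(self, username, session_id):
        # Flaw of the kind described in the text: for migrated accounts the
        # check only confirms that the session id exists, never that it was
        # issued to the username being claimed.
        acct = ACCOUNTS.get(username)
        if acct is None:
            return False
        if acct["migrated"]:
            return session_id in self.sessions
        return self.sessions.get(session_id) == username

    def verify_fixed(self, username, session_id):
        # Hardened check: the session id must map to exactly the claimed
        # username, regardless of account type.
        owner = self.sessions.get(session_id)
        return owner is not None and hmac.compare_digest(owner, username)


def run_attack(verify_name):
    """Replay the two exploit steps from the text against one verifier.

    Returns True if the attacker is accepted as the victim account."""
    server = AuthServer()
    # Step 1: attacker logs into their own migrated account and keeps the session id.
    sid = server.login("attacker", "hunter2")
    assert sid is not None
    # Step 2: attacker connects claiming a different migrated account's username,
    # presenting the stored session id.
    verify = getattr(server, verify_name)
    return verify("alice_migrated", sid)


if __name__ == "__main__":
    print("vulnerable server accepts attacker as alice_migrated:",
          run_attack("verify_vulnerable"))
    print("fixed server accepts attacker as alice_migrated:",
          run_attack("verify_fixed"))
```

The fix is a single extra condition, but it is the whole security property: a session token proves nothing unless the verifier binds it to the identity the client asserts. Any "is this token known?" check that ignores the claimed principal has the same shape as this bug.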

Unfortunately it doesn't look like Vanderpot and Novik handled the disclosure of this bug very well. The advisory says that the pair first exploited the bug on June 26, 2012. At that point they should have contacted the developers privately, but instead they waited three weeks, for reasons the advisory does not explain, and then released the details publicly.