Minecraft account impersonation security flaw disclosed, fixed

A vulnerability in Minecraft allowed gamers to login as somebody else and play around using their identity. Mojang has fixed the issue, which only affected migrated accounts.

Minecraft account impersonation security flaw disclosed, fixed

Security researchers Alex Vanderpot and Keegan Novik of Team Avolition last night posted a security advisory on GitHub detailing a vulnerability in Minecraft that allowed an attacker to easily gain access to your account. The flaw only affected migrated Minecraft accounts; I say this in the past tense because Mojang, the game's developer, has already fixed the issue in question.

Here's the description of the vulnerability:

A malicious attacker can log on using any migrated account to any Minecraft server relying on Mojang Specifications' official authentication servers to verify user authenticity. This can allow an attacker to gain access to players’ accounts causing losses within the game, or allow an attacker to gain access to a privileged account on the server. Depending on common server modifications, privileged accounts could be used to acquire access to the operating system, or cause serious damage to data on the machine, which includes but is not limited to common software and data found in unison with a Minecraft server such as:

  • Server map files
  • Operating system files
  • Player data
  • Database and webserver data
  • Proprietary server modifications and source code

The security flaw was caused by a failure to authenticate usernames with session IDs for migrated accounts. More specifically, joinServer.jsp accepted any valid session key from a migrated account for another migrated account. All an attacker had to do was log in to Minecraft with a migrated account, store the session key, and then connect to a Minecraft server with a different migrated account's username and the stored session key.

As already mentioned, Mojang has patched this flaw. The company first reacted by taking the authorization servers offline. A few hours later, a Mojang spokesperson stated: "Woohoo! Things are back up and running perfectly! Thank you all for being patient while things were fixed. Also major props to Grum, Dinnerbone, and Leo who were out of bed and in to action in the blink of an eye!"

In their advisory, Vanderpot and Novik say they first exploited the bug on June 26, 2012. It's therefore very disappointing to see they decided to disclose it so much later, not to mention publicly instead of privately to Mojang. Furthermore, the timing was very poor. The game's creator, Markus Persson (also known as Notch) said so much on Twitter:

We took down the auth servers until they've been fixed. I'll pass on everything I learn about what's going on, just woke up. ‪#groggy‬

Warning: There's a flaw in our minecraft auth system, do not trust it until it's fixed: http://www.reddit.com/r/Minecraft/comments/wl0zy/psa_exploit_in_minecraft_login_server_hackers_can/

Also, in the future, if hackers could please not find exploits in the middle of the night on weekends, that would be great, mk?

I agree. I would also like to add that they should keep in mind I enjoy my Sundays quite a bit. I saw this vulnerability posted this morning but was already busy writing another story. Given I woke up too early to cover that one, I immediately passed out afterwards. This meant I couldn't warn readers about the flaw before it was fixed.

But, I digress. The point is this should have been responsibly disclosed directly to Mojang as soon as it was discovered. Thankfully the problem was quickly resolved.

See also: