UPDATE: The vulnerability isn’t actually patched. The Session ID just doesn’t get printed to the log files any more.
On 3rd March 2016, Mojang (the developers of Minecraft) released a new version of the Minecraft Launcher. Not much is known about what has changed between the old launcher version and the new launcher version. However, one thing that I noticed is that the Session ID was censored.
This is important, as it has patched a vulnerability where anyone could hijack a user’s session on the Mojang servers. With the Session ID, you could use any person’s account and potentially access their account. There is even a mod for Minecraft that allows anyone to hijack a session. All the user needs is the Session ID and the username. This modification could even join legitimate Minecraft servers with a random person’s account.
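Since the Session ID was written to the log files, a log should be scrubbed before it is posted or sent to anyone. The following is an added example, not code from the original post or from Mojang; the log message and launcher argument formats it matches are assumptions, and the sample log is constructed.

```python
import re

MASK = "<redacted>"
_SKIP = "(?!" + re.escape(MASK) + ")"  # do not re-match already masked values

# Assumed shapes (not taken from the post): a "Session ID is ..." log message
# and launcher arguments that carry the token on the command line.
PATTERNS = [
    re.compile(r"(Session ID is )" + _SKIP + r"(\S+?)(?=[)\s]|$)"),
    re.compile(r"(--(?:session|accessToken)[ =])" + _SKIP + r"(\S+)"),
]


def redact_line(line):
    """Return (line with any session value masked, True if something was masked)."""
    hit = False
    for pat in PATTERNS:
        line, n = pat.subn(lambda m: m.group(1) + MASK, line)
        hit = hit or n > 0
    return line, hit


def scrub(lines):
    """Mask every line; return (clean_lines, 1-based numbers of lines that leaked)."""
    clean, leaked = [], []
    for no, line in enumerate(lines, 1):
        out, hit = redact_line(line)
        clean.append(out)
        if hit:
            leaked.append(no)
    return clean, leaked


# Constructed sample log, not real launcher output; the token is made up.
SAMPLE = [
    "[12:00:01] [Client thread/INFO]: Setting user: ExamplePlayer",
    "[12:00:01] [Client thread/INFO]: (Session ID is token:0123abcd:89ef4567)",
    "[12:00:02] [Client thread/INFO]: LWJGL Version: 2.9.4",
    "[12:00:00] Launching with --username ExamplePlayer --accessToken 0123abcd",
]

if __name__ == "__main__":
    clean, leaked = scrub(SAMPLE)
    print("\n".join(clean))
    print("lines that contained a session value:", leaked)
```

Running `scrub` a second time on its own output should report no leaking lines; if it does, a pattern is missing for that log format.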
How long was this vulnerability unpatched?
I actually reported this to Mojang around half a year ago through their @MojangSupport account on Twitter. I know now that I should have done it privately through the Minecraft Bug Report, but back then I didn’t have an account on the Minecraft Bug Report.
I reckon that the vulnerability has been there since 2012, but I’m not entirely sure.
How did you discover this vulnerability?
I saw a YouTube video showing off a hacked client for Minecraft 1.8. The mod / hacked client is called GarPloit. This hacked client allows the user to do the following things:
- Session Hijacker – The main exploit
- GhostHand – Opens chests and blocks through walls
- Speed Walk
- Block-Walker – Glitches through blocks and walls
- ChestFinder – Shows chests through walls
- Creative-Nuker – Destroys blocks in proximity to a player in Creative Mode
- Fullbright – Increases the gamma
- KillAura – Automatically attacks people with Macro-Clicker
- Lagger – Allows people to teleport around, can be used with Fly
- SlimeJumper – Increases Jump Distance on Slime Blocks
- /op Access – Ops the user on vanilla servers and servers with the /pex command
- Force OP – Fixed in servers running Minecraft 1.8.6 or later
As usual, it takes Mojang a while to fix security issues. I wrote another blog post a while ago about a different security issue in Minecraft. You can read it here.
The video that I saw showing off the hacked client is here.