Yet Another Minecraft Vulnerability!

UPDATE: The vulnerability isn’t actually patched. The Session ID just doesn’t get printed to the log files any more.

 

On the 3rd of March 2016, Mojang (the developers of Minecraft) released a new version of the Minecraft Launcher. Not much is known about what has changed between the old launcher version and the new launcher version. However, one thing that I noticed is that the Session ID was censored.

This is important, as it has patched a vulnerability where anyone could hijack a user’s session on the Mojang servers. With the Session ID, you could use any person’s account and potentially access their account. There is even a mod for Minecraft that allows anyone to hijack a session. All the user needs is the Session ID and the username. This modification could even join legitimate Minecraft servers with a random person’s account.
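Since the Session ID ended up in the log files, a log should be scrubbed before it is shared in a bug report or forum post. The following is an added example, not code from this post or from Mojang: a small scrubber to run over a log first. The "(Session ID is token:...)" line format and the `--accessToken` argument layout are assumptions, and the sample log is constructed.

```python
import re

# Assumed formats (not given in the post): the client is assumed to log
# "(Session ID is token:<access token>:<profile id>)", and launch command
# lines are assumed to carry "--accessToken <value>".
SESSION_LINE = re.compile(r"(Session ID is )token:[^:\s)]+:[^\s)]+", re.IGNORECASE)
CLI_ARG = re.compile(r"(--accessToken[ =])\S+")

REDACTED = "<redacted>"


def scrub_line(line):
    """Return (clean_line, hit) with any session credential replaced."""
    clean, n1 = SESSION_LINE.subn(r"\1token:" + REDACTED, line)
    clean, n2 = CLI_ARG.subn(r"\1" + REDACTED, clean)
    return clean, (n1 + n2) > 0


def scrub_log(text):
    """Scrub a whole log; return the clean text and the 1-based line numbers hit."""
    out, hits = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        clean, hit = scrub_line(line)
        out.append(clean)
        if hit:
            hits.append(lineno)
    return "\n".join(out), hits


# Constructed sample log; the token and profile id are made-up values.
SAMPLE_LOG = """\
[12:00:01] [Client thread/INFO]: Setting user: ExamplePlayer
[12:00:01] [Client thread/INFO]: (Session ID is token:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210)
[12:00:02] [Client thread/INFO]: LWJGL Version: 2.9.4
[12:00:03] [Launcher] Running java --username ExamplePlayer --accessToken 0123456789abcdef0123456789abcdef --version 1.8.9
"""

if __name__ == "__main__":
    cleaned, hit_lines = scrub_log(SAMPLE_LOG)
    print(cleaned)
    print("redacted lines:", hit_lines)
```

The list of line numbers it returns shows where a credential was found, which is a hint that the session should be treated as exposed if the original log was already shared.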

How long was this vulnerability unpatched?

I actually reported this to Mojang around half a year ago through their @MojangSupport account on Twitter. I know now that I should have done it privately through the Minecraft Bug Report, but back then I didn’t have an account on the Minecraft Bug Report.

I reckon that the vulnerability has been there since 2012, but I’m not entirely sure.

How did you discover this vulnerability?

I saw a YouTube video showing off a hacked client for Minecraft 1.8. The mod / hacked client is called GarPloit. This hacked client allows the user to do the following things:

  • Session Hijacker – The main exploit
  • GhostHand – Opens chests and blocks through walls
  • SkinBlinker
  • Anti-Knockback
  • Fly
  • Speed Walk
  • Block-Walker – Glitches through blocks and walls
  • ChestFinder – Shows chests through walls
  • Creative-Nuker – Destroys blocks in proximity to a player in Creative Mode
  • ESP
  • FastLadder
  • Fullbright – Increases the gamma
  • KillAura – Automatically attacks people with Macro-Clicker
  • Lagger – Allows people to teleport around, can be used with Fly
  • Nofall
  • SlimeJumper – Increases Jump Distance on Slime Blocks
  • /op Access – Ops the user on vanilla servers and servers with the /pex command
  • Force OP – Fixed in servers running Minecraft 1.8.6 or later

Summary

As usual, it takes Mojang a while to fix security issues. I did another blog post a while ago about a different security issue in Minecraft. You can read it here.

The video showing off the hacked client that I saw is here.
