Yep, the title explains it all. I’m putting my first Minecraft world up for download.
This world was created in Minecraft 1.4.2 in 2012. It was then updated to MC 1.6 then 1.7.10 then 1.8.9. I stopped building in this world 2 years ago when I became interested in resource packs.
The world is supposed to be a city, although my command block area kinda destroyed it 😛 I made it with my brother back in 2012 and 2013.
This was a creative world, although occasionally I did switch into survival.
UPDATE: The vulnerability isn’t actually patched. The Session ID just doesn’t get printed to the log files any more.
On the 3rd March 2016, Mojang (The developers of Minecraft) released a new version of the Minecraft Launcher. Not much is known about what has changed between the old launcher version and the new launcher version. However, one thing that I noticed is that the Session ID was censored.
This is important, as it has patched a vulnerability where anyone could hijack a user’s session on the Mojang servers. With the Session ID, you could use any person’s account and potentially access their account. Their is even a Mod for Minecraft, allowing anyone to hijack a session. All the user needs, is the Session ID and the username. This modification could even join legitimate Minecraft servers with a random person’s account.
How long was this vulnerability unpatched?
I actually reported this to Mojang around half a year ago through their @MojangSupport account on twitter. I know now that I should have done it privately through the Minecraft Bug Report, but back then I didn’t have an account on the Minecraft Bug Report.
I reckon that the vulnerability has been there since 2012, but I’m not entirely sure.
How did you discover this vulnerability?
I saw a YouTube video showing off a hacked client for Minecraft 1.8. The mod / hacked client is called GarPloit. This hacked client allows the user to do the following things:
- Session Hijacker – The main exploit
- GhostHand – Opens chests and blocks through walls
- Speed Walk
- Block-Walker – Glitches through blocks and walls
- ChestFinder – Shows chests through walls
- Creative-Nuker – Destroys blocks in proximity to a player in Creative Mode
- Fullbright – Increases the gamma
- KillAura – Automatically attacks people with Macro-Clicker
- Lagger – Allows people to teleport around, can be used with Fly
- SlimeJumper – Increases Jump Distance on Slime Blocks
- /op Access – Ops the user on vanilla servers and servers with the /pex command
- Force OP – Fixed in servers running Minecraft 1.8.6 or later
As usual, it takes Mojang a while for them to fix security issues. I done another blog a while ago about a different security issue in Minecraft. You can read it here.
The video showing off the hacked client that I seen is here.
A few months ago, an exploit of Minecraft 1.8 was released to the public. This exploit involved forcing the Minecraft Client to download a malicious file from a 3rd-Party website or server. Once the severity of the exploit was seen by Mojang (The creators and owners of Minecraft), the exploit was quickly fixed in the next update of Minecraft, which was Minecraft 1.8.4.
Since then, the Minecraft developers have released several updates fixing other exploit/security risks and a minority of those exploits allowed players to get operator/administrator status on servers, which again was only fixed by Mojang once it had been revealed to the public.
If you find any exploit, vulnerability or security risk in any software (Including games), please report them the the developers/company that own that program. It is important that you do report them, as they could pose as a threat to your security later if they do get released to the public.