Yet Another Minecraft Vulnerability!

UPDATE: The vulnerability isn’t actually patched. The Session ID just doesn’t get printed to the log files any more.


On the 3rd of March 2016, Mojang (the developers of Minecraft) released a new version of the Minecraft Launcher. Not much is known about what changed between the old launcher version and the new one. However, one thing that I noticed is that the Session ID was censored.

This is important, as it has patched a vulnerability where anyone could hijack a user’s session on the Mojang servers. With the Session ID, you could use another person’s account and potentially access everything in it. There is even a mod for Minecraft that allows anyone to hijack a session. All the user needs is the Session ID and the username. This modification could even join legitimate Minecraft servers with a random person’s account.

How long was this vulnerability unpatched?

I actually reported this to Mojang around half a year ago through their @MojangSupport account on Twitter. I know now that I should have done it privately through the Minecraft Bug Report, but back then I didn’t have an account on the Minecraft Bug Report.

I reckon that the vulnerability has been there since 2012, but I’m not entirely sure.

How did you discover this vulnerability?

I saw a YouTube video showing off a hacked client for Minecraft 1.8. The mod/hacked client is called GarPloit. This hacked client allows the user to do the following things:

  • Session Hijacker – The main exploit
  • GhostHand – Opens chests and blocks through walls
  • SkinBlinker
  • Anti-Knockback
  • Fly
  • Speed Walk
  • Block-Walker – Glitches through blocks and walls
  • ChestFinder – Shows chests through walls
  • Creative-Nuker – Destroys blocks in proximity to a player in Creative Mode
  • ESP
  • FastLadder
  • Fullbright – Increases the gamma
  • KillAura – Automatically attacks people with Macro-Clicker
  • Lagger – Allows people to teleport around, can be used with Fly
  • Nofall
  • SlimeJumper – Increases Jump Distance on Slime Blocks
  • /op Access – Ops the user on vanilla servers and servers with the /pex command
  • Force OP – Fixed in servers running Minecraft 1.8.6 or later


As usual, it took Mojang a while to fix the security issue. I wrote another blog post a while ago about a different security issue in Minecraft. You can read it here.

The video showing off the hacked client that I saw is here.


The link that could crash Google Chrome!

A few weeks ago, a link that could crash Google Chrome was released to the public. It looks like this: http://a/%%30%30

Note that this URL does not crash other browsers like IE, Edge or Firefox, because of the way those browsers handle the URL.

The Basics

You cannot type certain characters into a URL, because they have special functions or are simply unsupported. To make up for this, browsers treat a percent sign followed by two hexadecimal digits as an encoded character, which they decode to obtain the “real” URL. To understand why Google Chrome crashes, we must first decode the URL.

Decoding the URL

At the end of the URL is this: %%30%30 – %30 gets decoded to 0. It is the same 0 that you would type on your keyboard, and so, after one pass, we have this: %00. If we decode it again, the %00 gets decoded to a NULL character, which is an invalid character for URLs.

Note that if you had just typed http://a/%00, the browser would detect it as an invalid URL and the bug would not work.

However, in Google Chrome the URL is marked as safe to use before the decoder is run a second time. When Chrome then tries to connect to that address, it fails and realises that the URL is invalid. This (for an unknown reason) causes Google Chrome to pop up a window saying “Something has gone terribly wrong here…” and kills the browser.


When this URL was released to the public, I tested it with my browser that I am currently developing. My browser crashed as well. xD

I have fixed it if you were wondering 🙂

If you are reading this, the bug has already been fixed in Google Chrome. Chrome now changes the URL to http://a/%2500 to prevent crashes.
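To make the double-decoding concrete, here is an added example written for this page (it is not Chrome’s code, nor code from the original post). It runs a single-pass percent decoder over the path from the link, shows that the first pass produces a harmless-looking %00 while the second produces a NUL byte, and then applies a canonicalisation step of the kind the post describes as Chrome’s fix: a bare % that is not followed by two hex digits is escaped to %25, so the path becomes /%2500. The function names, the exact canonicalisation rules and the byte-wise (non-UTF-8) decoding are this example’s own assumptions.

```javascript
// Added example (not from the original post or from Chrome): single-pass
// percent decoding, the effect of running it twice on "%%30%30", and a
// canonicalisation step of the kind the post describes Chrome adopting
// (stray "%" -> "%25"). Names and exact rules are this example's own.

const HEX2 = /^[0-9A-Fa-f]{2}$/;

// Decode every "%XX" escape exactly once (byte-wise; no UTF-8 handling).
// A "%" not followed by two hex digits is left untouched, which is how
// "%%30%30" survives the first pass as "%00".
function percentDecodeOnce(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const hex = s.slice(i + 1, i + 3);
    if (s[i] === "%" && HEX2.test(hex)) {
      out += String.fromCharCode(parseInt(hex, 16));
      i += 2;
    } else {
      out += s[i];
    }
  }
  return out;
}

// Decode `passes` times and return every intermediate string, so a reviewer
// can see exactly which pass introduced the dangerous character.
function decodeRepeatedly(s, passes) {
  const steps = [s];
  for (let i = 0; i < passes; i++) {
    steps.push(percentDecodeOnce(steps[steps.length - 1]));
  }
  return steps;
}

// A URL parser must never accept a control character (NUL included).
function hasControlChar(s) {
  return /[\u0000-\u001f\u007f]/.test(s);
}

// Canonicalise a path so that a later decode cannot change its meaning:
// a bare "%" is escaped to "%25", "%XX" escapes of unreserved characters
// are decoded, and every other escape is kept (upper-cased). For "/%%30%30"
// this yields "/%2500", the normalised URL the post shows. The function is
// idempotent: canonicalising "/%2500" again returns "/%2500".
const UNRESERVED = /^[A-Za-z0-9\-._~]$/;
function canonicalizePath(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== "%") { out += s[i]; continue; }
    const hex = s.slice(i + 1, i + 3);
    if (!HEX2.test(hex)) { out += "%25"; continue; }   // stray "%"
    const ch = String.fromCharCode(parseInt(hex, 16));
    out += UNRESERVED.test(ch) ? ch : "%" + hex.toUpperCase();
    i += 2;
  }
  return out;
}

// Demonstration on the path from the post.
const demoPath = "/%%30%30";
const demoSteps = decodeRepeatedly(demoPath, 2);
console.log(JSON.stringify(demoSteps));        // ["/%%30%30","/%00","/\u0000"]
console.log(hasControlChar(demoSteps[1]));     // false: one pass looks harmless
console.log(hasControlChar(demoSteps[2]));     // true: the second pass yields NUL
console.log(canonicalizePath(demoPath));       // "/%2500"
```

The lesson for anyone writing a URL handler is in the last two functions: validate the string in the form you will actually use (after the final decode), or canonicalise once up front so that no later component is tempted to decode it again.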

XSS and Twitter: The Self Retweeting Tweet

On the 11th of June 2014, this was released onto TweetDeck:

It is a script tag containing jQuery which, when executed in the browser, would automatically retweet itself without the user’s knowledge. Usually, TweetDeck would have a filter on to convert every < and > into &lt; and &gt;.

However, on the 11th of June 2014, this filter was turned off, which allowed XSS attacks like this to happen.

What the user would see

All the user would see is the red love heart, as the browser would automatically hide and execute anything inside the <script> tags. In this case, the code inside the <script> tags only retweeted itself and then showed a message box saying “XSS in TweetDeck”; however, the attacker could have done many things worse than that. He could have infected the victim with ransomware or even deleted everything on TweetDeck. The possibilities are almost endless.


Any website that takes user input (whether usernames, questions or even random numbers) should never simply echo that input back to the browser. Say, for example, the user puts this in their input: <b> – everything that follows on the page would turn bold, which would mess up the webpage.

Or let’s say that the user puts this in their input:

<script language="JavaScript">window.location.href = ""</script>

The user would then get redirected to

Final Summary

The point is that not filtering HTML tags out of user input can leave you seriously vulnerable to XSS attacks, and could infect the people who visit your website with malware.
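The filter the post describes, turning every < and > into &lt; and &gt;, is the right idea; the following is an added example written for this page (it is not TweetDeck’s code, nor code from the post’s author) that extends it to the other characters that matter in HTML and places the raw echo beside the escaped one. The comment-box template, the function names and the tag counter are this example’s own assumptions; the two inputs are the ones the post uses.

```javascript
// Added example (not from the original post or from TweetDeck): the output
// filter the post describes ("<" and ">" to "&lt;" and "&gt;"), extended to
// the other characters that matter in HTML, beside the raw echo that makes a
// page vulnerable. Template, function names and the tag counter are this
// example's own; the two inputs are the ones the post uses.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape user text for insertion into HTML body text or a double-quoted
// attribute value. "&" is included so that input that already contains
// "&lt;" is displayed literally instead of being turned back into a real "<".
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user input concatenated straight into the markup.
function renderUnsafe(userInput) {
  return `<p class="tweet">${userInput}</p>`;
}

// Fixed pattern: the same template, with the input escaped on output.
function renderSafe(userInput) {
  return `<p class="tweet">${escapeHtml(userInput)}</p>`;
}

// Count the HTML tags in a piece of markup. The template contributes exactly
// two (<p> and </p>); anything above that was smuggled in through the input.
function countTags(markup) {
  return (markup.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// The two inputs from the post.
const BOLD_INPUT = "<b>";
const REDIRECT_INPUT = '<script language="JavaScript">window.location.href = ""</script>';

for (const input of [BOLD_INPUT, REDIRECT_INPUT]) {
  console.log("unsafe:", renderUnsafe(input), "tags:", countTags(renderUnsafe(input)));
  console.log("safe:  ", renderSafe(input), "tags:", countTags(renderSafe(input)));
}
```

Escaping belongs at the point of output, not at the point of input: the same stored text may later be placed into HTML, a JavaScript string or a URL, and each of those contexts needs a different escaping rule. Escaping on input, as a single filter in front of the database, is exactly the kind of switch that can be turned off by accident.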


Apparently BBC Wales and BBC Breaking News were affected by this XSS attack as well 😀

Also, if you want to know how the XSS attack worked in more detail, there is a YouTube video by Tom Scott here:


The Security Risk of Minecraft 1.8

A few months ago, an exploit of Minecraft 1.8 was released to the public. This exploit involved forcing the Minecraft client to download a malicious file from a third-party website or server. Once the severity of the exploit was seen by Mojang (the creators and owners of Minecraft), the exploit was quickly fixed in the next update of Minecraft, which was Minecraft 1.8.4.

Since then, the Minecraft developers have released several updates fixing other exploits and security risks. A minority of those exploits allowed players to get operator/administrator status on servers, which again Mojang only fixed once the exploit had been revealed to the public.


If you find any exploit, vulnerability or security risk in any software (including games), please report it to the developers or company that owns that program. It is important that you do report them, as they could pose a threat to your security later if they are released to the public.


WordPress was compromised!

WordPress was compromised by the Neutrino Exploit Kit.

This exploit kit installs backdoors on WordPress sites running older versions of the content management system (4.2 and older). It then redirects the victim through a series of iframes to a landing page hosting a Flash exploit.

The exploit targets users running Internet Explorer, and the victims’ computers are infected with CryptoWall 3.0 ransomware.

Researchers who analysed the Neutrino Exploit Kit have said that the IP address of the landing page is 185[.]44[.]105[.]17, which is registered to a “Max Vlapet” in Moscow.

Moreover, researchers say the goal of the exploit kit was to harvest credentials and inject an iframe to redirect users to the landing page. They also said that people who are not using IE should not get the malicious iframe, and that those using IE will not be attacked over and over again, due to a cookie that the attackers injected.

The CryptoWall ransomware has recently been used in a lot of 0-day exploits, leading some to believe that an APT group is behind this attack.

Like other ransomware, CryptoWall 3.0 encrypts files on a compromised computer and demands a ransom to decrypt them, usually over $400 in Bitcoin. This particular piece of ransomware uses numerous channels to communicate stolen traffic to its keepers, including the I2P and Tor anonymity networks.


WordPress remains a soft spot for hackers and attackers, and the Neutrino Exploit Kit is still active. More often than not, attackers will find and exploit vulnerabilities in plugins (such as Java and Flash); however, there have been occasions where the WordPress core engine was attacked.

Also, if you haven’t noticed, this webpage is running on the WordPress core engine, which is why I made this blog post and why it is relevant.