Minecraft Migrated Account Session Vulnerability Security Advisory (opens in new tab)

(gist.github.com)

29 pointswedtm13y ago13 comments

13 comments

13 comments · 3 top-level

pilif13y ago· 8 in thread

I see no mention of notifying Mojang. And even if they did and Mojang is late with patching, I don't think it's very nice to post a public report on a weekend. Mojang is still a comparably small company and I'm sure nobody there is thrilled about fixing security flaws over the weekend.

This is, IMHO, not totally what I would call responsible disclosure.

Scaevolus13y ago

Team Avolition is a griefing group that commonly targets Minecraft-- I'm surprised that they're releasing the exploit at all.

From @notch: "We took down the auth servers until they've been fixed. I'll pass on everything I learn about what's going on, just woke up. ‪#groggy‬" "Also, in the future, if hackers could please not find exploits in the middle of the night on weekends, that would be great, mk?"

Smerity13y ago

It's unlikely the case here but responsible disclosure is not always so simple and can make 0-day public disclosure a "reasonable response".

I have heard of cases where informing the company of a vulnerability and telling them "I will publicly disclose the vulnerability in N days" has resulted in security researchers being taken to court as a "blackmail attempt". Annoyingly I can't find the case I'm thinking of (though I've found numerous other unsettling ones such as [1]) but will update this comment if I do. One example of such madness is Dmitry Sklyarov[2] who was arrested under the DMCA's anti-circumvention laws for revealing that an e-book vendor used ROT13 to encrypt their documents.

A useful introduction to the complexity of public and responsible disclosure can be seen at the EFF's Vulnerability Reporting FAQ[3].

[1]: http://www.scmagazine.com.au/News/276780,security-researcher...

[2]: http://en.wikipedia.org/wiki/Dmitry_Sklyarov

[3]: https://www.eff.org/issues/coders/vulnerability-reporting-fa...

rmc13y ago

Yes, that approach is the wrong approach. "Responsible Disclosure" works both ways. The company with the software gets the vulnerability before the public, but they have to not try to sue/prosecute the security researcher. If companies are known to attack security researchers like you mention, then they can forget about responsible disclosure. Those companies will find out about vulnerabilities in the newspapers. Can't have your cake and eat it.

DanBC13y ago

> It's unlikely the case here

Especially given the fact that Notch and Mojang have played Quake with Team Avo members.

Maxious13y ago

The gist is only 4 hours old but it was seen in the wild days ago: http://forums.bukkit.org/threads/a-player-named-notch-logged... http://www.reddit.com/r/admincraft/comments/wc2ey/notch_sess...

A different set of blackhats "Team Nodus Griefing" had it before the gist was up and fell into a honeypot (with packet capture to find the exploit) set by Mojang's Bukkit team and the reddit mods: http://www.reddit.com/r/Minecraft/comments/wl0zy/psa_exploit...

So I don't think this was meant to be responsible disclosure, it was more laying out the facts to get some internet cred ;)

ne0codex13y ago

It seems like there exists a simple temporary fix for servers—to not use minecraft authentication, which seems like a very viable temporary solution while this exploit gets the proper attention. (such as x-auth that the author mentions or the server immediately asking the user to enter a password when connected via console)

aroman13y ago

They are well aware: http://www.mojang.com/2012/07/houston-we-have-a-problem/

mollstam13y ago

Notification is always good, can't really complain if it's on the weekend or public or not. :]

buttscicles13y ago· 2 in thread

I'd have thought ensuring a session ID was only valid for a single account would have been the first thing to test when developing an authentication system. Perhaps not in Sweden.

mollstam13y ago

Yes, because it was clearly not a bug.

buttscicles13y ago

It's obvious it was a bug introduced somewhere, (actually seemed like something was commented out for testing purposes and was forgotten about to me, maybe that's just because I'm forgetful though) but I'd have hoped there are a few tests that are run before an update is made live which would include something like this.

Props for the speedy fix though.

alt_13y ago

"UPDATE: Woohoo! Things are back up and running perfectly! Thank you all for being patient while things were fixed. Also major props to Grum, Dinnerbone, and Leo who were out of bed and in to action in the blink of an eye!"[0]

[0] http://www.mojang.com/2012/07/houston-we-have-a-problem/

j / k navigate · click thread line to collapse

13 comments

13 comments · 3 top-level

pilif13y ago· 8 in thread

This is, IMHO, not totally what I would call responsible disclosure.

Scaevolus13y ago

Team Avolition is a griefing group that commonly targets Minecraft-- I'm surprised that they're releasing the exploit at all.

Smerity13y ago

It's unlikely the case here but responsible disclosure is not always so simple and can make 0-day public disclosure a "reasonable response".

A useful introduction to the complexity of public and responsible disclosure can be seen at the EFF's Vulnerability Reporting FAQ[3].

[1]: http://www.scmagazine.com.au/News/276780,security-researcher...

[2]: http://en.wikipedia.org/wiki/Dmitry_Sklyarov

[3]: https://www.eff.org/issues/coders/vulnerability-reporting-fa...

rmc13y ago

DanBC13y ago

> It's unlikely the case here

Especially given the fact that Notch and Mojang have played Quake with Team Avo members.

Maxious13y ago

The gist is only 4 hours old but it was seen in the wild days ago: http://forums.bukkit.org/threads/a-player-named-notch-logged... http://www.reddit.com/r/admincraft/comments/wc2ey/notch_sess...

So I don't think this was meant to be responsible disclosure, it was more laying out the facts to get some internet cred ;)

ne0codex13y ago

aroman13y ago

They are well aware: http://www.mojang.com/2012/07/houston-we-have-a-problem/

mollstam13y ago

Notification is always good, can't really complain if it's on the weekend or public or not. :]

buttscicles13y ago· 2 in thread

I'd have thought ensuring a session ID was only valid for a single account would have been the first thing to test when developing an authentication system. Perhaps not in Sweden.

mollstam13y ago

Yes, because it was clearly not a bug.

buttscicles13y ago

Props for the speedy fix though.

alt_13y ago

[0] http://www.mojang.com/2012/07/houston-we-have-a-problem/

j / k navigate · click thread line to collapse