Mojang took down its authorization servers until the issue was resolved

Jul 16, 2012 09:21 GMT

Team Avolition researchers Alex Vanderpot and Keegan Novik have identified a serious security hole that could have been leveraged to access Minecraft user accounts. Fortunately, the game’s developer rushed to address the issue.

According to the experts, only migrated Minecraft accounts were affected by the flaw.

“A malicious attacker can log on using any migrated account to any Minecraft server relying on Mojang Specifications’ official authentication servers to verify user authenticity,” they explained.

“This can allow an attacker to gain access to players’ accounts causing losses within the game, or allow an attacker to gain access to a privileged account on the server.”

Furthermore, had it gone unfixed, the vulnerability could have let an attacker leverage a privileged server account to reach the operating system and the data stored on the Minecraft servers.

After learning of the problem, the developer – Mojang – took down the authorization servers and addressed the problem on July 15, one day after the researchers published their findings.

“Woohoo! Things are back up and running perfectly! Thank you all for being patient while things were fixed. Also major props to Grum, Dinnerbone, and Leo who were out of bed and into action in the blink of an eye!” Mojang’s Lydia Winters wrote after a short while.

Markus Persson, the owner of Mojang, has reassured gamers that passwords or other personal details haven’t been exposed.

As ZDNet’s Emil Protalinski highlights, it is notable that Vanderpot and Novik discovered the flaw on June 26 but, rather than contacting the developer directly, chose to publish the reproduction details.

We have seen many situations in which a researcher decides to disclose a vulnerability publicly in an attempt to attract the attention of a vendor that is ignoring their reports. However, we urge security experts to practice responsible disclosure whenever possible, since it is the best way to ensure that their findings will not be misused before a fix is available.