Had a rough time playing Minecraft today? There's a reason why.
A security flaw in Minecraft that allowed users to sign into strangers' accounts was exposed by security researchers Alex Vanderport and Keegan Novik when the Team Avolition duo posted a detailed advisory about the snafu on GitHub Saturday. The game's maker, Mojang, has promised the flaw is fixed.
The vulnerability left all migrated Minecraft accounts open to a malicious attack in which other users' accounts were accessible, exposing them to abuse such as forced losses or access to a privileged account. The vulnerability extends beyond the game, to personal computers as well.
The issue was caused by a lack of authentication for migrated accounts, which allowed the session key from any account to be used to access a migrated one.
"A malicious attacker can log on using any migrated account to any Minecraft server relying on Mojang Specifications' official authentication servers to verify user authenticity," the duo wrote in their security alert.
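A minimal model of this class of flaw, added here as an illustration and not taken from the advisory or from Mojang's code: a session check that accepts any live session key, next to one that requires the key to have been issued to the claimed account. The class, method and account names are hypothetical.

```python
import secrets


class SessionServer:
    """Toy authentication server (constructed model, not Mojang's implementation)."""

    def __init__(self):
        self._sessions = {}  # session key -> account the key was issued to

    def login(self, account):
        # Assumption: the caller has already proved ownership of `account`.
        key = secrets.token_hex(16)
        self._sessions[key] = account
        return key

    def verify_unbound(self, claimed_account, session_key):
        # Flawed check: only asks "is this a live session key?" and never
        # compares the key's owner with the account being claimed.
        return session_key in self._sessions

    def verify_bound(self, claimed_account, session_key):
        # Corrected check: the key must exist AND belong to the claimed account.
        owner = self._sessions.get(session_key)
        return owner is not None and owner == claimed_account


def demo():
    server = SessionServer()
    other_key = server.login("some_other_user")    # constructed account name
    owner_key = server.login("migrated_account")   # constructed account name
    return {
        # Another user's key presented for the migrated account:
        "unbound_cross_account": server.verify_unbound("migrated_account", other_key),
        "bound_cross_account": server.verify_bound("migrated_account", other_key),
        # The rightful owner's key still works after the fix:
        "bound_owner": server.verify_bound("migrated_account", owner_key),
        # A key the server never issued is rejected:
        "bound_unknown_key": server.verify_bound("migrated_account", "0" * 32),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

A game server relying on the unbound check would admit the caller as the migrated account; the bound check is the property the server-side fix has to restore.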
Mojang was quick to point out the flaw did not expose users' personal information or passwords. It addressed the issue on Sunday, taking its servers offline while applying the fix.
"Woohoo! Things are back up and running perfectly," the company wrote on its web site. "Thank you all for being patient while things were fixed. Also major props to Grum, Dinnerbone, and Leo who were out of bed and into action in the blink of an eye!"
The game's creator, Markus Persson, took particular issue with the timing of Vanderport and Novik's release.