Modernizing Authentication — What It Takes to Transform Secure Access
Researchers Alex Vanderpot and Keegan Novik recently uncovered a vulnerability in Minecraft that provided attackers with access to user accounts.
"The security flaw was caused by a failure to authenticate usernames with session IDs for migrated accounts," writes ZDNet's Emil Protalinski. "More specifically, joinServer.jsp accepted any valid session key from a migrated account for another migrated account. All an attacker had to do was log in to Minecraft with a migrated account, store the session key, and then connect to a Minecraft server with a different migrated account's username and the stored session key."
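The core of the flaw as Protalinski describes it is a missing binding: the server checked that the presented session key was valid, but not that it belonged to the username the client claimed. The following Python model is an added illustration, not Mojang's code: the store, function names and token format are assumptions, and the distinction between migrated and legacy accounts is not modelled. It shows the unbound check beside one that ties the session key to the account that logged in.

```python
import secrets

# Constructed in-memory session store: session_key -> username that logged in.
# In the real flow the key would be issued by the login service; here login()
# stands in for it. This is a model of the described behaviour, not Mojang's code.
SESSIONS = {}


def login(username: str) -> str:
    """Issue a fresh session key for the account that just authenticated."""
    key = secrets.token_hex(16)
    SESSIONS[key] = username
    return key


def join_server_vulnerable(username: str, session_key: str) -> bool:
    """The flaw as described: any valid session key is accepted for any username.

    The username parameter is never compared against the session owner, so a
    key obtained by logging in as one account joins a server as any other.
    """
    return session_key in SESSIONS


def join_server_fixed(username: str, session_key: str) -> bool:
    """Bind the session key to the account that logged in.

    Unknown keys are rejected, and a known key is only honoured for the
    username it was issued to. The comparison is constant-time because the
    claimed username is attacker-controlled input.
    """
    owner = SESSIONS.get(session_key)
    if owner is None:
        return False
    return secrets.compare_digest(owner.encode(), username.encode())


def demo() -> dict:
    """Replay the attack against both checks and report each outcome."""
    attacker_key = login("attacker")       # attacker logs in with their own account
    unknown_key = "0" * 32                 # a key that was never issued
    return {
        "vulnerable_impersonates_victim": join_server_vulnerable("victim", attacker_key),
        "fixed_rejects_impersonation": join_server_fixed("victim", attacker_key),
        "fixed_accepts_owner": join_server_fixed("attacker", attacker_key),
        "fixed_rejects_unknown_key": join_server_fixed("attacker", unknown_key),
        "vulnerable_rejects_unknown_key": join_server_vulnerable("victim", unknown_key),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The one-line difference between the two handlers is the whole bug: validity of a credential is not the same as ownership of the identity it is being used to assert. Any check that accepts a bearer token should look up who the token was issued to and compare that against the principal the request names, rather than treating "this token exists" as sufficient.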
"After learning of the problem, the developer -- Mojang -- took down the authorization servers and addressed the problem on July 15, one day after the researchers published their findings," writes Softpedia's Eduard Kovacs. "'Woohoo! Things are back up and running perfectly! Thank you all for being patient while things were fixed. Also major props to Grum, Dinnerbone, and Leo who were out of bed and in to action in the blink of an eye!' Mojang’s Lydia Winters wrote after a short while."
"Mojang was quick to point out the flaw did not expose users' personal information or passwords," International Business Times reports. "It addressed the issue on Sunday, taking its servers offline while patching the fix. ... The game's creator, Markus Persson, took particular issue with the timing of Vanderpot and Novik's release. 'In the future, if hackers could please not find exploits in the middle of the night on weekends, that would be great, mk?' Persson wrote on his Twitter account."