biteslkp.blogg.se

Minecraft forge authentication servers are down












Minecraft Account Session Vulnerability Security Advisory

This vulnerability affects all Minecraft accounts.

Description

A malicious attacker can log on using any Minecraft account to any Minecraft server relying on Mojang Specifications’ official authentication servers to verify user authenticity. This can allow an attacker to gain access to players’ accounts causing losses within the game, or allow an attacker to gain access to a privileged account on the server. Depending on common server modifications, privileged accounts could be used to acquire access to the operating system, or cause serious damage to data on the machine, which includes but is not limited to common software and data found in unison with a Minecraft server such as:

Proprietary server modifications and source code.

This vulnerability seems to be caused by a failure to validate an account's ownership of the session token when logging into a server using the legacy Minecraft authentication API. joinServer.jsp will accept any valid session id from an account for another account username so long as the session id is valid.

To reproduce this issue an attacker needs to follow the following steps.

1. Instead of using Mojang's modern join server authentication API, use the legacy authentication API.
2. Replace the username sent to the API with any valid username.
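The missing ownership check the advisory describes, shown beside the corrected check, as an added example that is not Mojang's code or part of the original advisory. The `SessionStore` class, its method names, the usernames and the TTL are all hypothetical and constructed for illustration.

```python
import hmac
import secrets

SESSION_TTL = 300  # seconds (constructed value)


class SessionStore:
    """Hypothetical stand-in for an auth service's session table."""

    def __init__(self):
        self._sessions = {}  # session id -> (owner username, expiry)

    def login(self, username, now):
        sid = secrets.token_hex(16)
        self._sessions[sid] = (username, now + SESSION_TTL)
        return sid

    def _owner(self, session_id, now):
        entry = self._sessions.get(session_id)
        if entry is None or entry[1] < now:
            return None  # unknown or expired session
        return entry[0]

    def join_flawed(self, session_id, username, now):
        # Flaw from the advisory: only asks "is this session id valid?"
        # and never compares its owner with the claimed username.
        return self._owner(session_id, now) is not None

    def join_checked(self, session_id, username, now):
        # Fix: the session must be live AND owned by the claimed username.
        owner = self._owner(session_id, now)
        if owner is None:
            return False
        return hmac.compare_digest(owner.encode(), username.encode())


def demo():
    store = SessionStore()
    sid = store.login("player_a", now=1000)  # constructed account names
    return {
        "flawed_other_user": store.join_flawed(sid, "server_admin", 1001),
        "checked_other_user": store.join_checked(sid, "server_admin", 1001),
        "checked_own_user": store.join_checked(sid, "player_a", 1001),
        "checked_expired": store.join_checked(sid, "player_a", 1301),
    }


if __name__ == "__main__":
    print(demo())
```

A game server relying on the flawed check treats the join as verified for whatever username was claimed, which is why the binding between session and account has to be enforced by the authentication service itself.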













