Hi everyone! Last week, Silas, a member of our Discord, found an issue that allowed an MCJukebox plugin to authenticate as a server without holding that server's API key. It was resolved by a server-side update the same day; there is no need to update the plugin.
No personal information was accessible, and none of your server's settings could have been changed. However, if you consider any of the audio URLs you use private, I would suggest removing the file and uploading it at a new URL. If there are secrets embedded in your CSS, translations or audio URLs (which in general I would strongly advise against), change them at the earliest opportunity, since those values could have been delivered to another server.
The issue came to light when a server owner noticed that the audio client was styled differently from theirs. Typing /jukebox also showed a custom connection message, and, importantly, one they did not recognise.
I traced this to a race condition in the server's handshake: when server B's connection to MCJukebox arrived shortly after server A's, B could be authenticated as though it had presented A's API key.
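As an added illustration of this class of bug (this is not MCJukebox's code, and the mechanism shown is an assumption about how such a race can arise, not a description of the actual cause), the following simulates a handshake in which the server keeps the connection awaiting its key check in a single shared field, replays the interleaving described above, and shows a hardened form in which authentication state lives on the connection that presented the key. The key registry, server identifiers, connection ids and lookup are constructed sample data.

```javascript
// Constructed key registry: API key -> server it belongs to (sample data).
const API_KEYS = new Map([['key-for-server-a', 'server-A']]);

// Stand-in for an asynchronous key lookup (e.g. a database round trip).
// Completions are queued and delivered in order by runPendingLookups(),
// which lets the scenario below interleave two handshakes deterministically.
const pendingLookups = [];
function lookupKey(apiKey, callback) {
  pendingLookups.push(() => callback(API_KEYS.get(apiKey) || null));
}
function runPendingLookups() {
  while (pendingLookups.length > 0) pendingLookups.shift()();
}

// Vulnerable (hypothetical): the connection awaiting its key check is kept in
// one field shared by all connections, so the lookup callback binds whichever
// connection arrived last, not the one that presented the key.
class VulnerableGateway {
  constructor() {
    this.pending = null;        // shared across all connections
    this.sessions = new Map();  // connection id -> authenticated server id
  }
  onAuth(conn, apiKey) {
    this.pending = conn;
    lookupKey(apiKey, (serverId) => {
      if (serverId !== null) this.sessions.set(this.pending.id, serverId);
    });
  }
}

// Hardened: authentication state is bound to the connection that presented
// the key. The callback closes over `conn`, and a second auth attempt on the
// same connection while a check is in flight is ignored.
class HardenedGateway {
  constructor() {
    this.sessions = new Map();
  }
  onAuth(conn, apiKey) {
    if (conn.authState === 'pending') return;
    conn.authState = 'pending';
    lookupKey(apiKey, (serverId) => {
      conn.authState = serverId === null ? 'rejected' : 'authenticated';
      if (serverId !== null) this.sessions.set(conn.id, serverId);
    });
  }
}

// Replays the interleaving from the post: server A's handshake is followed
// immediately by server B's (presenting a key that is not valid) before A's
// key check has completed. Returns the resulting session table.
function replayRace(gateway) {
  const connA = { id: 'conn-A' };
  const connB = { id: 'conn-B' };
  gateway.onAuth(connA, 'key-for-server-a');  // A presents its real key
  gateway.onAuth(connB, 'not-a-valid-key');   // B arrives before A's check completes
  runPendingLookups();                        // both checks now complete, in order
  return gateway.sessions;
}

// Audit check: every authenticated connection must be bound to the identity
// of the key it presented itself, never to another connection's identity.
// presentedKeys maps connection id -> the key that connection sent.
function findMisboundSessions(sessions, presentedKeys) {
  const misbound = [];
  for (const [connId, serverId] of sessions) {
    const expected = API_KEYS.get(presentedKeys.get(connId)) || null;
    if (expected !== serverId) misbound.push(connId);
  }
  return misbound;
}

// Keys each simulated connection presented (constructed).
const PRESENTED = new Map([
  ['conn-A', 'key-for-server-a'],
  ['conn-B', 'not-a-valid-key'],
]);

console.log('vulnerable:', [...replayRace(new VulnerableGateway())]); // [['conn-B', 'server-A']]
console.log('hardened:  ', [...replayRace(new HardenedGateway())]);   // [['conn-A', 'server-A']]
```

In the vulnerable run, B ends up holding server A's identity without ever presenting A's key, which is exactly the outcome described above; the hardened run binds only A. The audit helper is the kind of check worth running against a real session table after a fix of this sort, to confirm no live session is bound to an identity its key does not justify.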
API keys have limited use, so only a small amount of data could have been affected, and only if your server happened to be in A's position:
- Your custom strings/translations set in the admin panel would have been sent to server B.
- Server B would be able to send people to your audio client.
- Any audio commands issued by server B would have been sent to the audio client of server A. Server B could use this to send audio to any player on server A, even if they had never connected to server B.
- Requests sent by server B to players (online or offline) would be saved against that player’s track history for server A. The last played track for a given player would then be played to them if they joined server A. To address this, I recently cleared the history for all servers.
Thanks for taking the time to read this, and for your understanding. If there are any questions, I’d be happy to answer on Spigot, or at [email protected]