Recent Minecraft exploit

Discussion in 'Minecraft Discussion' started by CosmoConsole, Jun 23, 2015.

  1. https://www.reddit.com/comments/3asb21

    According to this, it's possible to join any server with any account as long as you know the username and the session ID. Therefore anyone who has posted client logs with recent session IDs may be vulnerable to being impersonated anywhere.

    I haven't been able to find the video that is being referenced, so I'm not fully sure whether this is real or mainly (or entirely) FUD.
     
  2. It could not be fixed from Spigot and will not easily get fixed by Mojang (because of laziness?) anyway. Right now I'll just suggest that everyone not post their crash reports/logs in a public place.
     
  3. Wow, Mojang are really on a roll with these exploits. This was a massive mistake back in 1.2.5, I thought they resolved it..

    Looking more into this, periodically changing the key pair would fix it? From what I can see.. no side effects but a little performance..

    {NMS}.DedicatedServer#a(MinecraftEncryption.b());

    Pretty much voiding the session key, and you'd have to log in with the token.
     
    #3 _Cory_, Jun 23, 2015
    Last edited: Jun 23, 2015
  4. Which is why this is in 'Minecraft Discussion', not in a Spigot category.
     
  5. JamesJ

    Mojang; a 2.5 billion dollar company, that still hasn't fixed boats.
    And they still let these sorts of exploits get through their 'testing'.
     
  6. Anyone know the client?
     