Method to Bypass IP protection on AuthTokens
The exploit involving AuthTokens has been discussed quite a lot, but Mojang seemed to believe that you can't use authtokens from IP addresses other than the one where the token was generated, which is supposed to be the case. However, after recently spending some time digging deeper into the influx of compromised accounts in the Multiplayer community, namely Hypixel, I found a workaround to this IP protection, which seems to be the cause of the hundreds of accounts getting compromised every day.
To put it simply, users are either getting ratted, or having scripts run on their PCs, etc., that copy their launcher_profiles.json file to a server somewhere. (This requires no special access such as a UAC confirmation on Windows or sudo/root on Linux; the file is readable by, and easy for, any program to copy.)
Basically, you first create a connection to a server, then have the program send the launcher_profiles.json file to that server, and then the script can end. In some cases this can even be done from websites. With that token + username + UUID + the previously obtained session token, you can use the account until the owner changes their password or hits logout in the launcher.
This exploit, however, doesn't give access to the account on minecraft.net or anything other than the launcher, so it doesn't really affect the Singleplayer community.
(I have attached a screenshot of some of the code of a malicious mod intended to do this. However, like I said, something like this doesn't actually require installing anything on the victim's computer; tricking someone into downloading a mod like this is just the easy way in.)
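A defender-side triage check for the pattern the attached mod code exhibits, added here as an example and not code from the report or from Mojang: it flags a mod jar only when the same bytecode references both launcher_profiles.json and a Java networking API, so a mod that merely reads the profile (a launcher helper) or merely uses the network (an update checker) is not flagged. The sample jars, marker strings and function names are constructed for this example.

```python
import io
import zipfile

# Class-file constant pools store string literals and class names as modified
# UTF-8, which is byte-identical to ASCII for these markers, so a plain byte
# search over each .class entry is enough for a first-pass triage. Obfuscated
# or runtime-built strings evade this; treat a hit as a lead, not a verdict.
PROFILE_MARKER = b"launcher_profiles.json"
NETWORK_MARKERS = (
    b"java/net/URL",              # URL.openConnection / HttpURLConnection
    b"java/net/Socket",           # raw TCP
    b"java/net/http/HttpClient",  # Java 11+ HTTP client
)

def scan_jar_bytes(jar_bytes: bytes) -> dict:
    """Return which .class entries reference the profile file and which a network API."""
    profile_hits, network_hits = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            data = jar.read(name)
            if PROFILE_MARKER in data:
                profile_hits.append(name)
            if any(marker in data for marker in NETWORK_MARKERS):
                network_hits.append(name)
    return {"profile": profile_hits, "network": network_hits}

def is_suspicious(jar_bytes: bytes) -> bool:
    """Suspicious only when the jar both touches launcher_profiles.json and the network."""
    result = scan_jar_bytes(jar_bytes)
    return bool(result["profile"]) and bool(result["network"])

def build_jar(entries: dict) -> bytes:
    """Build an in-memory jar from {entry_name: bytes}; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed samples: fake constant-pool fragments, not real compiled classes.
MAGIC = b"\xca\xfe\xba\xbe"
BENIGN_JAR = build_jar({"com/example/Benign.class": MAGIC + b"net/minecraft/client/Minecraft"})
READS_ONLY_JAR = build_jar({"com/example/Helper.class": MAGIC + b".minecraft/launcher_profiles.json"})
UPDATER_JAR = build_jar({"com/example/Updater.class": MAGIC + b"java/net/URL"})
SUSPECT_JAR = build_jar({
    "a/b/Stealer.class": MAGIC + b"launcher_profiles.json",
    "a/b/Sender.class": MAGIC + b"java/net/Socket",  # different class, same jar
})
```

Scanning the whole jar rather than a single class matters: the file read and the upload are often split across classes, as in SUSPECT_JAR above.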
Because this makes it so easy to gain access to anyone's account, it should definitely be fixed somehow.
Some possible solutions are:
- Implement 2FA, in a similar way to services like Steam.
- Encrypt the authtoken and the other components of the launcher_profiles file, and decrypt them when the game starts. (This would require rolling out an update to every MC version since 1.4, or at least to every version since 1.8.9, as those are the only versions still commonly used.)
- Completely rework how logins are handled. This one is unnecessarily complicated compared to the other options, in my opinion.
- There are probably more; that is all I can think of.
Whilst the argument "if a player gets ratted, it is their issue" exists, the user shouldn't be to blame in a case like this, where there is a very clear security breach in the service.
If Discord stored a code in its files that instantly gave access to your account, and that wasn't encrypted or secured, they would likely fix it (just like pretty much every other service; Discord is just an example), even though technically the only way to take advantage of it is by getting malware of some kind onto your PC.
I hope this can get resolved, as it is hitting all of the Multiplayer community and causing countless issues for MC minigame servers that are larger than a lot of standalone games.
(Yes, Hypixel is aware of this, and so are most other servers, but there isn't really anything a server can do in this case.) Also, to avoid any confusion, no, I'm not affiliated with Hypixel.
Thanks for your time,
Erik