WEB-2028Security questions can be passed with only one valid SQ
The bug
In practice, you need 3 valid security questions to pass the location verification packet but there's a flaw, you can easily answer the packet with only 1 valid security questions.
How to reproduce
- Install a HTTP debugging PS application like Fiddler (be sure to enable decrypt on Fiddler; Tools > Options... > HTTPS > tick "Decrypt HTTPS traffic").
- Log in to your Minecraft account and fill in random stuff in the 3 security boxes, click verify identity.
- Now, go into Fiddler and you should have a traffic from https://api.mojang.com/user/security/location, click it. It should look like this:
POST https://api.mojang.com/user/security/location HTTP/1.1 Host: api.mojang.com Connection: keep-alive Accept: / Authorization: Bearer .. User-Agent: ... Content-Type: application/json; charset=UTF-8 [{"id":example1,"answer":"<the answer you gave>"},{"id":example2,"answer":"<the answer you gave>"},{"id":example3,"answer":"<the answer you gave>"}] - Copy the full request and click on the composer tab, click raw.
- Edit the request; let's say example1 is the question; what's your lucky number. Mine is 0. So, I would fill in [
{"id":example1,"answer":"0"}
. Now replace the id and fill in the same answer 3 times. Like this:
[{"id":example1,"answer":"0"},{"id":example1,"answer":"0"},{"id":example1,"answer":"0"}] - Click the execute button.
→ You've succesfully passed the security questions by knowing only 1 valid SQ.
Aftermath
Huge amount of accounts are being transferred to new emails using this method, which no owner of these accounts suspected as SQs are meant to block this (or at least make it harder). This is a serious and critical bug in the security question system/API. Also, this method is being sold for anywhere between $400-$600 in the com. I personally did not buy it as I discovered it myself by just messing with the API.
Side note: word goes around that there's a way to bypass them without any security questions but I doubt, I'll try to dig though.
