Mojira Archive
WEB-3576

New api dangerous vulnerabilities

Hello,

Recently I noticed that an entirely new API was implemented for Java Edition. However, I have found some vulnerabilities within this API, and I have already observed them being exploited. These vulnerabilities affect the security of users' account information, such as saved payment methods on Minecraft accounts and other private information that should only be visible with verified access to your own account. Also, the way that name changes work now has opened up the potential for exploits, one of them being the ability to duplicate the same name on at least two accounts.

1. Name duplication - This endpoint allows a user with a redeemed Minecraft: Java Edition gift code on their account to create a Minecraft profile.

https://api.minecraftservices.com/minecraft/profile
Headers:
Accept: application/json
Authorization: Bearer [JWT/auth token here]
As the POST body, simply supply your desired username.

{ "profileName" : "Desired_IGN" }

The issue with using this endpoint on an account that has redeemed a Minecraft: Java Edition gift code is that if you spam profile-creation requests for the desired name, for example a name that is dropping, you can claim that name even if someone else has already claimed it by name-changing to it as it dropped. As far as I know, this name duplication bug has happened once since the new API was implemented, for the Minecraft accounts with the username "sundae". Both UUID 84411aad35ac496abc646d76c07b854d and UUID 56778399e9874150a21da56c1839cf2b currently have the same username because of this name duplication bug. I would go as far as calling it an exploit, since it only seems possible if you are purposely spamming the endpoint to create a profile on an account that has redeemed a gift code.
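The report does not state the root cause of the duplication. The following is an added example, not Mojang's code, that assumes the profile endpoint performed a separate availability check followed by an insert (a check-then-insert race); it shows why that check alone cannot stop a burst of concurrent requests, contrasts it with a hardened table where a case-insensitive UNIQUE constraint rejects the second claim, and includes the audit query a defender would run to find names held by more than one account. The in-memory table and the account identifiers are constructed.

```python
import sqlite3

# Constructed sample: two accounts racing to claim the same dropped name
# (different letter case, since Minecraft names are case-insensitive).
REQUESTS = [("uuid-account-A", "sundae"), ("uuid-account-B", "Sundae")]


def open_db(enforce_unique: bool) -> sqlite3.Connection:
    """In-memory profile table; the hardened variant adds a NOCASE UNIQUE constraint."""
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if enforce_unique else ""
    conn.execute(
        f"CREATE TABLE profiles (uuid TEXT PRIMARY KEY, "
        f"name TEXT NOT NULL COLLATE NOCASE {constraint})"
    )
    return conn


def name_available(conn: sqlite3.Connection, name: str) -> bool:
    """The non-atomic availability check: true only until someone inserts the name."""
    row = conn.execute("SELECT 1 FROM profiles WHERE name = ?", (name,)).fetchone()
    return row is None


def insert_profile(conn: sqlite3.Connection, uuid: str, name: str) -> bool:
    """Insert; the database, not the earlier check, decides uniqueness when a constraint exists."""
    try:
        conn.execute("INSERT INTO profiles (uuid, name) VALUES (?, ?)", (uuid, name))
        return True
    except sqlite3.IntegrityError:  # raised only when the UNIQUE constraint is present
        return False


def find_duplicate_names(conn: sqlite3.Connection) -> dict:
    """Audit query: names held by more than one uuid, compared case-insensitively."""
    rows = conn.execute(
        "SELECT lower(name), COUNT(*) FROM profiles GROUP BY lower(name) HAVING COUNT(*) > 1"
    ).fetchall()
    return {name: count for name, count in rows}


def simulate_race(enforce_unique: bool):
    """Worst-case interleaving: every request passes the check before any insert runs.
    Returns (uuids that got the name, duplicate names found by the audit)."""
    conn = open_db(enforce_unique)
    passed_check = [(u, n) for u, n in REQUESTS if name_available(conn, n)]
    created = [u for u, n in passed_check if insert_profile(conn, u, n)]
    return created, find_duplicate_names(conn)


if __name__ == "__main__":
    print("check-then-insert only:", simulate_race(False))
    print("with UNIQUE constraint: ", simulate_race(True))
```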

2. Almost full access or verified access to a Minecraft: Java Edition account for about a minute. - With this endpoint, you can verify an account as if you had answered the security questions, for around a minute, even if it is a partial-access account or not your own account. For this you have to send a POST/GET request to one of the three security question flow endpoints, and you will be verified for either 86400 milliseconds or seconds. If seconds, that is a 24-hour verification and very dangerous. Either:
https://api.mojang.com/user/security/challenges
or https://api.mojang.com/user/security/location

Once verified, you can view all information on https://api.mojang.com/user, such as date of birth. You can also view stored credit card information (partially redacted) on https://api.mojang.com/creditcards.

I think that both of these bugs/exploits are quite dangerous, and I hope that my report can be viewed soon. Thank you!

Edit: New dupe using method #1, "Helllo": ba5d76c5d2fb41c488e7f54552632f7d and 7211ae0bdb3f4680ae7cb34f2c4befc0. New dupe using method #1 on 12/05/2020: 8f472e7e74da44f1af068822ba874a37 and 228695a1f5ef4565bd499cc687245309.

Fixed

John Smith

[Mojang] Web Team

2020-12-04, 10:19 PM

2022-06-13, 01:11 PM

2022-06-13, 01:11 PM
