Vulnerability with your support team, allowing impersonators to permanently suspend accounts.
I come to you, first of all, with sincere apologies. Some of what is about to be shown is intentionally provocative and is far from a portrayal of myself; it is instead a necessary evil to prevent future misuse of this vulnerability.
As you most likely do not know, but can verify, I often spend my free time testing your support team, as well as other related sites/applications, to identify vulnerabilities.
Minecraft is a game I hold dearly to my heart, and having known many a person on the receiving end of recent exploits, I'm taking my own action against them.
Before I dive into details, I'd like to request that I'm not judged or held accountable for my actions here, for again I did them purely for demonstration purposes, as obscenity is required to invoke the response this vulnerability depends on.
I'm familiar with the protocols in place to suspend/deactivate accounts which are in violation of your End User License Agreement, as well as accounts that are compromised. These are typically identified by suspicious activity, or by user reports from those affected.
However, as I have had prior success manipulating your support agents into altering others' accounts, I had a theory: if I impersonate an account owner, and provoke your support agents in such a way as to reveal I am in violation of the EULA (to any degree), then I could trigger these consequences upon others I have no affiliation with.
Why is this important? If my theory proved true (which it did), anyone with any extent of grudge could simply pretend to be somebody else and bring about severe consequences. EULA-violating accounts may not be freed from their position, regardless of any support efforts (I've tried to remove EULA-violation suspensions before; it isn't possible).
As a case scenario, I could have a grudge against a person, and all it would take is for me to create a convincing email to yourself acting as them, claiming I violated the EULA, and then they would lose their account permanently. This could be performed against anyone, from the average user to YouTubers, server owners, or perhaps even Mojang affiliates.
Now, unfortunately, in order to test this I needed a 'victim' with whom I have no affiliation, to verify to yourselves that this could be performed against anyone, even when you have no evidence that the sender is who they claim to be.
I am familiar with a character known as Oval, someone within the Minecraft community who is somewhat associated with you guys here at Mojira.
I picked Oval as I had confidence his affiliation could undo the damage to his account, should I not be able to do so successfully here.
Sure enough, within a few days of emailing your support team, his account was suspended permanently for EULA violation, despite my having no affiliation or involvement with him, as well as no proof or evidence to suggest I am truly him.
You may verify my activity on Request #1728419.
I will remind you, I am not Oval and I have no affiliation with him. The email address, and all contents of any exchanges, are entirely impersonations and the action taken against his account should be reverted as soon as possible. I have also attached screenshots for your convenience.
Taking the necessary assumption that this may have been a one-off success, I took further action against other accounts to test for similar results: "Molly", "Jam", "Nrp123" and "Lord" (I sent a lot of tickets because replies are slow and inconsistent; with a larger quantity of targets, a higher percentage would get replies quickly). These garnered the exact same response: a permanent suspension. This too should be revoked. Almost amazed by the results of this, as each time it was quick and easy, I felt it necessary to test the furthest extents, and so did the exact same thing to the following accounts: "Steve", "Herobrine" and "Cat". These are all very famous accounts, and if I'm able to impersonate them, then that highlights the extremity to which this vulnerability works.
Beyond that, though, what should be done to fix this?
I realise social engineering isn't possible to prevent entirely; it oftentimes involves leaked information on users, which could provide solid evidence that the speaker is the account owner.
My suggestion is this: ANY email exchanges, or claimed activity, from an email address with no association to the account should be exempt from consequence on that account.
Meaning, if I were to impersonate Oval again and email you in the way I did, your representatives should first verify that the email address I'm using is associated with the account; otherwise you should (in all case scenarios) ignore the information provided, as while it may be the account owner, it is more likely an impersonation attempt. This is a recommendation purely relating to scenarios wherein a person reveals in any form that they violated your terms and conditions.
I follow people within the Minecraft buying and selling community closely, and if they become familiar with this vulnerability, they may intentionally target innocent users in a manner similar to how I did here, resulting in dozens of cases of unfair consequence.
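The sender-verification gate recommended above, as an added Python example (not Mojang's or Mojira's own code): the account registry and the tickets are constructed, and the rule it enforces is that a self-reported violation from an address not registered to the named account never reaches the suspension path, only a "request verification" outcome.

```python
"""Sender-verification gate for self-incriminating support tickets.

Added example, not the support platform's code. The account registry
and the tickets below are constructed for illustration.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed registry: account name -> addresses verified for that account.
ACCOUNTS = {
    "oval": {"oval@example.com"},
    "molly": {"molly@example.com", "molly.backup@example.net"},
}


@dataclass
class Ticket:
    from_header: str      # raw From: header, e.g. 'Oval <someone@example.org>'
    claimed_owner: str    # account the sender claims to own
    admits_violation: bool  # ticket text admits an EULA violation


def normalise(from_header: str) -> str:
    """Extract and normalise the address part of a From: header.

    Only the address is compared: the display name ("Oval <...>") is
    fully attacker-controlled and proves nothing about the sender.
    """
    _, address = parseaddr(from_header)
    return address.strip().lower()


def sender_is_verified(ticket: Ticket) -> bool:
    """True only if the sending address is registered to the claimed account."""
    registered = ACCOUNTS.get(ticket.claimed_owner.strip().lower(), set())
    return normalise(ticket.from_header) in {a.lower() for a in registered}


def decide(ticket: Ticket) -> str:
    """Return the only action a support workflow may take on this ticket.

    'escalate-for-review' is still a human decision; the point is that
    an unverified sender can never produce a suspension directly.
    """
    if not ticket.admits_violation:
        return "no-action"
    if sender_is_verified(ticket):
        return "escalate-for-review"
    return "request-verification"  # likely impersonation: take no action on the account
```

A ticket whose display name reads "Oval" but whose address is not one registered to the account is routed to `request-verification`, which is exactly the case the impersonation tickets described above relied on.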
I hope my findings are useful in improving your support's security, and I hope the harshness required within the tickets is forgiven, as I am truly sorry and have the utmost respect for your employees.
It is up to you now to undo my damage, and improve systems to prevent misuse of this concept in future. Thank you for your time and attention.
P.S. Apologies for how long this is; it's difficult to condense.