I see no mention of notifying Mojang. And even if they did and Mojang is late with patching, I don't think it's very nice to post a public report on a weekend. Mojang is still a comparably small company and I'm sure nobody there is thrilled about fixing security flaws over the weekend.
This is, IMHO, not totally what I would call responsible disclosure.
Team Avolition is a griefing group that commonly targets Minecraft-- I'm surprised that they're releasing the exploit at all.
From @notch: "We took down the auth servers until they've been fixed. I'll pass on everything I learn about what's going on, just woke up. #groggy"
"Also, in the future, if hackers could please not find exploits in the middle of the night on weekends, that would be great, mk?"
It seems like there exists a simple temporary fix for servers—to not use minecraft authentication, which seems like a very viable temporary solution while this exploit gets the proper attention. (such as x-auth that the author mentions or the server immediately asking the user to enter a password when connected via console)
It's unlikely the case here but responsible disclosure is not always so simple and can make 0-day public disclosure a "reasonable response".
I have heard of cases where informing the company of a vulnerability and telling them "I will publicly disclose the vulnerability in N days" has resulted in security researchers being taken to court as a "blackmail attempt". Annoyingly I can't find the case I'm thinking of (though I've found numerous other unsettling ones such as [1]) but will update this comment if I do. One example of such madness is Dmitry Sklyarov[2] who was arrested under the DMCA's anti-circumvention laws for revealing that an e-book vendor used ROT13 to encrypt their documents.
A useful introduction to the complexity of public and responsible disclosure can be seen at the EFF's Vulnerability Reporting FAQ[3].
Yes, that approach is the wrong approach. "Responsible Disclosure" works both ways. The company with the software gets the vulnerability before the public, but they have to not try to sue/prosecute the security researcher. If companies are known to attack security researchers like you mention, then they can forget about responsible disclosure. Those companies will find out about vulnerabilities in the newspapers. Can't have your cake and eat it.
A different set of blackhats "Team Nodus Griefing" had it before the gist was up and fell into a honeypot (with packet capture to find the exploit) set by Mojang's Bukkit team and the reddit mods: http://www.reddit.com/r/Minecraft/comments/wl0zy/psa_exploit...
So I don't think this was meant to be responsible disclosure, it was more laying out the facts to get some internet cred ;)
"UPDATE: Woohoo! Things are back up and running perfectly! Thank you all for being patient while things were fixed. Also major props to Grum, Dinnerbone, and Leo who were out of bed and in to action in the blink of an eye!"[0]
I'd have thought ensuring a session ID was only valid for a single account would have been the first thing to test when developing an authentication system. Perhaps not in Sweden.
It's obvious it was a bug introduced somewhere, (actually seemed like something was commented out for testing purposes and was forgotten about to me, maybe that's just because I'm forgetful though) but I'd have hoped there are a few tests that are run before an update is made live which would include something like this.
15 comments
[ 2.8 ms ] story [ 40.3 ms ] threadThis is, IMHO, not totally what I would call responsible disclosure.
From @notch: "We took down the auth servers until they've been fixed. I'll pass on everything I learn about what's going on, just woke up. #groggy" "Also, in the future, if hackers could please not find exploits in the middle of the night on weekends, that would be great, mk?"
I have heard of cases where informing the company of a vulnerability and telling them "I will publicly disclose the vulnerability in N days" has resulted in security researchers being taken to court as a "blackmail attempt". Annoyingly I can't find the case I'm thinking of (though I've found numerous other unsettling ones such as [1]) but will update this comment if I do. One example of such madness is Dmitry Sklyarov[2] who was arrested under the DMCA's anti-circumvention laws for revealing that an e-book vendor used ROT13 to encrypt their documents.
A useful introduction to the complexity of public and responsible disclosure can be seen at the EFF's Vulnerability Reporting FAQ[3].
[1]: http://www.scmagazine.com.au/News/276780,security-researcher...
[2]: http://en.wikipedia.org/wiki/Dmitry_Sklyarov
[3]: https://www.eff.org/issues/coders/vulnerability-reporting-fa...
Especially given the fact that Notch and Mojang have played Quake with Team Avo members.
A different set of blackhats "Team Nodus Griefing" had it before the gist was up and fell into a honeypot (with packet capture to find the exploit) set by Mojang's Bukkit team and the reddit mods: http://www.reddit.com/r/Minecraft/comments/wl0zy/psa_exploit...
So I don't think this was meant to be responsible disclosure, it was more laying out the facts to get some internet cred ;)
[0] http://www.mojang.com/2012/07/houston-we-have-a-problem/
Props for the speedy fix though.