Is the Session Stealer exploit fixed?

Discussion in 'Bukkit Discussion' started by APhilosopher, Jul 15, 2012.

Thread Status:
Not open for further replies.
  1. APhilosopher

    I'm being told by players of my server that the reason for the downtime earlier/yesterday was to patch this exploit. I have googled my butt off and this is all I have found relating to this issue:

    http://twitter.com/xlson/status/224444654421164032

    https://twitter.com/#!/search/#minecraft

    http://www.minecraftforum.net/topic...porarily-offline-fix-for-exploit-in-progress/

    http://www.minecraftforum.net/ <-- front page news atm

    http://www.reddit.com/r/Minecraft/comments/wl0zy/psa_exploit_in_minecraft_login_server_hackers_can/

    So am I to assume this means the session stealer exploit has been FIXED? So I can now log on to any server and have no fear for my account or my own server's security?

    The main reason for my confusion here is that it is very hard for me to consider Twitter an official source of information in any regard, even for Minecraft, yet that is the only (semi-)official source I was able to find regarding this.

    Typically, when it comes to Minecraft news, the source I consider most official and trusted is here, www.bukkit.org, yet I see no mention of this fix on here, and I see that all the AuthMe plugins which attempted to fix this via a workaround are still active and being developed.

    So I pose this question to you experts here on Bukkit: please reassure me, has the session stealer exploit been fixed?

    (Sorry if I rambled on excessively over a single simple question :D xD)
     
  2. c0mp

  3. Jade

  4. c0mp

    I'm sure there are other ways, yes, but the one that caused all the hubbub, partly *because* it was not a MITM attack, was addressed.
     
  5. Jade

    Yeah, but he was asking about the MITM, which is Session Stealer. At least, that's what I read.
     
  6. c0mp

    Perhaps I misunderstood, then. It looked like most of his links were referencing the Mojang converted-account bug, so I assumed that's what was being referred to. Bottom line, though: the one that everyone's been talking about for the past few days was fixed, yes. But as with just about any other software/service, where there's a will, there's unfortunately almost always a way. :p
     
  7. APhilosopher

    The session stealer method was the only one I was aware of xD, so it sounds like they patched a different issue this time, one that I didn't even know about, yet the session stealer method has not been patched yet.

    Am I understanding that right?

    So I still need to be cautious not to log onto servers I do not trust, am I right?

    This is sad, because I used to log onto about 10 new servers every day; I was trying to surf the competition, so to speak. Yet when I found out about the session stealer issue back in April, that all stopped. Since April I have not logged on to any server other than my own, for fear of my account's security, and I am committed to remaining on my own server alone until session stealer is fixed,

    and I am very, very anxious for it to be fixed,

    hence why I'm trying so hard to find out what the status of that is.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 27, 2016
  8. c0mp

    Your first Twitter link, both minecraftforum.net links, the Reddit article, and the Mojang link that I posted are all regarding the Mojang converted-account bug, which is what Mojang brought down the auth servers and worked so diligently this morning to address. They noted in the Reddit article that investigation of the connection showed that it wasn't your typical session stealing exploit:

    You should always be cautious of where you're sending secure credentials. :)
     
  9. APhilosopher

    I had thought the only place my secure credentials were sent WAS the Minecraft auth servers, and that they simply give permission to online-mode servers to allow me to log on after verifying my password.

    This way I could log into any server, and the only server actually handling my secure information IS minecraft.net.

    So you are telling me that when logging into a server, enough info is made available to that server to decipher my secure credentials?
     
  10. LEOcab

    Nah. They can't get your password, but they can log into any server without it by freezing your session and then resuming it with a special hacked client to connect to another server. At least that's how someone explained it to me.
     
  11. Toxic__Waste

    As you can read, this latest attack was on Mojang and the migration of user names; they say that was fixed. Remember this is an open-source game and there will always be risks. As server owners, my suggestion to you is to admin and own on one name and have another that has no power on your server to run on other servers.

    I did have an ass addy an IP on my server, and I did go there, and yes, they came back: I was de-opped and they were opped. I knew of the session stealing; I was just pissed, lol. Luckily I was at the console, de-opped them fast and jailed them. I was able to laugh at them at that point before banning their IP. But I will never use my owner/admin name to ever go on other servers again; it's not worth it. Just like you download mods to protect your server, they can have mods to steal.
     
  12. TnT

    For the MITM attack to be corrected, it requires a client fix.

    The snapshots have this fix in place already.
     
  13. sillyrosster

    Meaning it still works on 1.2.5 :(
     
  14. APhilosopher

    So, as I had thought, the proper function of Minecraft DOES NOT allow any server to handle any secure credentials, and this Session Stealer exploit is a matter of servers handling a secure credential which they should not have to handle (or which should not be considered a secure credential, yet is).

    The short answer seems to be: no, it isn't fixed yet; yes, it will be eventually; and after it is, it will again be safe to surf other servers, that is, until a whole new exploit appears, as it likely will.

    And yeah, I'm gonna be buying a whole new account just so I can resume server surfing.
     
  15. c0mp

    I should mention that my statement above regarding secure credentials was more of a general warning about where you think you're logging into, whether it be a Minecraft server, a banking website, etc.

    In the case of Minecraft specifically, your actual credentials are sent to the Minecraft auth servers, which tell the server that you're logging into that it's cool to let you in (an abstraction of your credentials).
     
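An added illustration, not code from this thread, from Bukkit or from Mojang: a toy Python model of the flow c0mp describes in post 15 (the password goes only to the auth servers, which then vouch for the player to the game server) and of the relay LEOcab describes in post 10, next to one way a client-side change can close it, which is the kind of fix TnT says in post 12 is required. The auth service, the two server types, the message shapes and the deliberately tiny Diffie-Hellman group are all assumptions made for illustration; the example shows the channel-binding idea, not Mojang's actual protocol or implementation.

```python
"""Toy model of session login and the relay the thread calls "session stealing".
Not the Minecraft protocol or Mojang code; names and DH parameters are assumed."""
import hashlib
import hmac
import secrets

P, G = 2**127 - 1, 5  # assumption: toy Diffie-Hellman group, not for real use

def server_id(server_pub, shared):
    return hashlib.sha256(f"{server_pub}:{shared}".encode()).hexdigest()

def mac(shared, text):
    key = hashlib.sha256(str(shared).encode()).digest()
    return hmac.new(key, text.encode(), "sha256").hexdigest()

class AuthServer:
    """Only party that sees the password; game servers ask it about joins."""
    def __init__(self):
        self.sessions, self.joins = {}, set()  # sid -> user; (user, server_id)
    def login(self, username, password):  # password check elided in the model
        sid = secrets.token_hex(8)
        self.sessions[sid] = username
        return sid
    def join_server(self, username, sid, server_id):
        if self.sessions.get(sid) != username:
            raise PermissionError("unknown session")
        self.joins.add((username, server_id))
    def check_server(self, username, server_id):
        found = (username, server_id) in self.joins
        self.joins.discard((username, server_id))  # one-time use
        return found

class LegacyServer:
    """Weak: the server id is an opaque string with no tie to the connection."""
    def __init__(self, auth):
        self.auth, self.sid = auth, secrets.token_hex(8)
    def handshake(self):
        return self.sid
    def login(self, username, client_pub=None):
        return self.auth.check_server(username, self.sid)

class FixedServer:
    """Client-side fix: the server id and all later traffic depend on a secret
    that a relay can only forward, never learn."""
    def __init__(self, auth):
        self.auth, self.keys = auth, {}
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)
    def handshake(self):
        return self.pub
    def login(self, username, client_pub):
        shared = pow(client_pub, self.priv, P)
        ok = self.auth.check_server(username, server_id(self.pub, shared))
        if ok:
            self.keys[username] = shared
        return ok
    def command(self, username, tag, text):  # accept only MAC'd commands
        shared = self.keys.get(username)
        return shared is not None and hmac.compare_digest(tag, mac(shared, text))

class RogueRelay:
    """Malicious server: forwards the target's handshake to the victim, then
    presents the victim's name to the target (the relay the thread describes)."""
    def __init__(self, target):
        self.target, self.hijacked = target, False
    def handshake(self):
        return self.target.handshake()
    def login(self, username, client_pub=None):
        self.hijacked = self.target.login(username, client_pub)
        return True  # the victim sees an ordinary successful join

def legacy_join(auth, username, sid, server):  # honest legacy client
    auth.join_server(username, sid, server.handshake())
    return server.login(username)

def fixed_join(auth, username, sid, server):  # honest fixed client
    server_pub = server.handshake()
    client_priv = secrets.randbelow(P - 2) + 2
    shared = pow(server_pub, client_priv, P)
    auth.join_server(username, sid, server_id(server_pub, shared))
    server.login(username, pow(G, client_priv, P))
    return shared  # the client keys its traffic with this

def demo():
    auth = AuthServer()
    sid = auth.login("victim", "hunter2")  # constructed sample player
    rogue = RogueRelay(LegacyServer(auth))
    legacy_join(auth, "victim", sid, rogue)
    stolen = rogue.hijacked  # legacy: the relay is now logged in as the victim
    target = FixedServer(auth)
    shared = fixed_join(auth, "victim", sid, target)  # direct, honest join
    genuine = target.command("victim", mac(shared, "hello"), "hello")
    relay = RogueRelay(target)
    fixed_join(auth, "victim", sid, relay)  # the handshake relays fine...
    forged = target.command("victim", mac(0, "op rogue"), "op rogue")  # ...no key
    return stolen, genuine, relay.hijacked, forged  # (True, True, True, False)
```

Running demo() returns (True, True, True, False). Against the legacy server the relay ends up accepted as the victim without ever seeing the password or the session id, which matches LEOcab's description. Against the fixed server the relayed handshake is still accepted, but every command has to carry a MAC under the secret that only the real client and the real server share, so the relay holds a connection it cannot use. The auth service is identical in both runs; the difference is entirely in what the client does, which is why, as TnT says, the fix has to ship in the client.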
  16. APhilosopher

    Awesome, thank you for your help clarifying this. I have linked this thread from our own forums for our server to aid the players in understanding the risk involved.

    Thank you everyone :D
     