Update: The man-in-the-middle attack described in this post is now ineffective as it was fixed in Minecraft 1.3, but the solution still works if you desire extra security.
A “session stealer” exploit in Minecraft is now being used increasingly widely to gain operator privileges on a target server. Anyone with the ability (or the freely available tools) can impersonate another user, which comes in handy to gain elevated privileges on a given server. The underlying exploit is actually extremely old, and while a small number of people have long been aware of it, news broke to the greater community recently and now it is a real relevant concern. On the flip side, the bug will finally be fixed (after three years) with the release of Minecraft 1.3. Hooray public disclosure.
But I don’t want to wait for a fix
If you run a server, it’s understandable that you would want a fix now. You can ensure that you don’t expose your own account, but you also have to ensure that your own moderators do not either. That can be harder than it sounds, especially depending on who you are working with, and so some — even minor — protection to use would be nice. Unfortunately, it is not possible to fix the problem from just the server’s side, and so people have attempted to work around the problem by using a mix of some rather inconvenient solutions (mostly involving a /login command). Instead, I decided on a different novel way to protect the accounts of my moderators, described below.
- It doesn’t require any client-side changes;
- It is a one-time setup for everyone;
- It completely fixes the exploit for your server;
- And it is grossly simple to setup.
All it requires is that everyone that you want to protect to switch to connecting with a secret server address instead. This solution exploits the fact that, when you connect to a Minecraft server, the address used is sent to that server. If your friend has a special address to use, and someone foreign tries to login to the server without that special address, the server has a clear indication that your friend is not really your friend. Some examples of address that you can use include:
- noHeY.example.com
- zqTPa.example.com
- 5v9h0.example.com
- nmJka.example.com
When an attacker tries the exploit:
So, how do I actually use this?
Before you setup the Minecraft server, you have to first set up the secret domains. There are, fortunately or unfortunately, a dozen different ways to do this, all depending on your particular setup. While I can’t delve deep into this in this post, I can recommend that you setup a wildcard DNS entry if possible, so all subdomains (*.example.com) get sent to your server. That way, an attacker can’t so easily guess domains and test their guesses. Another option, however, is to use your computer’s “hosts file” (search this up) in order to manually map any domain, even one that you do not own, to point to a certain IP address. This latter option is the safest, but it is also does require a bit more work from everyone involved.
On the Minecraft server side of this fix, I have added a check feature into WorldGuard (Bukkit required) that lets you check the connecting address of certain players, which you can apply to the accounts of your moderators. Download the latest version, and then setup your plugins/WorldGuard/config.yml to look like:
Be aware that this is, however, not a proper fix. It will protect a server, but it will not protect an account. If a session gets stolen, the attacker would not be able to use it on your server, but the account can be used on any other server. There is nothing much a server owner can really do (besides more drastic measures) and we are all waiting on Mojang to properly fix this problem.
