

Minecraft Migrated Account Session Vulnerability Security Advisory - wedtm
https://gist.github.com/3115176

======
pilif
I see no mention of notifying Mojang. And even if they did and Mojang is late
with patching, I don't think it's very nice to post a public report on a
weekend. Mojang is still a comparably small company and I'm sure nobody there
is thrilled about fixing security flaws over the weekend.

This is, IMHO, not totally what I would call responsible disclosure.

~~~
Smerity
It's unlikely the case here but responsible disclosure is not always so simple
and can make 0-day public disclosure a "reasonable response".

I have heard of cases where informing the company of a vulnerability and
telling them "I will publicly disclose the vulnerability in N days" has
resulted in security researchers being taken to court as a "blackmail
attempt". Annoyingly I can't find the case I'm thinking of (though I've found
numerous other unsettling ones such as [1]) but will update this comment if I
do. One example of such madness is Dmitry Sklyarov[2] who was arrested under
the DMCA's anti-circumvention laws for revealing that an e-book vendor used
ROT13 to encrypt their documents.

A useful introduction to the complexity of public and responsible disclosure
can be seen at the EFF's Vulnerability Reporting FAQ[3].

[1]: <http://www.scmagazine.com.au/News/276780,security-researcher-threatened-with-vulnerability-repair-bill.aspx>

[2]: <http://en.wikipedia.org/wiki/Dmitry_Sklyarov>

[3]: <https://www.eff.org/issues/coders/vulnerability-reporting-faq>

~~~
rmc
Yes, that approach is the wrong approach. "Responsible Disclosure" works both
ways. The company with the software gets the vulnerability before the public,
but they have to not try to sue/prosecute the security researcher. If
companies are known to attack security researchers like you mention, then they
can forget about responsible disclosure. Those companies will find out about
vulnerabilities in the newspapers. Can't have your cake and eat it.

------
alt_
"UPDATE: Woohoo! Things are back up and running perfectly! Thank you all for
being patient while things were fixed. Also major props to Grum, Dinnerbone,
and Leo who were out of bed and in to action in the blink of an eye!"[0]

[0] <http://www.mojang.com/2012/07/houston-we-have-a-problem/>

------
buttscicles
I'd have thought ensuring a session ID was only valid for a single account
would have been the first thing to test when developing an authentication
system. Perhaps not in Sweden.

~~~
mollstam
Yes, because it was clearly not a bug.

~~~
buttscicles
It's obvious it was a bug introduced somewhere (actually it seemed to me like
something was commented out for testing purposes and forgotten about, though
maybe that's just because I'm forgetful), but I'd have hoped there are a few
tests that are run before an update is made live which would include
something like this.

Props for the speedy fix though.
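The kind of pre-release check the comment above is asking for, as an added example that is not code from the original thread and not Mojang's implementation: a hypothetical in-memory session store with a weak validator that only asks "does this session ID exist?" beside a correct one that also checks the session is bound to the account the client claims to be, and a regression test that a session issued for one account is rejected for another. The store, the `alice`/`bob` accounts and the method names are all constructed for illustration; nothing here describes how the actual Minecraft bug was introduced.

```python
"""Session-to-account binding check (hypothetical illustration, not Mojang code)."""
import hmac
import secrets


class SessionStore:
    """Constructed in-memory store mapping session_id -> the username it was issued for."""

    def __init__(self):
        self._sessions = {}

    def issue(self, username):
        """Mint a random session ID and record which account owns it."""
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = username
        return session_id

    def validate_broken(self, session_id, claimed_username):
        """Weak check: any known session ID is accepted for any username.

        This is the failure mode the thread describes: the session itself is
        genuine, but nothing ties it to the account the client says it is.
        """
        return session_id in self._sessions

    def validate_bound(self, session_id, claimed_username):
        """Correct check: the session must exist AND belong to the claimed account."""
        owner = self._sessions.get(session_id)
        if owner is None:
            return False
        # Constant-time compare so timing does not leak the owner name.
        return hmac.compare_digest(owner.encode(), claimed_username.encode())


def session_is_account_bound(validator_name):
    """Regression test to run before an update goes live.

    A session issued for 'alice' must be accepted for alice, rejected for
    'bob', and an unknown session ID must be rejected outright.
    Returns True when the named validator passes all three checks.
    """
    store = SessionStore()
    validate = getattr(store, validator_name)
    alice_session = store.issue("alice")
    store.issue("bob")  # a second account exists on the same server

    accepted_for_owner = validate(alice_session, "alice")
    accepted_for_other = validate(alice_session, "bob")
    rejected_unknown = not validate("not-a-real-session", "alice")
    return accepted_for_owner and not accepted_for_other and rejected_unknown


if __name__ == "__main__":
    for name in ("validate_broken", "validate_bound"):
        status = "PASS" if session_is_account_bound(name) else "FAIL"
        print(f"{name}: {status}")
```

Run as a script it reports `validate_broken: FAIL` and `validate_bound: PASS`; the same `session_is_account_bound` check dropped into a test suite would have flagged the weak validator before deployment, which is the point the comment makes.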

