Minecraft Beta pre-1.8's lack of authentication
Affected versions covered by this article range up to July 8, 2011.
==Background==
In version Beta 1.8, Mojang changed the endpoint used for authentication on Minecraft servers from "www.minecraft.net" to "session.minecraft.net". An unknown amount of time later, the original authentication endpoint was shut down, breaking authentication support for several old Minecraft versions, despite no actual changes in the behaviour of the endpoint. The latter endpoint still works, despite being insecure (it supports HTTP requests, with the token carried in the URL parameters) - this means that the shutdown was likely not motivated by a security concern.
Lack of authentication has caused several Minecraft servers to:
*lose part of the playerbase due to the need to mod the game client (and server) to fix the authentication issue,
*become completely insecure by allowing non-premium Minecraft users to join (e.g. this opens the risk of botting the server, or brute-forcing user login passwords),
*break the EULA of the game by allowing non-premium Minecraft users to join their server.
==Timeline==
===Mar 30, 2014===
A post titled "[https://bukkit.org/threads/cant-connect-to-my-beta-1-7-3-bukkit-server.250510/ Cant connect to my beta 1.7.3 bukkit server]" appeared on the bukkit.org forums - it seems to be the earliest mention of the issue, as a forum staff member (at the time) stated that "[https://bukkit.org/threads/cant-connect-to-my-beta-1-7-3-bukkit-server.250510/#post-2370332 older MC versions (...) no longer authenticate properly with Mojang's servers]".
===September 10th, 2019===
A user named "[https://web.archive.org/web/20200414095750/https://bugs.mojang.com/browse/WEB-1429 Rhys B]" [https://bugs.mojang.com/browse/WEB-1429 reported a lack of authentication support] for older versions of Minecraft (affecting versions preceding Beta 1.8) on Mojang's bug reporting website, where they explained the root cause of the issue.
===October 25th, 2021===
Mojang Studios left their [https://web.archive.org/web/20211204004633/https://bugs.mojang.com/browse/WEB-1429 first note] on the issue, stating that they're "planning to work on this during the first quarter of 2022".
===April 27th, 2022===
The note [https://web.archive.org/web/20220429191927/https://bugs.mojang.com/browse/WEB-1429 has been changed], stating that they're "planning to work on this during the first quarter of 2022", where a Mojang staff member (at the time) stated that "it has been pushed back slightly" (see: latest comment under the [https://web.archive.org/web/20220429191927/https://bugs.mojang.com/browse/WEB-1429 archived version of the website]).
==Current situation==
The note states that they "will look into this during October-December 2022", while the issue isn't resolved to this day. It's hard to tell whether the latest note is real or not, as a moderator of Mojang's bug tracker has stated that the original author has "[https://bugs.mojang.com/browse/WEB-1429?focusedId=1276309&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-1276309 added an official-looking notice without consent from bug tracker staff]", but the previous notes are likely to be real (see: April 27th, 2022 on the timeline).
It's currently the most [https://bugs.mojang.com/projects/WEB/issues/WEB-1429?filter=allopenissues&orderby=watchers+DESC%2C+priority+DESC%2C+updated+DESC watched] and [https://bugs.mojang.com/projects/WEB/issues/WEB-6665?filter=allopenissues&orderby=votes+DESC%2C+priority+DESC%2C+updated+DESC upvoted] issue in the "Mojang Web Services" category, with almost 300 votes and nearly 180 viewers.
==Scale of the issue==
Nostalgia-related Minecraft servers, such as [https://puucraft.net/ PuuCraft] (6,000 players total, as stated on the website) and [https://www.retromc.org/ RetroMC] (around [https://statistics.retromc.org/ 10 players daily]) still exist and run on version Beta 1.7.3 of the game - that means they're unable to authenticate their players (whether they want to or not). Any sort of "nostalgia trip" with friends also requires server and client modifications to prevent bad actors from accessing the server (assuming the whitelist is enabled).
==Community intervention==
===Securely fixing the game client===
On November 2nd, 2021 a user named "craftycodie" [https://github.com/Mojang/LegacyLauncher/pull/33 made a pull request] on Mojang's GitHub repository, [https://github.com/Mojang/LegacyLauncher/ LegacyLauncher]. LegacyLauncher is Mojang's way of running older versions of Minecraft in the modern launcher, and it's capable of modifying the game's behaviour - it fixes issues and incompatibilities that have appeared over time without having to re-release older versions of the game. The pull request made by "craftycodie" fixes several issues, including authentication support. It uses Mojang's latest authentication methods (only in versions older than Beta 1.8 as of now, with a suggestion of improvement), which are far more secure than the approach that no longer works. Mojang has never accepted nor responded to the pull request, despite it having 30 reactions, 28 approvals and 27 comments from the GitHub community.
===Securely fixing the game server===
Released on October 1st, 2020 by a user named "craftycodie", [https://github.com/craftycodie/OnlineModeFix OnlineModeFix] is one of the ways of fixing the authentication issue for Minecraft servers. While Mojang doesn't need to patch it, because it's easy for server owners to fix the authentication method by themselves, they didn't release any fixed server files, nor solutions to the problem.
==Workarounds==
While the core issue is caused by Mojang ignoring the playerbase, there are a few more or less secure ways of fixing the issue.
===Client===
====Using an unofficial launcher====
This is the easiest, widest (and in some cases most secure) fix for the client side of the issue.
Some trusted open-source Minecraft launchers such as [https://github.com/PrismLauncher/PrismLauncher/pull/443 Prism Launcher] have implemented craftycodie's [https://github.com/Mojang/LegacyLauncher/pull/33 pull request] in their launchers. You can use them to bring back authentication to the game.
====Using a proxy====
You can proxy all requests coming from "<nowiki>http://www.minecraft.net/game/(...)</nowiki>" to "<nowiki>https://session.minecraft.net/game/(...)</nowiki>". Note that this is still less secure than the first method, unless you proxy the request to Mojang's [https://minecraft.wiki/w/Mojang_API#Verify_login_session_on_client latest authentication method].
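The URL mapping such a proxy has to perform, as an added example that is not part of the original article or of any project it mentions: it forwards only legacy "/game/" requests, upgrades them to HTTPS, and redacts query values before logging, since the token travels in the URL parameters. The function names, the path after "/game/" and the parameter names in the sample are constructed placeholders.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LEGACY_HOST = "www.minecraft.net"        # old endpoint host (from the article)
SESSION_HOST = "session.minecraft.net"   # replacement host (from the article)
PATH_PREFIX = "/game/"                   # only this path prefix is proxied


def rewrite_legacy_auth_url(url):
    """Map a legacy auth URL to its HTTPS session.minecraft.net form.

    Returns None for anything that is not a legacy /game/ request, so the
    proxy never forwards arbitrary traffic.
    """
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:               # malformed port such as ":abc"
        return None
    if parts.scheme != "http" or port not in (None, 80):
        return None
    # Exact host match: rejects look-alike domains and "user@host" tricks.
    if (parts.hostname or "").lower() != LEGACY_HOST:
        return None
    if parts.username or parts.password:
        return None
    if not parts.path.startswith(PATH_PREFIX) or ".." in parts.path.split("/"):
        return None
    # Upgrade to HTTPS so the token in the query string is encrypted upstream.
    return urlunsplit(("https", SESSION_HOST, parts.path, parts.query, ""))


def redact_for_log(url):
    """Blank every query value so the session token never lands in proxy logs."""
    parts = urlsplit(url)
    names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    query = urlencode([(name, "REDACTED") for name in names])
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


if __name__ == "__main__":
    # Constructed request: path and parameter names are placeholders.
    sample = "http://www.minecraft.net/game/PLACEHOLDER?name=Steve&token=SECRET"
    print(redact_for_log(rewrite_legacy_auth_url(sample)))
```

The hop from the game client to the proxy is still plain HTTP, so this only protects the token when the proxy runs on the same machine or a trusted network.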
====Editing the game's source code====
You can edit the game's source code to change the old request URL (see: using a proxy). Note that Minecraft's source code is obfuscated and class/field/method names vary depending on the version of the game, so there is no strict guide on how to do it - you have to manually search for the URL to replace it, or patch it for an even more secure experience.
===Server===
====Using open-source fixes====
This is the easiest fix for the server side of the issue.
You can use [https://github.com/craftycodie/OnlineModeFix OnlineModeFix] to fix the issue - you can use it as a plugin, or even as the launcher in the vanilla version of the server.
====Other ways====
For other ways to address the issue, see client workarounds. Note that the full authentication link slightly differs between client and server.
[[Category:Software]]
[[Category:Incidents]]