Minecraft Beta pre-1.8's lack of authentication

From Consumer_Action_Taskforce
Revision as of 10:18, 9 February 2025 by Waldo (Community intervention: Rename to Community response: to fit the template)

Minecraft is a video game made by Mojang Studios (owned by Microsoft and Xbox Game Studios since 2014). It was officially released on 18 September 2011, but development builds had been publicly available since 17 May 2009.

Affected versions covered by this article range up to July 8, 2011.

Background

In Beta 1.8, Mojang changed the endpoint used for authentication on Minecraft servers from "www.minecraft.net" to "session.minecraft.net". An unknown amount of time later, the original endpoint was shut down, breaking authentication for several old Minecraft versions even though the endpoint's behaviour itself had never changed. The newer endpoint still works, despite being insecure (it accepts plain HTTP requests, with the session token carried in the URL query parameters), which suggests that the shutdown was not motivated by security concerns.

Lack of authentication has caused several Minecraft servers to:

  • lose part of their playerbase, because players need to mod the game client (and the server) to fix the authentication issue,
  • become completely insecure by allowing non-premium Minecraft users to join (which, for example, opens the server to botting and to brute-forcing of user login passwords),
  • break the game's EULA by allowing non-premium Minecraft users to join their server.

Timeline

March 30th, 2014

A post titled "Cant connect to my beta 1.7.3 bukkit server" appeared on the bukkit.org forums; it seems to be the earliest mention of the issue, as a forum staff member (at the time) stated that "older MC versions (...) no longer authenticate properly with Mojang's servers".

September 10th, 2019

A user named "Rhys B" reported the lack of authentication support for older versions of Minecraft (those preceding Beta 1.8) on Mojang's bug reporting website, where they explained the root cause of the issue.

October 25th, 2021

Mojang Studios left their first note on the issue, stating that they were "planning to work on this during the first quarter of 2022".

April 27th, 2022

The note was changed to state that they "will look into this during summer 2022", and a Mojang staff member (at the time) commented that "it has been pushed back slightly" (see the latest comment under the archived version of the website).

Current situation

The note now states that they "will look into this during October-December 2022", but the issue remains unresolved to this day. It is hard to tell whether the latest note is genuine, as a moderator of Mojang's bug tracker has stated that the original author "added an official-looking notice without consent from bug tracker staff"; the previous notes, however, are likely genuine (see April 27th, 2022 in the timeline).

It is currently the most watched and upvoted issue in the "Mojang Web Services" category, with almost 300 votes and nearly 180 viewers.

Scale of the issue

Nostalgia-related Minecraft servers such as PuuCraft (6,000 players in total, as stated on its website) and RetroMC (around 10 players daily) still exist and run on Beta 1.7.3 of the game, which means they are unable to authenticate their players (whether they want to or not). Any sort of "nostalgia trip" with friends also requires server and client modifications to keep bad actors off the server (assuming a whitelist is enabled).

Community response

Securely fixing the game client

On November 2nd, 2021, a user named "craftycodie" opened a pull request against LegacyLauncher, Mojang's GitHub repository for running older versions of Minecraft in the modern launcher. LegacyLauncher is capable of modifying the game's behaviour, fixing issues and incompatibilities that have appeared over time without re-releasing older versions of the game. The pull request fixes several issues, including authentication support: it uses Mojang's latest authentication methods (only for versions older than Beta 1.8 as of now, with a suggested improvement), which are far more secure than the no-longer-working approach. Mojang has never accepted nor responded to the pull request, despite it having 30 reactions, 28 approvals and 27 comments from the GitHub community.

Securely fixing the game server

Released on October 1st, 2020 by a user named "craftycodie", OnlineModeFix is one of the ways of fixing the authentication issue for Minecraft servers. While Mojang does not strictly need to patch the server, since it is easy for server owners to fix the authentication method themselves, Mojang has released neither fixed server files nor any other solution to the problem.

Workarounds

While the core issue persists because Mojang has ignored it, there are a few more or less secure ways of working around it.

Client

Using an unofficial launcher

This is the easiest, most widely applicable (and in some cases most secure) fix for the client side of the issue.

Some trusted open-source Minecraft launchers, such as Prism Launcher, have incorporated craftycodie's pull request into their launchers. You can use them to bring authentication back to the game.

Using a proxy

You can proxy all requests going to "http://www.minecraft.net/game/(...)" to "https://session.minecraft.net/game/(...)". Note that this is still less secure than the first method, unless you proxy the requests to Mojang's latest authentication method instead.
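The rewrite described above, as an added example that is not part of this article or of any of the projects it mentions: a minimal local HTTP proxy that forwards only old-endpoint authentication requests to the newer host over HTTPS, leaving the path and query string (and therefore the slightly different client and server links) untouched. The proxy listens on 127.0.0.1:8080 and the Content-Type of the relayed response is an assumption.

```python
import http.server
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hosts named in the article. Path and query string are passed through unchanged,
# so the same rewrite serves the (slightly different) client and server endpoints.
OLD_HOST = "www.minecraft.net"
NEW_HOST = "session.minecraft.net"

def rewrite_auth_url(url: str) -> Optional[str]:
    """Map an old-endpoint auth URL to its session.minecraft.net equivalent.

    Returns None for anything that is not an authentication request, so the
    proxy never forwards unrelated traffic. Only scheme and host change; the
    query string (which carries the session token) now travels over TLS.
    """
    parts = urlsplit(url)
    if parts.hostname != OLD_HOST or not parts.path.startswith("/game/"):
        return None
    return urlunsplit(("https", NEW_HOST, parts.path, parts.query, ""))

class AuthProxy(http.server.BaseHTTPRequestHandler):
    """Forwards rewritten authentication requests and relays the response."""

    def do_GET(self):
        # In proxy mode the game sends an absolute URL; if the old host is instead
        # pointed at this machine (e.g. via the hosts file), only a path arrives.
        url = self.path if self.path.startswith("http") else (
            f"http://{self.headers.get('Host', '')}{self.path}")
        target = rewrite_auth_url(url)
        if target is None:
            self.send_error(404, "not an authentication request")
            return
        try:
            with urllib.request.urlopen(target, timeout=10) as resp:
                status, body = resp.status, resp.read()
        except urllib.error.HTTPError as err:
            status, body = err.code, err.read()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")  # assumed; relay as plain text
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    http.server.HTTPServer(("127.0.0.1", 8080), AuthProxy).serve_forever()
```

Anything that is not an old-endpoint request under "/game/" is rejected with 404 rather than forwarded, so the proxy cannot be used to relay arbitrary traffic.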

Editing the game's source code

You can edit the game's source code to change the old request URL (see: Using a proxy). Note that the Minecraft source code is obfuscated and class, field and method names vary between versions of the game, so there is no strict guide on how to do it; you have to search for the URL manually and either replace it or, for an even more secure result, patch it to use the newer authentication method.

Server

Using open-source fixes

This is the easiest fix for the server side of the issue.

You can use OnlineModeFix to fix the issue, either as a plugin or even as the launcher for the vanilla version of the server.

Other ways

For other ways to address the issue, see the client workarounds. Note that the full authentication URL differs slightly between client and server.