Summary
Impersonation of other users (passing XBOX Live authentication) by theft of logins in PocketMine-MP
Technical details
click to expandBasics
- The client generates a private ECC key
clientPrivwhich it uses to complete ECDH for encryption. - A JWT containing the public key
clientPubcorresponding to this key is signed by Microsoft servers with the Mojang root public keymojangPub. - The server verifies that the token was issued by Microsoft servers by verifying the JWT signature with
mojangPub.
Why this is a problem
However, this only ensures that the token was issued by Microsoft. It does not ensure that the client actually possesses the private key corresponding to the public key in the token.
In a login replay attack, the attacker sends a login captured from another session. This login is valid because it is verifiable by mojangPub; however, without encryption, the server doesn't know that the client actually possesses clientPriv, and the authenticity of the client cannot be verified.
How encryption prevents the attack
- The server calculates a shared secret for encryption using ECDH of
serverPrivandclientPub. - It then signs a return token using
serverPrivand sends this to the client, along withserverPub. - The client then verifies the JWT using
serverPub, and calculates the same shared secret as the server usingclientPrivandserverPub.
If the client does not possess clientPriv (i.e. because it replayed a stolen login), then the session cannot proceed once encryption is enabled, since the client cannot calculate the shared secret needed to decrypt the server packets and encrypt its own packets.
Since PM3 does not implement protocol encryption, this means that ALL versions of PM3 are affected by this login stealing attack.
How does the attacker capture a login in the first place?
The typical way to do this would be to trick a player into joining a server controlled by the attacker. This would allow the attacker to grab the login from the connection and store it for future use.
Are the logins valid forever?
No. All the JWTs have expiry dates after which they cannot be used. These expiry dates are typically 2-3 days after the token was issued by XBOX servers. PocketMine-MP 3.x does verify these expiry dates, so the use-by dates of these attacks are limited.
Workarounds
- Use a proxy that supports encryption such as gophertunnel between your server and players. Make sure that the server only accepts connections from the proxy. If the proxy is on the same machine as the server, you can use
server-ip=127.0.0.1to ensure that only the proxy can create connections for you.
The following things may help mitigate the problem:
- Verify that the
LoginPacketserverAddressfield is the same as the server's exposed domain name. For example: https://github.com/JustTalDevelops/AntiLoginForger
WARNING: THIS DOES NOT SOLVE THE ROOT ISSUE. YOU WILL REMAIN VULNERABLE UNLESS YOU UPGRADE.
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Impact
Minecraft Bedrock authentication and its protocol encryption are inseparably linked. One is not complete without the other.
This vulnerability affects servers which are able to be directly connected to via the internet (i.e. not behind a proxy).
If you are using a proxy, please check that it supports protocol encryption and that it is enabled.
GHSA-H79X-98R2-G6QC has a CVSS score of 4.7 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.0.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
This problem has been fixed in all 4.x versions by implementing Minecraft protocol encryption.
This has not yet been addressed on 3.x, but since this vulnerability is already public knowledge, the advisory has been released early to make sure people are aware of it and the mitigation steps they can take.
Update 2022-01-22: This has been fixed on 3.x by d28be4eaf24a890f7ef110a51181a3d806a6acca.
Frequently Asked Questions
- What is GHSA-H79X-98R2-G6QC? GHSA-H79X-98R2-G6QC is a medium-severity security vulnerability in pocketmine/pocketmine-mp (composer), affecting versions >= 3.0.0, < 4.0.0. It is fixed in 4.0.0.
- How severe is GHSA-H79X-98R2-G6QC? GHSA-H79X-98R2-G6QC has a CVSS score of 4.7 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of pocketmine/pocketmine-mp are affected by GHSA-H79X-98R2-G6QC? pocketmine/pocketmine-mp (composer) versions >= 3.0.0, < 4.0.0 is affected.
- Is there a fix for GHSA-H79X-98R2-G6QC? Yes. GHSA-H79X-98R2-G6QC is fixed in 4.0.0. Upgrade to this version or later.
- Is GHSA-H79X-98R2-G6QC exploitable, and should I be worried? Whether GHSA-H79X-98R2-G6QC is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-H79X-98R2-G6QC is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-H79X-98R2-G6QC? Upgrade
pocketmine/pocketmine-mpto 4.0.0 or later.