Recently, the servers of Mojang’s extremely popular social video game Minecraft suffered an exploit that allowed users to log in as anyone they desired. Unlike the usual news of hacks, this didn’t mean that anyone gained access to databases of sensitive information or exfiltrated usernames and passwords; instead the exploit allowed users to log into the servers and pretend to be someone else.

“The hack does not expose your passwords or other personal details”, Minecraft creator Marcus “Notch” Persson wrote on Twitter, “it only let you log in as anyone by doing something with the session it.”

The exploit was quickly announced and just as quickly patched by Mojang and now their servers are running normally again,

We are aware of the security issues (people using others’ usernames NOT any leak of passwords or personal information) involved with the Minecraft authorization servers and are currently working to fix it…

UPDATE: Woohoo! Things are back up and running perfectly! Thank you all for being patient while things were fixed. Also major props to Grum, Dinnerbone, and Leo who were out of bed and in to action in the blink of an eye!

According to sources across the Internet about people attempting the exploit, it involved migrating an account from Minecraft proper to a Mojang account and this accidentally enabled the authentication servers to permit players to login as anyone else. It’s unknown if this gave people access to the items in the inventory of the person they logged in as—or if it just produced a doppelganger. In some instances the impersonated Notch did have admin or moderator privileges on certain servers.

People immediately started using the exploit to log in as Notch to Minecraft servers—as everyone knows imitation is the greatest form of flattery—and this is exactly what probably caught the initial exploit. In fact, some YouTube videos appeared showing off the exploit in use.

Identity as authentication on networks and virtual worlds

Identity in general is very important in cyberspace. When people have their accounts hacked, especially on social media, they’re not looted for their contents as much as hijacked for their ability to access other people. Some of the most insidious Facebook account hacks have been when a hostile party took control of the account and attempted to impersonate the user there. The attacker then pretended to be that person stranded in a foreign country in order to scam money out of friends and family.

Sophisticated authentication social engineering leaves friends and networks vulnerable to attackers pretending to be authorized parties.

In the context of social media and online communities often the only thing between a person and everyone else is their avatar, name, and profile connected to that account. Granular mechanisms for proving identity have been generated for more confidential environments (including re-entering password or supplying a signed public key) to alleviate these sorts of social engineering tricks; but they’re not common in highly informal environments such as Minecraft.

In the case of the account hijack on Facebook many impersonators are found out when they fail to behave like the account they’re impersonating—these are essentially social identity and authentication standards—but in environments where attackers receive everything they need from a network to dopplegang the account there may be little way to tell the difference without external authenticators as mentioned previously.

Meanwhile, the impersonation exploit may be fixed; but be sure to quiz any Notch who appears on your server. It may yet not be the famous Minecraft Notch after all.