Hi all,
Unfortunately, AHG was notified of two separate vulnerabilities that may have resulted in unauthorized access to our users' IP addresses. In accordance with Responsible Disclosure principles, we are committed to being as transparent as possible with these incidents after we've confirmed their remediation. This delay is necessary because vulnerability announcements usually lead to an uptick in bad actors attempting to find similar existing vulnerabilities. This means we have to not only fix the reported vulnerability, but also verify that it doesn't exist anywhere else.
TTT Vulnerability
- On September 27th, @Temar was notified of a vulnerability that allowed any user connected to our TTT server to access the IP address of any other connecting or disconnecting user in their session.
- The source of this issue was a part of AHG's custom codebase that was being used on all of our TTT servers since their launch.
- The vulnerability was identified and fixed within one hour of AHG being notified about its existence, but it took until today for us to review the entire codebase to confirm that there are no other vulnerabilities similar in origin.
- The vulnerability itself was not easy to find, and required the use of third-party tools to extract information from the game.
- We are not able to confirm if anyone exploited this vulnerability.
Minecraft Vulnerability
- On October 2nd, I was notified of a data leakage that was logging the IP addresses of every connecting Minecraft player to a third-party Discord.
- The source of this issue was a Minecraft plugin that logged server console information to Discord channels. When we received the Minecraft plugins and configs from the original host, Temar and I were unaware that this logging would be included.
- The leak was fixed within an hour of it being reported on the forums and a third director verified that the logs had been deleted.
- The only two people who had access to these logs before they were deleted are Nathan776 and Jabba/Ethan.
- We are informing the community about this in compliance with GDPR. We believe that the purpose of the logging was legitimate and proper while Nathan ran the server, but both parties seemed to be unaware that the logging would continue when the server content was transferred to AHG's own Minecraft server.
On behalf of AHG, I apologize for these incidents. We take our users' privacy very seriously, and we will be implementing new development protocols to prevent these incidents from happening again.
If you have any questions, please feel free to post them here or DM me via Discord.
~Pierogi