Important Responsible Disclosure Announcement

Dark Pierogi

Special Properations
Director
Developer
Prestigious
VIP
Legacy
Hi all,
Unfortunately, AHG was notified of two separate vulnerabilities that may have resulted in unauthorized access to our users' IP addresses. In accordance with Responsible Disclosure principles, we are committed to being as transparent as possible with these incidents after we've confirmed their remediation. This delay is necessary because vulnerability announcements usually lead to an uptick in bad actors attempting to find similar existing vulnerabilities. This means we have to not only fix the reported vulnerability, but also verify that it doesn't exist anywhere else.

TTT Vulnerability
  • On September 27th, @Temar was notified of a vulnerability that allowed any user connected to our TTT server to access the IP address of any other connecting or disconnecting user in their session.
  • The source of this issue was a part of AHG's custom codebase that was being used on all of our TTT servers since their launch.
  • The vulnerability was identified and fixed within one hour of AHG being notified about its existence, but it took until today for us to review the entire codebase to confirm that there are no other vulnerabilities similar in origin.
  • The vulnerability itself was not easy to find, and required use of third party tools to extract information from the game.
  • We are not able to confirm if anyone exploited this vulnerability.
Users Potentially Affected: Anyone who's ever connected to an AHG TTT server before or on September 27th, 2021

Minecraft Vulnerability
  • On October 2nd, I was notified of a data leakage that was logging the IP addresses of every connecting Minecraft player to a third-party Discord.
  • The source of this issue was a Minecraft plugin that logged server console information to Discord channels. When we received the Minecraft plugins and configs from the original host, Temar and I were unaware that this logging would be included.
  • The leak was fixed within an hour of it being reported on the forums and a third director verified that the logs had been deleted.
  • The only two people that had access to these logs before they were deleted are Nathan776 and Jabba/Ethan.
  • We are informing the community about this in compliance with GDPR. We believe that the purpose of the logging was legitimate and proper while Nathan ran the server, but both parties seemed to be unaware that the logging would continue when the server content was transferred to AHG's own Minecraft server.
Users Potentially Affected: Anyone who's ever connected to the AHG Minecraft server since August 8th, 2021

On behalf of AHG, I apologize for these incidents. We take our users' privacy very seriously, and we will be implementing new development protocols to prevent these incidents from happening again.

If you have any questions, please feel free to post them here or DM me via Discord.
~Pierogi
 

8BitF0x

Active Member
Legacy
i can't believe you leaked my ip.
 

Victoria

Your local trans queen
Legacy
What are the chances of someone maliciously exploiting the leaked information?
 

Lunar

8:00 PM
VIP
Legacy
if US vanilla was still up this wouldn't have happened smh
yeah bro where's fucking VANILLA HELLO UNITED STATES VANILLA EU IS FUCKING DEAD ALWAYS AND THAT ISNT GETTING TAKEN DOWN BUT NAH LETS JUST REMOVE SOMETHING THAT EVERYONE LIKES
good server
 

Carnage

New Member
What are the chances of someone maliciously exploiting the leaked information?
for the minecraft server? unlikely. it was just a mistake of a plugin they had was set to log console stuff to a discord channel. They probably didnt check the configs they were given and used an old setup. Apparently only nathan/jabba saw it, although who knows.

The TTT bug is unlikely to be exploited either. No details on it was given but it may have been a weird bug that was just there and quickly fixed. Although the user who reported it probably have seen a few users IP before reporting.
 

Dark Pierogi

Special Properations
Director
Developer
Prestigious
VIP
Legacy
for the minecraft server? unlikely. it was just a mistake of a plugin they had was set to log console stuff to a discord channel. They probably didnt check the configs they were given and used an old setup. Apparently only nathan/jabba saw it, although who knows.

The TTT bug is unlikely to be exploited either. No details on it was given but it may have been a weird bug that was just there and quickly fixed. Although the user who reported it probably have seen a few users IP before reporting.
Yup, this sums it up pretty well.
 

Carnage

New Member
i dont understand this. someone explain it in first grade language
Minecraft server had a plugin that sent Console messages to a discord channel. This meant IP addresses were seen in that channel.

AHG had a bug (in the code used to make it) where IP's were exposed upon leaving and joining. This was patched tho and from what i understand its likely only 1 user knew it and reported it quickly.
 

TheExaltedPrime

Member
Legacy
So you're telling me, with a straight face, that my personal information was leaked, and now I am at risk. I connected to the Minecraft server, under my own personal account to see the progress. I intended to play on the server and make amends with those who I seek to make amends. (This statement is now redacted because I was playing on a server where people from SGM and AHG were present, I wasn't aware that it wasn't AHG Minecraft server, just a random server people were chilling on)

Now reading the shenanigan and how leadership responded to the thread with this:

0fb15fdb763418ebd80db4af8a375f5d.png


So our information and wellbeing was going to be kept a "high secret" until you can figure things out? How do I know if Jabba will use my IP and leak it? How do I know if he kept the IP logs hidden and now I have to trust that he didn't. He is also banned off the website and everything else. What is keeping him from causing more harm to the community.

I highly recommend that users flush their IP and get new external IPS and/or use VPNs from now on. I slacked for a week and now my personal IP was seen by other people who didn't need it.
 
Last edited:

Dark Pierogi

Special Properations
Director
Developer
Prestigious
VIP
Legacy
So you're telling me, with a straight face, that my personal information was leaked, and now I am at risk. I connected to the Minecraft server, under my own personal account to see the progress. I intended to play on the server and make amends with those who I seek to make amends.

Now reading the shenanigan and how leadership responded to the thread with this:

0fb15fdb763418ebd80db4af8a375f5d.png


So our information and wellbeing was going to be kept a "high secret" until you can figure things out? How do I know if Jabba will use my IP and leak it? How do I know if he kept the IP logs hidden and now I have to trust that he didn't. He is also banned off the website and everything else. What is keeping him from causing more harm to the community.

I highly recommend that users flush their IP and get new external IPS and/or use VPNs from now on. I slacked for a week and now my personal IP was seen by other people who didn't need it.
I don't see how you could have connected to the Minecraft server since August. I don't see you in the connection logs, and the IP was staff-only information. Could you elaborate on what you posted?

Also, Jabba signed an NDA that included not using any IP addresses. He'd have your IP if you ever connected to any of our servers anyways.
 
Top