Minecraft server host Shockbyte puts players at risk

Shockbyte, one of Minecraft’s largest server hosting providers, left a misconfiguration on its systems exposing it to threat actors that could potentially have manipulated Minecraft server code.

  • Shockbyte is an Australian game hosting provider hosting many popular games, including Minecraft, Counter-Strike, and others.
  • The company leaked sensitive data through a publicly accessible git configuration file.
  • The git configuration file could’ve allowed malicious actors to access Shockbyte’s source code, putting their internal systems and clients at risk.
  • Cybernews contacted Shockbyte, and the issue was fixed.

The Cybernews research team discovered that Shockbyte, a renowned name in Minecraft server hosting, had a publicly accessible git configuration file hosted on its website and was at risk of leaking its source code.

Shockbyte is widely recognized for its game-hosting services. While Minecraft remains the company's primary focus, Shockbyte also hosts third-party servers for other popular games such as Counter-Strike: Global Offensive, Assetto Corsa, and Left 4 Dead. Founded in 2013, the company claims to have a customer base of 500,000 users and annual revenues reaching $10 million.

Image: git configuration file (Image by Cybernews)

By exploiting the leaked configuration file, malicious actors could’ve manipulated the company’s website and moved laterally to the game servers hosted by Shockbyte.

Consequently, they could’ve also manipulated code running on the Minecraft servers, affecting not only players who directly interact with the service but also unsuspecting individuals who have never engaged with it.

Potential access to source code

The leaked configuration file included the git repository URL address and token used to access a GitHub repository. While the leaked token had a limited lifespan and was already expired, the gravity of the leaked information is high.

The leaked URL and token could potentially enable threat actors to detect when the website undergoes updates, the moment at which the deployment pipeline generates fresh, valid tokens for the duration of the update process.

Consequently, attackers can seize the opportunity to download the website's source code and analyze it for hardcoded credentials and vulnerabilities, thus arming themselves with potential exploits to launch targeted attacks against the compromised system.

By further exploiting the website, attackers could also modify the code to skim payment information or install malicious software onto both customer devices and the servers hosted by the service.

Leaked data:

  • The location of the website’s private source code repository and its credentials (a CI job token).
  • Git index file.

Among the leaked sensitive information, researchers also stumbled upon a git index file. The index file houses a compilation of file and folder names stored within the repository.

This compilation reveals valuable information such as dependencies, libraries, and their respective versions, which can be exploited for potential attacks.

By decoding the index file, attackers can attain partial access to the source code without directly engaging with the repository itself.

The company’s response

Cybernews contacted Shockbyte regarding the issue, and it was fixed. The company admitted it had “mistakenly deployed .git directories” and claimed that measures have been taken to address the issue and prevent the deployment of these directories in the future.

According to the company, they patched the issue prior to the notice. However, some old files continued to be publicly accessible.

“Although the directories are still publicly accessible on the web server, any included tokens are expired,” wrote Shockbyte. “It has been deemed that no sensitive information is contained in the files.”

Following the publication of Cybernews’ findings, the company publicly disputed some of the findings. Since we can assure the accuracy of our research and the article itself, we chose not to amend the article. However, with journalism’s principles at our heart, we are sharing the following statement by Shockbyte.

In correspondence with Cybernews, the company once again acknowledged the presence of the files but denied that they posed a security risk. It claimed that the tokens were expired, read-only, and not accessible via any Shockbyte domain.

“The token in question was used by an automatic deployment pipeline which temporarily creates the read-only token to deploy code changes, then immediately invalidates the token upon completion. This means the read-only token was only valid for a matter of seconds,” claimed the company.

The company also asserts that the web server in question does not communicate with Shockbyte’s billing system or game servers, and therefore poses no risk to customers’ services or data.

Staying safe

To mitigate the risks of cyberattacks, companies should:

  • Always secure the configuration and index files by making them inaccessible to the public.
  • Ensure that all accounts with repository access have two-factor authentication (2FA) enabled.
  • Use accounts exclusively in secure environments to prevent session cookie hijacking.
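As an added example (not Shockbyte’s or Cybernews’ code), the Python script below is a pre-deploy check that enforces the first recommendation above and shows what the two leaked files discussed earlier actually disclose. It walks a deployed web root for `.git` directories, reads `.git/config` for remote URLs that embed a credential (the form a CI job token takes in a clone URL, reported with the secret redacted), and decodes the binary `.git/index` to list every tracked path, which is the partial view of the source code the index gives away. The web root, config, repository URL and token are constructed placeholders created in a temporary directory; nothing is fetched from the network.

```python
"""Pre-deploy scan for exposed .git artifacts in a web root (added example).

Builds a constructed web root in a temp dir (fake config, fake index, fake
token) and reports what .git/config and .git/index would reveal.
"""
import hashlib
import os
import re
import struct
import tempfile
from urllib.parse import urlsplit

# Constructed sample config. The URL is the shape GitLab CI uses to clone with
# a job token; the token value is a placeholder, not a real or leaked secret.
SAMPLE_CONFIG = (
    "[core]\n"
    "\trepositoryformatversion = 0\n"
    "\tfilemode = true\n"
    '[remote "origin"]\n'
    "\turl = https://gitlab-ci-token:EXAMPLE_EXPIRED_TOKEN@gitlab.example.com/shop/website.git\n"
    "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
)

URL_LINE = re.compile(r"^\s*url\s*=\s*(\S+)\s*$", re.MULTILINE)


def credentialed_remotes(config_text):
    """Remote URLs in a .git/config that carry user:secret, secret redacted."""
    found = []
    for url in URL_LINE.findall(config_text):
        parts = urlsplit(url)
        if not (parts.username or parts.password):
            continue
        host = parts.hostname or ""
        if parts.port:
            host += f":{parts.port}"
        found.append(parts._replace(netloc=f"{parts.username}:***@{host}").geturl())
    return found


def parse_index(data):
    """Decode a version 2/3 git index and return the tracked paths.

    Layout: 12-byte header; per entry 40 bytes of stat data, a 20-byte object
    id, 2 flag bytes (low 12 bits = name length), the NUL-terminated name and
    NUL padding to an 8-byte boundary; the file ends with a SHA-1 of the rest.
    """
    sig, version, count = struct.unpack(">4sII", data[:12])
    if sig != b"DIRC" or version not in (2, 3):
        raise ValueError("not a version 2/3 git index")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch")
    paths, pos = [], 12
    for _ in range(count):
        (flags,) = struct.unpack(">H", data[pos + 60:pos + 62])
        name_start = pos + 62
        if version == 3 and flags & 0x4000:  # extended flags word present
            name_start += 2
        name_len = flags & 0xFFF
        if name_len < 0xFFF:
            name = data[name_start:name_start + name_len]
        else:  # long name: length field saturated, scan for the NUL instead
            name = data[name_start:data.index(b"\x00", name_start)]
        paths.append(name.decode("utf-8", "surrogateescape"))
        pos += (name_start - pos + len(name) + 1 + 7) // 8 * 8
    return paths


def build_index(paths):
    """Fabricate a minimal version 2 index (zeroed stat data, fake object ids)
    purely to produce constructed test input."""
    body = bytearray(struct.pack(">4sII", b"DIRC", 2, len(paths)))
    for path in sorted(paths):
        name = path.encode()
        entry = bytearray(struct.pack(">10I", 0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0))
        entry += hashlib.sha1(b"fake blob " + name).digest()
        entry += struct.pack(">H", min(len(name), 0xFFF)) + name
        entry += b"\x00" * ((len(entry) + 1 + 7) // 8 * 8 - len(entry))
        body += entry
    body += hashlib.sha1(body).digest()
    return bytes(body)


def scan_web_root(root):
    """Report every .git directory under root with what its config and index
    disclose. A non-empty result should fail the deployment."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" not in dirnames:
            continue
        dirnames.remove(".git")  # do not descend into the repository itself
        git_dir = os.path.join(dirpath, ".git")
        report = {"git_dir": git_dir, "leaked_remotes": [], "tracked_paths": []}
        cfg, idx = os.path.join(git_dir, "config"), os.path.join(git_dir, "index")
        if os.path.isfile(cfg):
            with open(cfg, encoding="utf-8") as f:
                report["leaked_remotes"] = credentialed_remotes(f.read())
        if os.path.isfile(idx):
            with open(idx, "rb") as f:
                report["tracked_paths"] = parse_index(f.read())
        findings.append(report)
    return findings


def demo():
    """Create the constructed web root (placeholder paths) and scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    git_dir = os.path.join(root, "public_html", ".git")
    os.makedirs(git_dir)
    with open(os.path.join(git_dir, "config"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_CONFIG)
    with open(os.path.join(git_dir, "index"), "wb") as f:
        f.write(build_index(["index.php", "config/database.php", "vendor/autoload.php"]))
    return scan_web_root(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["git_dir"])
        print("  remotes with embedded credentials:", finding["leaked_remotes"])
        print("  tracked paths:", finding["tracked_paths"])
```

Run against a real build artifact directory instead of the constructed tree by calling `scan_web_root("/path/to/webroot")` from a CI step and failing the job when the list is non-empty; that catches a deployed `.git` directory before a web server ever serves it, independent of whether the web server also blocks dot-directories.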