2026 Cross-Site Scripting Attack

From MinecraftOnline
Jump to navigation Jump to search

On 12 April 2026, getplayerhead.sh?Darkphix&16.png Darkphix performed a Cross-Site Scripting attack on this Wiki. It was vulnerable due to using a highly outdated version of MediaWiki. This was exacerbated by failing to protect frequently-included templates. He inserted code into these templates. This code stole user credentials and tried to backdoor the server itself. The admins responded by blocking the attacker, reverting his changes, updating the Wiki software and protecting key templates. If you used the wiki before 22 April 2026, it is highly recommended that you change your password and that of any site that you used the same password for. Always use a strong, randomly generated password. Never use the same password on multiple sites.

The attack was enabled by the server using an outdated version and failing to protect key pages. At the time, the Wiki used MediaWiki 1.35.13. Unfortunately, this version hadn't been supported since 21 December 2023, leaving the Wiki vulnerable to unpatched vulnerabilities. The admins had planned to update to the 1.43 series, which is supported until December 2027. However, the update had failed. Most pages on the Wiki use one or another template. In particular, the Infobox template and the User template are used very commonly; edits to these templates will impact many pages. Despite this, they weren't protected. Any registered player could edit these templates.

This is exactly what getplayerhead.sh?Darkphix&16.png Darkphix did. On 12 April 2026, he maliciously edited these templates to include cross-site scripts and exploit unpatched vulnerabilities in the Wiki software. These scripts had two goals. The first was to steal the IP address, username and password of users browsing the wiki. The other goal was to compromise the server itself by running shell scripts from admins' Wiki accounts.

The admins discovered the attack on 20 April. They immediately banned getplayerhead.sh?Darkphix&16.png Darkphix and reverted his edits. They took the Wiki down while they and getplayerhead.sh?Bartek_kx&16.png Bartek_kx investigated the attack. The credential-sniffing attack likely worked. While the login page was protected, the infected templates code that made the user's browser send the user's credentials to him. The other payload - the backdoor - doesn't seem to have been triggered. When putting the Wiki back up on 22 April, they made the 70-odd players who'd used the Wiki recently reset their passwords. Other users were advised to also do so. To patch the underlying vulnerabilities, have updated the Wiki to MediaWiki 1.43 and have promised to keep it up to date going forwards. Template pages are now also protected so that only admins may edit them.

See Also

References

  • getplayerhead.sh?BlueBlaziken&16.png BlueBlaziken and getplayerhead.sh?Anna_28&16.png Anna_28, 15 April 2026, discussion of Wiki version, Wiki channel on MinecraftOnline.com discord, [1].
  • MediaWiki wiki contributors, 2026, 'MediaWiki 1.35', [2].
  • MinecraftOnline admins, 20-21 April 2026, official announcements regarding the attack, MinecraftOnline.com discord, [3].