PT-2022-28252 · Microsoft · Minecraft Bedrock

Published: 2022-01-21 · Updated: 2022-01-21

CVSS v3.1: 4.7 (Medium)

Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: PocketMine-MP versions 3.x
Description: This issue affects Minecraft Bedrock authentication, where the protocol encryption is inseparably linked to the authentication process. Servers directly connected to the internet are vulnerable, but those behind a proxy are not, provided the proxy supports protocol encryption. The problem arises because the verification process only ensures the token was issued by Microsoft, not that the client possesses the corresponding private key. This allows for a login replay attack, where an attacker sends a captured login from another session. The attack can be prevented by enabling encryption, which ensures the client's authenticity. The estimated number of potentially affected devices is not specified. Real-world incidents where this issue was exploited are not mentioned.
Technical details include:
  • The client generates a private ECC key clientPriv for encryption.
  • A JWT containing the public key clientPub is signed by Microsoft servers, and its signature is verifiable with the Mojang root public key mojangPub.
  • The server verifies the token's signature with mojangPub, but this does not ensure the client has clientPriv.
  • The variables clientPub, serverPub, clientPriv, and serverPriv are involved in the encryption process.
  • ECDH is used in the encryption process.
Recommendations: For PocketMine-MP version 3.x, update to version 4.x or apply the fix from commit d28be4eaf24a890f7ef110a51181a3d806a6acca to resolve the issue. As a temporary workaround, consider using a proxy that supports encryption between the server and players, ensuring the server only accepts connections from the proxy. Restrict access to minimize the risk of exploitation.
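
The gap described above, as an added Node.js example that is not PocketMine-MP or Mojang code: a signature check alone accepts a replayed token, while completing the ECDH-keyed encryption step requires clientPriv. The curve, the SHA-256 key derivation, AES-256-GCM, the token layout and all function names are assumptions chosen for illustration, and every key is generated on the spot.

```javascript
// Added illustration: token signature check vs. proof of possession of clientPriv.
const crypto = require("crypto");

const newKey = () => crypto.generateKeyPairSync("ec", { namedCurve: "secp384r1" });
const toSpki = (pub) => pub.export({ type: "spki", format: "der" }).toString("base64");
const fromSpki = (b64) =>
  crypto.createPublicKey({ key: Buffer.from(b64, "base64"), type: "spki", format: "der" });

// Constructed stand-ins for the Mojang root key pair and the victim's session key pair.
const mojang = newKey();
const victim = newKey();

// Stand-in for the JWT: the payload names clientPub, the signature verifies under mojangPub.
function issueToken(clientPub) {
  const payload = JSON.stringify({ clientPub: toSpki(clientPub) });
  const sig = crypto.sign("sha384", Buffer.from(payload), mojang.privateKey);
  return { payload, sig: sig.toString("base64") };
}

// Vulnerable check: shows the token was issued, not that the sender holds clientPriv.
function verifyTokenOnly(token) {
  const sig = Buffer.from(token.sig, "base64");
  return crypto.verify("sha384", Buffer.from(token.payload), mojang.publicKey, sig);
}

// Session key from ECDH plus a per-session salt (hypothetical KDF for this example).
function sessionKey(myPriv, peerPub, salt) {
  const secret = crypto.diffieHellman({ privateKey: myPriv, publicKey: peerPub });
  return crypto.createHash("sha256").update(salt).update(secret).digest();
}

// Hardened login: token check, then the first encrypted packet must decrypt correctly.
function loginWithEncryption(token, senderPriv) {
  if (!verifyTokenOnly(token)) return false;
  const server = newKey(), salt = crypto.randomBytes(16), iv = crypto.randomBytes(12);
  const clientPub = fromSpki(JSON.parse(token.payload).clientPub);
  // Sender side: derives its key from the private key it actually holds.
  const c = crypto.createCipheriv("aes-256-gcm", sessionKey(senderPriv, server.publicKey, salt), iv);
  const ct = Buffer.concat([c.update("handshake"), c.final()]), tag = c.getAuthTag();
  // Server side: derives its key from serverPriv and the clientPub named in the token.
  const d = crypto.createDecipheriv("aes-256-gcm", sessionKey(server.privateKey, clientPub, salt), iv);
  d.setAuthTag(tag);
  try { return Buffer.concat([d.update(ct), d.final()]).toString() === "handshake"; }
  catch { return false; }
}

const captured = issueToken(victim.publicKey); // login token observed from another session
const replayer = newKey();                     // holds the token but not the victim's clientPriv
console.log("signature check only:", verifyTokenOnly(captured));
console.log("replay with encryption:", loginWithEncryption(captured, replayer.privateKey));
console.log("owner with encryption:", loginWithEncryption(captured, victim.privateKey));
```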

Related Identifiers: GHSA-H79X-98R2-G6QC

Affected Products: Minecraft Bedrock