Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Craig Hale

Minecraft server hosting giant Shockbyte confirms there was no cause for concern following Git leak

best crossplay games: Minecraft character stand on top of a cave that creepers spill out of

A Git config and index file from one of the biggest Minecraft server hosting providers has been found online, and some users are understandably concerned, but the company behind the headlines assures us that everything is secure.

Australian company Shockbyte, which amasses annual revenues of as much as $10 million, provides hosting for a range of popular games, including Minecraft, Counter-Strike, and Assetto Corsa.

The news broke when the Cybernews research team brought it to our attention that Shockbyte had apparently "leaked access to its website source code, risking threat actors potentially manipulating code that runs on the Minecraft servers," however a deeper look into these claims confirm that this was not the case.

Minecraft server provider leaked source code

Cybernews says that attackers exploiting the vulnerability could not only have manipulated the company’s website, but also moved laterally to the game servers hosted by Shockbyte, thus manipulating code running on the Minecraft servers and affecting gamers directly.

Other Cybernews concerns are that attackers could modify the code to skim payment information or to install malware.

At the core of it, TechRadar Pro has confirmed that the source code has not been leaked and as such the website and associated gamers are not at risk. Payment skimming, code manipulation, and unauthorized access to the website have all been ruled out.

Shockbyte told Cybernews that measures had been taken to address what it admits to as having “mistakenly deployed .git directories.”

Cybernews said: “Considering the rapid growth of the gaming industry and the increasing reliance on server hosting providers, the security and privacy of users should be a top priority for companies operating in this space.”

The company confirmed in an email to TechRadar Pro:

  • "On June 22, 2023, Cybernews published an article regarding a Shockbyte web server that contained a public git config and index file.
  • Although these files were publicly accessible, there was no security risk posed to any party.
  • The config file contained an already expired, read-only access token to a git repository. As the token was not valid, it was impossible to exploit.
  • Cybernews originally reported this to Shockbyte on 15th May 2023, however, Shockbyte had already investigated the files and verified that the token posed no risk prior to this date.
  • The token in question was used by an automatic deployment pipeline which temporarily creates the read-only token to deploy code changes, then immediately invalidates the token upon completion. This means the read-only token was only valid for a matter of seconds.
  • In the article, Cybernews falsely alleges several risks this may have posed.
  • The web server in question does not communicate with Shockbyte’s billing system or game servers. Therefore, it still would have posed no risk to customers’ services or data even if the token was valid, and even if it was a fully-privileged token (it was not - it was read-only, and already expired)."

Shockbyte has since responded to Cybernews's allegations in a separate blog post.

While the accusations have been proven false, good Internet safety discipline is still vita. The advice to use strong passwords and two-factor authentication (2FA) still stands regardless of active risk statuses.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.