In another prank, a Brazilian hacker managed to make Minecraft playable directly from the website of the Supreme Court. Arthur Carrenho, a researcher and university student at the Centro Universitário Municipal de Franca, exposed a vulnerability in the official site of the Brazilian court by making one of the earliest versions of the Microsoft-owned game available through official links.
Arthur “was just training” when he found the flaw in May 2019. A year later, with the flaw still unfixed, the hacker decided to have some fun with the page by injecting XSS (cross-site scripting), a basic web vulnerability that lets an attacker inject script into a page so that attacker-controlled content runs, and is shown to the visitor, under the site's own domain.
“I found the page and realized that it looked old; I thought about injecting XSS and it worked!” he said in a conversation. “I decided to make a joke due to the current situation and to call attention to [the vulnerability] being corrected,” he adds.
The technique is simple, but it can be used against many users at once. Because the injected content appears at a URL on the trusted domain, the victim can be shown a page visually identical to the expected one and be persuaded to hand sensitive data to the attacker. On the site of an institution such as the Federal Supreme Court, that is an extremely serious condition.
The page injected by Arthur was still live at the time of writing. On it, one can play one of the earliest versions of Minecraft, renamed STF Craft for the occasion.
Arthur’s second “joke”
In June last year, Arthur Carrenho pulled off an even more remarkable feat. The researcher applied the same strategy to the website of Bank of America, the second largest bank holding company in the United States. The XSS injection made the game Doom playable under the institution's own domain, loaded through the injected script rather than hosted by the bank itself.