README Based on https://gist.github.com/ajvpot/3115176 and https://github.com/nerdsinspace/leaky-leaky
Severity: Low
Discovery Date: 23 March, 2018
Public Disclosure: 28 July, 2018
This vulnerability affected all servers running AuthMeBridge.
An attacker could log into any account on any server running AuthMeBridge without entering a password. For normal players this could mean item loss; if the targeted account had administrative powers, the attacker could compromise the server itself and cause significant damage.
This vulnerability is caused by incorrect use of the BungeeCord plugin messaging channel. This feature is used to communicate between the proxy and the Spigot subservers and allows data to be sent and received on a named channel. The "BungeeCord" channel is special: the proxy drops any data on it that does not originate from the proxy itself or from a subserver, so players cannot inject into it. Players can, however, send data on every other channel, and the proxy forwards it to the subserver unchanged. AuthMeBridge uses the channel "BAuthMeBrdige" to send packets from the proxy to the Spigot server to force a session login, which means any player can send the same data on that channel and get the same effect, with no check whatsoever.
To reproduce this, an attacker needs to send a Plugin Message (custom payload) packet carrying the same channel name and the same data as the plugin's own messages. This can be done with a Forge mod or by editing the vanilla client with the Mod Coder Pack.
The response did not come from the AuthMeBridge developers but from AuthMe's own dev team: compatibility with AuthMeBridge was dropped, and server owners were advised to switch to AuthMeBungee, an official resource maintained by them that is not vulnerable to this technique.
This particular exploit is now well known, but there are probably other plugins that shared (or still share) the same problem: any Spigot plugin that performs a privileged action when it receives a message on a custom plugin channel, without verifying that the message really came from the proxy, is open to the same attack.
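To make the pattern described above concrete, here is an added example (not AuthMeBridge's code, and not from the AuthMe project) of a Spigot plugin with the vulnerable listener beside a hardened one. The channel name "ExampleBridge", the subchannel name, the wire format of the login message (a single writeUTF player name) and the forceLogin placeholder are all assumptions made for illustration; AuthMeBridge's real message format is not given in this advisory. The hardened variant relies only on what the text states: the proxy drops client-sent data on the "BungeeCord" channel, so a message that arrives there via the Forward subchannel must have been composed by a proxy-side plugin.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

import org.bukkit.entity.Player;
import org.bukkit.plugin.java.JavaPlugin;
import org.bukkit.plugin.messaging.PluginMessageListener;

public final class BridgeLoginExample extends JavaPlugin {

    // Hypothetical names chosen for this example; pre-1.13 channel naming (no namespace).
    private static final String CUSTOM_CHANNEL = "ExampleBridge";
    private static final String FORWARD_SUBCHANNEL = "ExampleBridge";
    private static final String BUNGEE_CHANNEL = "BungeeCord"; // "bungeecord:main" on 1.13+

    @Override
    public void onEnable() {
        // VULNERABLE: any client can send a Plugin Message packet on "ExampleBridge".
        // The proxy forwards client messages on every channel except "BungeeCord", and
        // the listener receives them exactly as it receives the proxy's own messages.
        getServer().getMessenger().registerIncomingPluginChannel(this, CUSTOM_CHANNEL, new VulnerableListener());

        // HARDENED: listen on "BungeeCord" and accept only our own Forward subchannel.
        // Clients cannot inject into "BungeeCord", so whatever arrives here came from the proxy.
        getServer().getMessenger().registerIncomingPluginChannel(this, BUNGEE_CHANNEL, new ForwardListener());
    }

    // Placeholder for the privileged action (e.g. a forced session login via an auth plugin API).
    private void forceLogin(Player target) {
        getLogger().info("forcing login for " + target.getName());
    }

    // Assumed message body: one writeUTF() player name.
    private void handleLoginMessage(byte[] body) throws IOException {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(body))) {
            Player target = getServer().getPlayerExact(in.readUTF());
            if (target != null) forceLogin(target);
        }
    }

    final class VulnerableListener implements PluginMessageListener {
        @Override
        public void onPluginMessageReceived(String channel, Player player, byte[] message) {
            if (!channel.equals(CUSTOM_CHANNEL)) return;
            // 'player' is only the connection the bytes rode on; it is the same whether the
            // proxy or the client built the packet, so there is nothing here to verify origin.
            try {
                handleLoginMessage(message);
            } catch (IOException ignored) {
                // malformed message, drop it
            }
        }
    }

    final class ForwardListener implements PluginMessageListener {
        @Override
        public void onPluginMessageReceived(String channel, Player player, byte[] message) {
            if (!channel.equals(BUNGEE_CHANNEL)) return;
            try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(message))) {
                // Forward messages arrive as: writeUTF(subchannel), writeShort(len), len bytes.
                String subchannel = in.readUTF();
                if (!subchannel.equals(FORWARD_SUBCHANNEL)) return; // IP, GetServer, etc.: not ours
                byte[] body = new byte[in.readShort()];
                in.readFully(body);
                handleLoginMessage(body);
            } catch (IOException ignored) {
                // malformed message, drop it
            }
        }
    }

    // Proxy-side helper (assumed; build this in a BungeeCord plugin and pass the result to
    // player.getServer().sendData("BungeeCord", bytes)). Forward layout: "Forward", target
    // server name or "ALL", our subchannel, then a short-prefixed body.
    static byte[] buildForwardLogin(String targetServer, String playerName) throws IOException {
        ByteArrayOutputStream bodyBytes = new ByteArrayOutputStream();
        try (DataOutputStream body = new DataOutputStream(bodyBytes)) {
            body.writeUTF(playerName);
        }
        ByteArrayOutputStream outBytes = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(outBytes)) {
            out.writeUTF("Forward");
            out.writeUTF(targetServer);
            out.writeUTF(FORWARD_SUBCHANNEL);
            out.writeShort(bodyBytes.size());
            out.write(bodyBytes.toByteArray());
        }
        return outBytes.toByteArray();
    }
}
```

Two caveats apply to the hardened form. It is only as good as the proxy's filter, so the backend Spigot server must not be reachable except through the proxy (a client connecting to the backend directly can send on "BungeeCord" itself); and a subchannel name alone is not authentication, it merely guarantees the message passed through a proxy-side plugin, so if the proxy host is not fully trusted, add a shared secret or MAC to the body instead of relying on channel filtering.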