On June 22, 2023, Cybernews published an article regarding a Shockbyte web server that contained a public git config and index file.
The article in question alleges many potential security risks which are false and unverified.
Although these files were publicly accessible, there was no security risk posed to any party as the files did not contain any valid tokens or sensitive information.
The Cybernews article was later followed up by several articles from various publications and syndicates.
Cybernews did not verify the claims in their articles. Unfortunately, this seems to be an example where a true situation was embellished with falsehoods to make a story.
The theoretical security risks in the article are pure speculation about risks that do not actually exist.
These risks do not exist, because the token was not valid and the repository in question is not linked to our billing system or game servers. Furthermore, the source code in question is a local version of an already publicly available software (and source code) - the Multicraft frontend panel.
Shockbyte remains available to their team to answer any questions, should they wish to research the situation.
The Facts
We want to be clear and transparent - our developers did make a mistake in publishing the git config and index files. However, this did not put customers or Shockbyte at any risk.
- The config file contained an already expired, read-only access token to a git repository. As the token was not valid, it was impossible to exploit.
- Cybernews originally reported this to Shockbyte on 15th May 2023, however Shockbyte had already investigated the files and verified that the token posed no risk prior to this date.
- The token in question was used by an automatic deployment pipeline which temporarily creates the read-only token to deploy code changes, then immediately invalidates the token upon completion. This means the read-only token was only valid for a matter of seconds.
- The repository in question was for a local version of the Multicraft source code. Multicraft is a public software, and the source code is already available for anybody to download here: https://multicraft.org/download/linux64
- In the article, Cybernews falsely alleges several risks this may have posed.
- The web server in question does not communicate with Shockbyte’s billing system or game servers. Therefore, it still would have posed no risk to customers’ services or data even if the token was valid, and even if it was a fully-privileged token (it was not - it was read-only, and already expired).
This means there was no risk of source code being modified, payment information skimmed, malware, etc, as alleged by these publications.
Shockbyte's Dedication to Security
Shockbyte has surpassed a milestone of 500K customers and has practiced rigorous safety measures for 10-years since it's founding in 2013.
Shockbyte has Development and IT departments that are extremely passionate about security, including the commitment to our customers, our website, our data, and your privacy.
How Shockbyte Keeps Players Safe
Every department in Shockbyte is extremely considerate when handling all forms of customer and player information, whether that be source code, payment details, or a support ticket.
If you wish to report any security concern to Shockbyte, we are eager to hear about it. If you find an issue, please direct all inquiries regarding the problem as well as any and all details available to security@shockbyte.com
Shockbyte is also proud to introduce our Bug Bounty Program: A bug bounty program is a reward-based initiative for individuals or groups who discover and report security vulnerabilities or bugs in software, websites, or digital infrastructure.
The purpose of bug bounty programs is to encourage security researchers, often referred to as "white hat" or ethical hackers, to identify and disclose potential weaknesses that could be exploited by malicious hackers. Currently, participants and reporters can easily get in touch with us via contacting the security team at security@shockbyte.com
