The New Eden website and forums are now in an archived state. Our community is now only on Discord.
The New Eden website and forums are now in an archived state. Our community is now only on Discord.
For some time now a bug existed in the New Eden server setup, which lay there silently until it was discovered and exploited a few weeks ago.
The people who exploited the bug were able to gain high level access to in-game features and as a result were able to use WorldEdit to cause destruction on a massive scale. The areas that were effected are:
Essentially when you connect to New Eden at play.neweden.co you first hit what we call the Proxy Layer, this is where among many other things your Session ID is checked with Mojang to make sure that you are who you say you are. It prevents someone just logging in and tricking the server into thinking they are someone else.
The Proxy Layer then connects you to what we call the Server Layer, that being the actual Minecraft server that hosts the world that you see and interact with. So when you switch from say the Hub to Survival you're still connected to the same Proxy but the actual server you're on changes.
The bug that existed allowed those individuals to completely bypass the Proxy Layer and connect directly to the Server Layer, meaning that they were able to bypass the checks that happen with Mojang, and so pretend to be someone who they aren't. In this case they tricked the Server Layer into thinking that they were me, and so gaining access to high level commands and in this case unrestricted use of WorldEdit.
After investigating this there is no evidence that this bug was exploited in the past, and it was only possible to exploit under specific conditions by individuals who knew how to exploit it.
The first thing that was done was to secure our setup to make sure this bug was patched, luckily it wasn't particularly complected to fix and so was done not long after the initial investigation.
Next there was the process of undoing any damage done, and unfortunately it wasn't very straightforward.
Any time you perform an action on Survival or Creative, such as place or break a block this is logged. So for every block placed or broken we have a record of it in a large database. This is what allows the Community Team to fix any minor griefing.
Unfortunately another bug existed which meant that WorldEdit wasn't being logged. This was mitigated by the fact that in Survival it's not possible for anyone other than Admins to make changes using WorldEdit, and in Creative WorldEdit is restricted to individual Plots, so only those who have access to a Plot can use WorldEdit in it. This meant that until now this particular issue hadn't been a problem.
On top of that the automated backup processes that are supposed to make full backups of our worlds on a regular basis weren't functioning properly.
The good news is all of the above issues and bugs have now been fixed, this is partly why there hasn't been much detailed communication around this until now.
The less good news is that while most of the damage was undone, due to a combination of the issues mentioned above, it wasn't possible to fully undo all of the damage caused.
Because of this you may notice some of the following issues:
Thankfully many people have pulled together to help rebuild areas that have been effected. @Shadow_Chan_YT along with @TrueCircuit and @Westuari have built a new spawn for Creative that looks amazing, please do check it out and give them a cookie! There have also been efforts to help fix some Creative Plots that couldn't be totally restored and I'm grateful for those who have offered to help with this.
If you're interested in helping I'm also looking for people to help build new continent and island spawn points, so please do reach out if you're interested.
While I do apologies for the inconvenience caused over this period I want to reassure everyone that we have taken every measure possible to ensure that something like this does not happen again in the future. In the highly unlikely event that something like this does we are now more prepared than ever to deal with this smoothly and without any long term damage.
Lastly I wanted to note that in the future I will be looking more closely at how we can put more changes and processes in place so that in the highly unlikely event something like this does come up any attempts to exploit it will have as minimal an impact as possible. Should any more changes happen as a result of this I'll be sure to keep you all updated.
As always if you have any questions or concerns please do not hesitate to reach out.
Thank you
-Aaron