- Type: Bug
- Resolution: Fixed
- Affects Version/s: Minecraft 1.10.2, Minecraft 16w33a
- Fix Version/s: None
- Environment: Gentoo Linux, OpenJDK 1.8.0_101, x86_64 Linux
- Confirmation Status: Unconfirmed
Note: This affects every Minecraft version >= 1.10; however, part of it (not informing the user about sending UUID information) has been fixed in 16w35a.
Since Minecraft 1.10.0, the information that the Snooper sends from the game to http://snoop.minecraft.net includes a field called "uuid". The code which generates it can be found in the class called by Main, commonly called "Minecraft", by looking for the string "uuid" with quotes.
Another way to check it is to use SHA1 to hash your UUID, with separators, as a string, and compare it to the "uuid" string shown in the Snooper Options.
As you can see, the field's value is a SHA1 hash of the player's UUID. The hash is not salted in any way, which means that an entity which has access to both the snooper data and a list of all UUIDs can create a list of SHA1->UUID mappings, and - due to the very low probability of hash collisions in normal conditions - effectively be able to map said SHA1 hash to the player UUID and de-anonymize the information contained in the snooper data.
This isn't really a vulnerability in the practical sense, perhaps a theoretical one, as prior knowledge of the UUID is still necessary to de-anonymize a packet - and the pool of potential UUIDs is far too large to efficiently compare them, unless you have a list of actually existing UUIDs (which is far smaller). However, the Snooper communications happen over unencrypted HTTP, which means that snooping on the Snooper is possible and a third party knowing your UUID (which is, indeed, unlikely) can become aware of additional details about the machine you're playing from.
One important step to take would be to prevent snooping on the Snooper data by third parties by using HTTPS (or, at the very least, prevent proxying the snooper domain by using some kind of verification).
I believe that the token usage should also be reconsidered, and ways of counting players to a reasonable degree of certainty which do not involve breaching their privacy (salting with the MAC address? It's possible in Java) considered.
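The following is an added illustration, not code from the report or from the game: it reproduces the unsalted SHA-1 field described above, shows how a holder of a list of existing UUIDs reverses it with one hash per entry, and contrasts it with a random per-installation token that still counts distinct installs but cannot be joined to any UUID list. The lowercase-hex encoding, the player UUIDs and the captured records are constructed assumptions of this example.

```python
import hashlib
import secrets
import uuid

# Constructed sample data: three players whose UUIDs the observer already knows.
KNOWN_UUIDS = [str(uuid.uuid5(uuid.NAMESPACE_DNS, f"player{i}.example")) for i in range(3)]


def snooper_uuid_field(player_uuid: str) -> str:
    """Reproduce the report's "uuid" field: unsalted SHA-1 over the UUID string
    including its dashes. Lowercase hex output is an assumption of this example;
    this is also the check the report suggests against the Snooper Options value."""
    return hashlib.sha1(player_uuid.encode("utf-8")).hexdigest()


def build_reverse_table(known_uuids):
    """Unsalted hash + enumerable input: one SHA-1 per known UUID reverses the field."""
    return {snooper_uuid_field(u): u for u in known_uuids}


def deanonymize(records, table):
    """Join snooper records (readable on the wire, since the report notes plain HTTP)
    against the table. Returns a list of (record, uuid_or_None)."""
    return [(rec, table.get(rec.get("uuid"))) for rec in records]


def random_install_token() -> str:
    """Alternative (not the game's code): a random per-installation token still
    lets the collector count distinct installs, but has nothing to look up."""
    return secrets.token_hex(20)


def demo():
    table = build_reverse_table(KNOWN_UUIDS)
    # Constructed snooper payloads: a known player, an unknown player, a random token.
    records = [
        {"uuid": snooper_uuid_field(KNOWN_UUIDS[1]), "os_name": "Linux"},
        {"uuid": snooper_uuid_field(str(uuid.uuid4())), "os_name": "Linux"},
        {"uuid": random_install_token(), "os_name": "Linux"},
    ]
    return deanonymize(records, table)


if __name__ == "__main__":
    for rec, who in demo():
        print(rec["uuid"][:12], "->", who or "not in list")
```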