Details
-
Type:
Bug
-
Status: Resolved
-
Resolution: Fixed
-
Affects Version/s: Minecraft 1.8.3
-
Fix Version/s: Minecraft 1.8.4
-
Labels:None
-
Confirmation Status:Unconfirmed
Description
An adventure-map maker and anyone who can use /give can obtain the IP addresses of all logged-in players. This is done by giving them player heads where the attacker's site is substituted for minecraft.net in the skin URL, which causes the game to make a traceable HTTP request to download the skin.
The only fix I can see for this is to give players an option to download or not download skins from non-Mojang sources. Unless and until a player opted in, they'd see the custom heads as Steve or Alex heads.
Attachments
Issue Links
- relates to
-
MC-79152 Security vulnerablities involving skulls
- Resolved