Uploaded image for project: 'Minecraft: Java Edition'
  1. Minecraft: Java Edition
  2. MC-78491

Custom player heads exposing player's IP address

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Resolution: Fixed
    • Affects Version/s: Minecraft 1.8.3
    • Fix Version/s: Minecraft 1.8.4
    • Labels:
      None
    • Confirmation Status:
      Unconfirmed

      Description

      An adventure-map maker and anyone who can use /give can obtain the IP addresses of all logged-in players. This is done by giving them player heads where the attacker's site is substituted for minecraft.net in the skin URL, which causes the game to make a traceable HTTP request to download the skin.

      The only fix I can see for this is to give players an option to download or not download skins from non-Mojang sources. Unless and until a player opted in, they'd see the custom heads as Steve or Alex heads.

        Attachments

          Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MC-79152 Security vulnerablities involving skulls

          • Resolved

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              Promethean Chris
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                CHK: