Uploaded image for project: 'Minecraft: Java Edition'
  1. Minecraft: Java Edition
  2. MC-78491

Custom player heads exposing player's IP address

          Details

          • Type: Bug
          • Status: Resolved
          • Resolution: Fixed
          • Affects Version/s: Minecraft 1.8.3
          • Fix Version/s: Minecraft 1.8.4
          • Labels:
            None
          • Confirmation Status:
            Unconfirmed

            Description

            An adventure-map maker and anyone who can use /give can obtain the IP addresses of all logged-in players. This is done by giving them player heads where the attacker's site is substituted for minecraft.net in the skin URL, which causes the game to make a traceable HTTP request to download the skin.

            The only fix I can see for this is to give players an option to download or not download skins from non-Mojang sources. Unless and until a player opted in, they'd see the custom heads as Steve or Alex heads.

              Attachments

                Issue Links

                relates to

                Bug - A problem which impairs or prevents the functions of the product. MC-79152 Security vulnerablities involving skulls

                • Resolved

                  Activity

                    People

                    • Assignee:
                      Unassigned
                      Reporter:
                      Promethean Chris
                    • Votes:
                      0 Vote for this issue
                      Watchers:
                      3 Start watching this issue

                      Dates

                      • Created:
                        Updated:
                        Resolved:
                        CHK: