[MC-78491] Custom player heads exposing player's IP address - Jira

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Resolution: Fixed
Affects Version/s: Minecraft 1.8.3
Fix Version/s: Minecraft 1.8.4
Labels:
None

Confirmation Status:
Unconfirmed

Description

An adventure-map maker and anyone who can use /give can obtain the IP addresses of all logged-in players. This is done by giving them player heads where the attacker's site is substituted for minecraft.net in the skin URL, which causes the game to make a traceable HTTP request to download the skin.

The only fix I can see for this is to give players an option to download or not download skins from non-Mojang sources. Unless and until a player opted in, they'd see the custom heads as Steve or Alex heads.

Attachments

Issue Links

relates to

MC-79152 Security vulnerablities involving skulls

Resolved

Activity

People

Assignee:: Unassigned

Reporter:: Chris

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 09/Mar/15 5:10 AM

Updated:: 20/Apr/15 3:25 AM

Resolved:: 17/Apr/15 7:52 PM

CHK:: 19/Mar/15 2:48 PM