Uploaded image for project: 'Minecraft: Java Edition'
  1. Minecraft: Java Edition
  2. MC-78491

Custom player heads exposing player's IP address

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Resolution: Fixed
    • Affects Version/s: Minecraft 1.8.3
    • Fix Version/s: Minecraft 1.8.4
    • Labels:
      None
    • Confirmation Status:
      Unconfirmed

      Description

      An adventure-map maker and anyone who can use /give can obtain the IP addresses of all logged-in players. This is done by giving them player heads where the attacker's site is substituted for minecraft.net in the skin URL, which causes the game to make a traceable HTTP request to download the skin.

      The only fix I can see for this is to give players an option to download or not download skins from non-Mojang sources. Unless and until a player opted in, they'd see the custom heads as Steve or Alex heads.

        Attachments

          Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MC-79152 Security vulnerablities involving skulls

          • Resolved

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                Promethean Chris
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  CHK: