Minecraft Mods Can Hack You

Recently a new bleeding pipe vulnerability was published that made millions of Minecraft players vulnerable to being hacked but is this vulnerability anything new and should you be concerned about what Minecraft mods you install now before we get into bleeding pipe I want to talk about Minecraft and vulnerabilities literally

At the start of June this year there was a massive virus called a fracturizer fracturizer started off as several innocent looking malicious mods and plug-ins that were uploaded by the malware Creator on bucket plugins or on curse forge’s Minecraft mod section now this malware was composed of stages and

This is from the beautiful write-up of the fracturizer malware which I’ll have Linked In the description but they have this diagram in Comic Sans with Subway Surfers on the side so if you get bored just take a gander to the right but the malware starts off in stage 1 where you

Download the jar file and you add it to your Minecraft mods in the background it would download another jar file called dl.jar and it would save it to the memory of the computer so that it didn’t get detected by your antivirus that would be stage one now this dl.j our

File would download another jar file it’s an obfuscated jar file called lib webgl64.jar now this malicious jar file would hide in the cutest spot of all time so if you open up your computer right now you press the Windows key and the r key together you get this run

Window and if you put in percent Local app data percent and you press OK it’ll pop up with your local app data now if you look through this local app data folder you might notice that you have a Microsoft Edge wait I have I have two Microsoft Edge folders but the Microsoft

Space edge is actually part of the malware the malware would hide itself inside of this folder and just wait while this is going on stage 2 will also make it where this file will open on Startup and welcome to stage three stage three is client dot jar and this is a

Massive bundle of naughty malware it steals your login info your usernames and your passwords that are saved in your browser it also steals your crypto wallet if you are a crypto nerd if you’re an idiot sorry I messed up the phrasing there the final thing this

Malware would do is that it would scan your whole entire system looking for DOT jar files and it would convert those perfectly fine files into infected jar files and doing this makes it hard for you to get rid of the malware but think about this for a second what if you were

A Minecraft mod developer you accidentally download this malware and now your Minecraft mod contains malware and you upload that malware to curse Forge and this is extremely bad if you are a super popular Minecraft mod maker because now your popular Minecraft mod just became a piece of malware that will

Steal everyone’s usernames and passwords and those passwords can even go to your bank account by the way now fast forward to today PC Gamer released an article saying Minecraft exploit makes it completely dangerous to play with unpatched mods right now and they’re unpatched because a new vulnerability

Came out called bleeding pipe in this blog post is by the mmpa now what is this exploit while bleeding pipe is an exploit being used in the wild allowing full remote code execution on clients and servers running popular Minecraft mods on these versions of Forge and also

Other versions now what full remote code execution means for the people that aren’t on their computer 24 7 is that someone could send code to your Minecraft client telling your Minecraft client to find your usernames and your passwords stored on your computer and send it off to the hacker server it

Turns out the BS alarms are going off this is the common weakness enumeration website number 502 deserialization of untrusted data translation this is a common issue this is not some new vulnerability this has been a thing for a while and how long you might ask well

Uh this thing’s been known for 17 years now I could read through this whole entire article and explain what deserialization means but I need Subway Surfer footage and I need your attention which is impossible in this day and age so we’re looking at photos basically if

You’re on your computer you need to send some information to a website like your first name so you get your first name it gets serialized so it gets turned into ones and zeros It Gets Sent across the interwebs to the website you’re trying to enter your first name into and it

Deserializes it converts the ones and zeros into your first name everything’s all hunky-dory now what’s going on with those Minecraft exploit is that the Minecraft server might be asking for some sort of information let’s just say your Minecraft username well a malicious hacker could instead of sending their

Minecraft username let’s say they send some code that code gets serialized It Gets Sent across the internet then the Minecraft server will de-serialize it and now it has that malicious code now what you’re supposed to do is you’re supposed to look at that code and say I’m expecting a Minecraft username you

Know something simple but instead I got 30 pages of code that’s not what I was asking for and you’re supposed to throw that stuff away but in the case of a whole bunch of Minecraft mods that’s not the case and in fact you’re at serious

Risk and at risk got a whole lot worse this whole blog post I’m talking about actually really made things worse because what you’re supposed to do is that if you stumble across a vulnerability the ethical thing you’re supposed to do is follow the hacker one vulnerability disclosure guidelines but

What these boiled down to is basically if there is an issue you’re supposed to keep it quiet so that people can exploit it and cause problems things were on the down low in fact there was actually a forge Farm post back on July 9th that showed this vulnerability live it was on

A live stream we’re supposed to be on the down low well mmpa said however this post did not go mainstream and most were not aware so of course let’s keep making this blog post and make sure everyone knows that Minecraft can be exploited and there could be a lot of problems in

Fact mmpa even knows this is a bad idea because they say it right here after this series of announcements the vulnerability was promptly patched on a specific part of Minecraft mods but it is still present in most servers with these mods as well as the original

Versions of these mods this is the polar opposite of ethical disclosure thankfully in the background there were people that actually wanted to get this problem solved in an ethical manner I’ll have this Linked In the description it’s a little GitHub page here and it talks about the vulnerability now this GitHub

Post is way more informative than all of this crap because it tells you how to protect yourself the other blog post kinda has it but it’s not really easy to follow and it also tells you some of the affected mods now I should make you aware that this is not a complete

Exhaustive list so if you don’t see your Minecraft mod in this list that doesn’t mean you’re safe so it’s probably a good idea to uh follow these steps here just to show you in contrast the proper way you’re supposed to approach this stuff is literally by reading what the goal

Plan was with these contributors on this GitHub page initially we were trying to investigate the whole issue privately and responsibly but all those plans were foiled since a group named mmp8 decided you know what let’s just publish a blog post and that’s the blog post I’ve been

Looking at about the issue of course they have some critiques about it any missing factors forced to release a statement and attempt to fix the issue immediately with the Band-Aid solution but the main thing I want to point out is that these people they’re literally putting millions of modded Minecraft

Users at risk that was a lot of info and I have even more for you because you still need to be concerned about Minecraft mods especially if you get them sent by someone you know now just so we understand what’s going on we know from the fracturizer incident that

Minecraft mods can contain malware that steal your username and your password your Discord account your crypto wallet these dot jar files can be just a nest of malware and I’ve personally seen a rising number of cases where maybe a friend will DM you on Discord and they’ll tell you to install a Minecraft

Mod maybe it’s one of your homies from high school he’s got that girlfriend Minecraft mod and you just want to get down freaky together so you download the Minecraft mod and you run Minecraft everything’s all hunky-dory well it actually turns out your friend messaged you and they said that they actually got

Their computer hacked and that they didn’t send you that message in fact that message was sent by the hacker you can connect the puzzle pieces together and you realize that you just got hacked and now your Discord account is sending out all those DMS talking about this Minecraft girlfriend mod when you’re

Downloading Minecraft Mods make sure you download them from a trustworthy place like looking at bucket plugins or going on curse Forge and make sure it’s from a reputable developer and also just general advice get a password manager like bit Warden I use it I love it it’s super great what about Minecraft

Anti-cheat tools well this is Echo dot AC and my goodness I have a booger to pick with these guys this is known as a screen share tool it’s just anti-cheap by the way but it is used for Minecraft PVP now antig is a hot topic for example

You might have seen this some ordinary gamers video talking about valorin’s anti-cheat Vanguard and the issue with Vanguard is that it both has privacy concerns and security concerns now my thought process is that if people are making a stink about a big company like Riot games then why the hell would I

Trust a company called Echo dot AC that I you’ve probably never heard of before trying to do something similar now of course what does Echo dot AC do well you uh download a little program it goes on your system and it scans absolutely everything checks if you have a VM your

Connection type what’s your recycling bin last time you cleared it your country your operating system the scan Speed the game version it checks your Minecraft accounts your Minecraft versions your resource packs if you have any recording software oh oh there’s file logs too it’s looking through your local programs your Opera GX

Um why would I allow some random company to scan my computer just so people know I’m not cheating in a Minecraft server I’m giving up a massive chunk of my privacy just to play on a Minecraft server but what about security well uh uh look at this post it’s called Echo no

Get it it’s it’s a pun because the website’s name is Echo but I’ll have this Linked In the description because it’s very nerdy but it’s talking about this massive vulnerability they go through the whole entire bug they do a lot of work quite frankly but what ends

Up happening is that if people use this x-plate they can do one of two things they can do privilege escalation which means they can make any process so possibly malware run at system privileges which is uh not good but the second thing this thing’s gonna blow you away this anti-cheat software in fact

Allowed you to cheat it turns out this exploit in the article has been extensively used for cheating because echo.ac has been actually whitelisted by easy anti-cheat and the reason why they got whitelisted is because back in May 2022 hundreds of Echoes own users these people that use this thing and even paid

For it which shocks me that people would even spend a dime on this thing actually got banned for it my point still stands though why would you put yourself at a potential security risk and a potential privacy Risk by using some sort of Minecraft anti-cheat that’s just stupid I wouldn’t

Use this thing in a million years and this gets my mark of stay far far far far far away if someone tries to get you to install this thing don’t use it anyways bye bye I love you