Image: Microsoft

Bug in Minecraft mods allows hackers to exploit players' devices

Researchers have found a critical security hole in Minecraft mods allowing hackers to run malicious commands on the game’s servers and compromise clients’ devices.

Dubbed BleedingPipe by the Minecraft security community (MMPA), the vulnerability allows full remote code execution on gamers’ devices and servers running popular Minecraft mods — player-made changes to the game that can add new items, features, or gameplay elements.

Minecraft is the best-selling video game in history, with over 238 million copies sold and nearly 140 million monthly active players. The game is now owned by Microsoft.

According to the MMPA, the BleedingPipe bug has already been exploited many times but researchers didn’t specify how many Minecraft players were affected. The flaw impacts many Minecraft mods mostly running on the popular modding platform Forge, which uses unsafe deserialization code.

Deserialization is the process of converting complex data from a serialized format back into its original form, which can be easily stored or transmitted. If not implemented carefully, it can be exploited by attackers and lead to remote code execution.

According to MMPA, any version of Minecraft can be affected by the flaw if an impacted mod is installed. The number of affected Minecraft mods exceeds three dozen.

Researchers first became aware of this Minecraft exploit in March 2022 and quickly patched it. However, earlier this month BleedingPipe was used by hackers to steal players' Discord and Steam session cookies.

In early July, a Minecraft player who goes by Yoyoyopo5 was hosting a public server with Forge mods, and during a live stream an attacker exploited the BleedingPipe vulnerability to gain control and execute code on all connected players' devices. Yoyoyopo5 reported in his post about the incident that the hacker used this access to pilfer information from web browsers, Discord, and Steam sessions.

After the initial reports, researchers discovered that threat actors scanned some Minecraft servers to mass-exploit vulnerable ones, likely deploying a malicious payload onto affected servers.

“We do not know what the contents of the exploit were or if it was used to exploit other clients, although this is very much possible with the exploit,” MMPA said.

To protect players’ devices from BleedingPipe, MMPA recommends downloading the latest release of impacted mods from the official Minecraft channels.

“We recommend that you take this seriously,” researchers said.

The game developer has not yet responded to Recorded Future News' request for comment.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.