NikOverflow/ExploitPreventer

ExploitPreventer

This is a fabric mod that prevents known client-side exploits. It keeps the client safer by applying sensible, non-invasive protections by default.

Disclaimer: Use this mod at your own risk. The maintainers are not responsible for any bans or other consequences.
You can download the mod here: https://modrinth.com/mod/exploitpreventer

If you're interested in servers or plugins that use these exploits, look in the Hall of Shame.

Exploits

This mod currently protects against the following exploits:

Sign Translation Vulnerability

Link: https://wurst.wiki/sign_translation_vulnerability

A server can trick a client into resolving translation keys and sending the resolved text back to the server. This lets the server learn which mods are installed on the client (by probing for mod-specific translation keys or keybinds), the player's language, and so on.

Our fix: We prevent the client from resolving translation keys and keybinds on the sign and anvil edit screens.

Local HTTP request via resource pack

Link: https://alaggydev.github.io/posts/cytooxien/

A server can force the client to make HTTP requests to any IP address, including local services (e.g. http://localhost:8080), by sending a specially crafted resource pack URL. The server can also learn whether the request succeeded, and whether the SHA1 hash of the response matches a specific value. A server can use this to detect which local services are running on the client machine (e.g. a router, TVs, or previously LiquidBounce).

Our fix: We block resource pack URLs that point to local IPs. Ideally, we would like to block all HTTP responses without a proper CORS header (just like a browser), but this would break backwards compatibility.
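The rule behind this fix, written out as an added Python illustration rather than the mod's own Java code: a server-supplied pack URL is refused when it is not HTTP(S), names localhost, or resolves to a loopback, private or link-local address. The `resolver` hook and the blocked-range list are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a resource pack URL must never reach: loopback, RFC 1918, link-local and
# the unspecified address, for IPv4 and IPv6 (constructed list for this example).
_BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_local_address(ip_text: str) -> bool:
    """True if a literal IP falls in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 is still 127.0.0.1
    return any(addr in net for net in _BLOCKED_NETWORKS)


def _default_resolver(host: str) -> list:
    """Every address a hostname maps to; each one has to pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def should_block_resource_pack_url(url: str, resolver=_default_resolver) -> bool:
    """Refuse non-HTTP(S) schemes, localhost names, unresolvable hosts and any
    host whose *resolved* addresses include a local range. Deciding on the
    resolved addresses rather than the hostname string matters because a
    public-looking name can point at a private address (resolver hook is
    a hypothetical seam so the lookup can be swapped out in tests)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return True                      # file:, jar: etc. are never valid pack sources
    host = parts.hostname                # lower-cased; brackets stripped from IPv6 literals
    if not host or host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return is_local_address(host)    # literal IP: no lookup needed
    except ValueError:
        pass                             # not a literal, so resolve it
    try:
        addresses = resolver(host)
    except OSError:
        return True                      # cannot resolve: fail closed
    return any(is_local_address(a) for a in addresses)
```

Because a DNS answer can change between this check and the actual download, the decision belongs as close to the real connection as possible.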

Device fingerprinting via resource pack

Link: https://alaggydev.github.io/posts/cytooxien/

A server can abuse the client-side resource pack cache to uniquely identify clients. This allows a server to track users across multiple sessions, even if they change their username or IP address.

Our fix: Each account gets its own resource pack cache directory, so the server cannot correlate resource packs between different accounts.

Reporting

If you discover a bypass or any other client-side exploit, please contact nikoverflow on Discord or send an email to nikoverflow007@gmail.com. Include a brief summary of the issue, clear step-by-step reproduction instructions, the Minecraft version you used and any relevant logs or screenshots.
