====== Sign Translation Vulnerability ======
The sign translation exploit ([[https://bugs.mojang.com/browse/MC-265322|MC-265322]], no CVE assigned) is a vulnerability affecting Minecraft [[mc>Java Edition 1.20]] ([[mc>23w14a]]) and later versions that allows malicious servers to obtain private information about players, such as their language, keybinds, and installed client-side mods.
This vulnerability has been exploited in the wild, causing real harm to real players.((https://github.com/JustAlittleWolf/ModDetectionPreventer/issues/6#issuecomment-2079826463)) No official patch is available from Mojang.
The sign translation exploit is //not// limited to detecting client-side mods like Wurst. It leaks tons of information about vanilla Minecraft players as well, such as their language and keybinds. It is in everyone's best interest for Mojang to patch this vulnerability as soon as possible.
===== How It Works =====
[[mc>Raw_JSON_text_format|Minecraft's rich text format]] has two problematic features: translated text and keybind text. Translated text takes a given translation key, for example ''gui.cancel'', and displays it in the client's preferred language, for example ''Cancel'' in English or ''Abbrechen'' in German. If the client has no translations for the given key, it instead displays the key itself, so for example you would see ''gui.cancel'' displayed on the cancel button. Keybind text is similar, but it assumes that the translation key is for a keybind and displays what button that keybind is set to. For example, a translatable text of ''key.forward'' resolves to ''Walk Forwards'' in English, but a keybind text of ''key.forward'' resolves to ''W'' with the default keybinds.
What makes these features problematic is that they also work with modded translations and keybinds. For example, keybind text for ''of.key.zoom'' might display ''C'' if OptiFine is installed, but it will always display ''of.key.zoom'' if OptiFine is not installed. While sketchy, this behavior is not normally an issue, since this text is only displayed on the user's screen and never sent to the server.
However, as of 1.20, when a user edits a sign, all of its content is turned into plain text so that it can be edited. This means any translation/keybind text is resolved on the client-side, depending on the player's language, keybinds, and installed mods. And then when they save their changes, that unformatted text is returned to the server.
Servers exploiting this vulnerability don't wait for a player to right a sign or to click save, however. Instead, they can simply force-open the sign edit screen and instantly close it again. As a player, you never actually see the screen open while all of this data is being harvested from you.
The fix in [[update:Wurst 7.41.1]] was to completely prevent Minecraft's rich text format from resolving any of Wurst's translations or keybinds. They will simply fail to resolve as if Wurst wasn't installed, not just in signs but anywhere formatted text is used in Minecraft. So, if a similar exploit is discovered in books, for example, then Wurst will not be affected by it. (After the release of Wurst 7.41.1, a similar exploit was indeed discovered. Not in books, but in anvils.((https://github.com/JustAlittleWolf/ModDetectionPreventer/commit/7e6a44050d45b4e3faa6bde60b54320f3cd3b258)))
Ideally Mojang would stop signs from leaking all this data in the first place, but this is something that only they can do. If Wurst fixed this leak, the signs of Wurst users would look different than the signs of vanilla Minecraft users, which would again allow servers to detect that Wurst is installed.
===== Useful Command for Testing =====
The following command places a sign that can be used to test if a given Wurst Client installation is vulnerable to the sign translation exploit:
/setblock ~ ~ ~ oak_sign{front_text:{messages:['[{"text":" "},{"translate":"key.wurst.zoom"}]','[{"text":" "},{"keybind":"key.wurst.zoom"}]','[{"text":" "},{"translate":"key.forward"}]','[{"text":" "},{"keybind":"key.forward"}]']}} replace
With an up-to-date Wurst Client installation in Minecraft 1.21 (which is still vulnerable), the sign should say the following:
key.wurst.zoom
key.wurst.zoom
Walk Forward
W
If Mojang properly fixes the vulnerability in a future Minecraft update, the sign should instead say the following:
key.wurst.zoom
key.wurst.zoom
key.forward
key.forward
And if used with an older, unpatched version of Wurst, the sign will say the following:
Zoom
V
Walk Forward
W
===== See Also =====
* [[update:Wurst 7.41.1]]
* [[https://wurstforum.net/d/447-wurst-7411-security-fix|WurstForum thread for Wurst 7.41.1]], with more explanations about how the exploit works
* [[https://github.com/JustAlittleWolf/ModDetectionPreventer|Mod Detection Preventer]] - discontinued, but the repo contains other technical details about the exploit
{{tag>security stealth}}