Table of Contents

Sign Translation Vulnerability

The sign translation exploit (MC-265322, no CVE assigned) is a vulnerability affecting Minecraft Java Edition 1.20 (23w14a) and later versions that allows malicious servers to obtain private information about players, such as their language, keybinds, and installed client-side mods.

This vulnerability has been exploited in the wild, causing real harm to real players.1) No official patch is available from Mojang.

The sign translation exploit is not limited to detecting client-side mods like Wurst. It leaks tons of information about vanilla Minecraft players as well, such as their language and keybinds. It is in everyone's best interest for Mojang to patch this vulnerability as soon as possible.

How It Works

Minecraft's rich text format has two problematic features: translated text and keybind text. Translated text takes a given translation key, for example gui.cancel, and displays it in the client's preferred language, for example Cancel in English or Abbrechen in German. If the client has no translations for the given key, it instead displays the key itself, so for example you would see gui.cancel displayed on the cancel button. Keybind text is similar, but it assumes that the translation key is for a keybind and displays what button that keybind is set to. For example, a translatable text of key.forward resolves to Walk Forwards in English, but a keybind text of key.forward resolves to W with the default keybinds.

What makes these features problematic is that they also work with modded translations and keybinds. For example, keybind text for of.key.zoom might display C if OptiFine is installed, but it will always display of.key.zoom if OptiFine is not installed. While sketchy, this behavior is not normally an issue, since this text is only displayed on the user's screen and never sent to the server.

However, as of 1.20, when a user edits a sign, all of its content is turned into plain text so that it can be edited. This means any translation/keybind text is resolved on the client-side, depending on the player's language, keybinds, and installed mods. And then when they save their changes, that unformatted text is returned to the server.

Servers exploiting this vulnerability don't wait for a player to right a sign or to click save, however. Instead, they can simply force-open the sign edit screen and instantly close it again. As a player, you never actually see the screen open while all of this data is being harvested from you.

The fix in Wurst 7.41.1 was to completely prevent Minecraft's rich text format from resolving any of Wurst's translations or keybinds. They will simply fail to resolve as if Wurst wasn't installed, not just in signs but anywhere formatted text is used in Minecraft. So, if a similar exploit is discovered in books, for example, then Wurst will not be affected by it. (After the release of Wurst 7.41.1, a similar exploit was indeed discovered. Not in books, but in anvils.2))

Ideally Mojang would stop signs from leaking all this data in the first place, but this is something that only they can do. If Wurst fixed this leak, the signs of Wurst users would look different than the signs of vanilla Minecraft users, which would again allow servers to detect that Wurst is installed.

Useful Command for Testing

The following command places a sign that can be used to test if a given Wurst Client installation is vulnerable to the sign translation exploit:

/setblock ~ ~ ~ oak_sign{front_text:{messages:['[{"text":" "},{"translate":"key.wurst.zoom"}]','[{"text":" "},{"keybind":"key.wurst.zoom"}]','[{"text":" "},{"translate":"key.forward"}]','[{"text":" "},{"keybind":"key.forward"}]']}} replace

With an up-to-date Wurst Client installation in Minecraft 1.21 (which is still vulnerable), the sign should say the following:

  key.wurst.zoom
  key.wurst.zoom
   Walk Forward
        W

If Mojang properly fixes the vulnerability in a future Minecraft update, the sign should instead say the following:

  key.wurst.zoom
  key.wurst.zoom
    key.forward
    key.forward

And if used with an older, unpatched version of Wurst, the sign will say the following:

       Zoom
        V
   Walk Forward
        W

See Also