Blog

Latest news, tutorials and updates from the LiquidBounce team

Back to all articles
Minecraft servers are fingerprinting you!
November 10, 202516,572 viewsDevelopmentSecurity

Minecraft servers are fingerprinting you!

By Izuna

Servers have used resource pack requests to track players and, in some cases, to detect which client is being used. This goes beyond the known Translation Exploit, which has been patched in most clients.

Clients such as LiquidBounce, Meteor, and Wurst now come with a built-in fingerprint spoofer, so please update. If you remain on old versions, you risk being tracked across accounts and IPs. Older LiquidBounce builds could also be detected.

The Security Risk

The core issue is simple: servers can point the resource pack URL to any destination, and your game will attempt to fetch it over HTTP or HTTPS. This means a server can trigger web requests from your PC, including to localhost and your home network. In theory, this could hit a vulnerable router page, local services, or internal websites that should never be externally accessible.

This blog post explains how resource pack URLs can reach localhost and how per-user crafted resource packs can create a fingerprint that persists across IPs and accounts.

The Fixes

LiquidBounce's fingerprint spoofer uses a different data folder for each account you use, which eliminates the possibility of being detected using server resource packs. Similar fixes were implemented in Meteor and Wurst.

Since LiquidBounce runs a local HTTP server, it was also possible to check if a resource pack request succeeded against this server. This was fixed by introducing client authentication for the Interop Server, so even local software can no longer access it.

Additional Fixes via Mod

For players using the vanilla Minecraft client or other Fabric clients without built-in fixes, there is a Fabric mod called ExploitPreventer that patches all known client-side Minecraft exploits related to resource pack requests. It prevents insecure network requests to local addresses, stops translation key checks, and fixes device fingerprinting by isolating resource pack caches per account.

Starting with Minecraft version 1.21.10, ExploitPreventer will be included by default in LiquidLauncher.

Links