Mojira Archive
WEB-875

Skin files are not filtered – transferring malware to Minecraft players via skin files

The bug

Skin files uploaded to minecraft.net are not filtered. Bytes that are not part of the skin image itself are not removed and remain in the file on the server. Since Minecraft caches skins in C:\Users\<username>\AppData\Roaming\.minecraft\assets\skins, every skin file a user sees in Minecraft is saved to their PC. If someone uploads a skin to minecraft.net with malicious code embedded in it, that code is not filtered out and ends up on the PCs of innocent users.

How to reproduce

I don't know if there are other languages which can be used here, but for this I used VBScript embedded in an HTA file. The VBScript here is completely harmless and just runs calc.exe on Windows PCs.

<html>
<head>
	<script language="VBScript">
		' Harmless proof of concept: when the HTA loads, launch calc.exe and close the window.
		Sub run
			Set objshell = CreateObject("WScript.Shell")
			objshell.Run "calc.exe"
			self.close()
		End Sub
	</script>
</head>
<body onload="run()"></body>
</html>

This code can simply be appended to a skin file using any text editor. After uploading the skin with the appended code to minecraft.net, joining any server will download the file with potentially malicious content to the PC of every player on the server. To make it easier for me to find the skin in the cached skins folder, I completely cleared this folder first. After that, I joined a singleplayer world, and, tadaa! This file appeared in my skin folder and it is indeed the skin file with the appended code I uploaded to minecraft.net.
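The check and the fix the report is asking for, as an added example that is not part of the bug report or of Mojang's own code: a PNG is a fixed 8-byte signature followed by length-prefixed, CRC-protected chunks that end with IEND, and every decoder stops reading at IEND, which is why bytes appended with a text editor survive upload and download untouched. The script below parses the chunk list, reports anything after IEND, and rebuilds the file from an allow-list of chunks, which also drops ancillary chunks (tEXt, zTXt, private types) that could carry data inside the image rather than after it. The sample PNG, the tEXt chunk and the `scan_skin_cache` helper are constructed for this example; the HTA payload is the one from the report.

```python
"""Detect and strip non-image data smuggled into PNG skin files (added example)."""
import os
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunks a skin actually needs; everything else is discarded when re-serialising.
ALLOWED_CHUNKS = frozenset({b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"})


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: 4-byte big-endian length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_chunks(data: bytes):
    """Validate the signature and walk the chunk list up to and including IEND.

    Returns (chunks, end): a list of (type, body) pairs and the offset just past
    the IEND chunk. Raises ValueError if the file is not a well-formed PNG."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated PNG: no IEND chunk")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError("bad CRC in chunk %r" % ctype)
        chunks.append((ctype, body))
        pos = end
        if ctype == b"IEND":
            return chunks, pos


def trailing_data(data: bytes) -> bytes:
    """Bytes after IEND: the part of the file no PNG decoder will ever read."""
    _, end = parse_chunks(data)
    return data[end:]


def sanitize_png(data: bytes) -> bytes:
    """Rebuild the file from allowed chunks only. Drops the trailing payload and
    any ancillary chunk; this is what the upload path should do server-side."""
    chunks, _ = parse_chunks(data)
    return PNG_SIGNATURE + b"".join(_chunk(t, b) for t, b in chunks if t in ALLOWED_CHUNKS)


def make_test_png(width: int = 64, height: int = 64) -> bytes:
    """Constructed sample: a valid, fully transparent 8-bit RGBA PNG (not a real skin)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # depth 8, colour type 6 (RGBA)
    rows = b"".join(b"\x00" + bytes(4 * width) for _ in range(height))  # filter byte 0 + pixels
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")


def scan_skin_cache(directory: str):
    """Hypothetical helper: walk a skin cache (e.g. .minecraft/assets/skins) and list
    files that carry data after IEND or do not parse as PNG at all."""
    findings = []
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                blob = fh.read()
            try:
                extra = trailing_data(blob)
            except ValueError as exc:
                findings.append((path, "unparseable: %s" % exc))
                continue
            if extra:
                findings.append((path, "%d trailing bytes, starts %r" % (len(extra), extra[:40])))
    return findings


# The harmless HTA from the report, appended after IEND exactly as described.
HTA_PAYLOAD = (b'<html><head><script language="VBScript">\nSub run\n'
               b'Set objshell = CreateObject("WScript.Shell")\nobjshell.Run "calc.exe"\n'
               b'self.close()\nEnd Sub\n</script></head><body onload="run()"></body></html>\n')


def demo():
    """Tamper with a constructed PNG two ways (payload after IEND, plus a tEXt chunk
    inside the chunk list) and show that detection and sanitising both work."""
    clean = make_test_png()
    chunks, _ = parse_chunks(clean)
    with_text = (PNG_SIGNATURE + b"".join(_chunk(t, b) for t, b in chunks[:-1])
                 + _chunk(b"tEXt", b"Comment\x00hidden") + _chunk(b"IEND", b""))
    tampered = with_text + HTA_PAYLOAD
    return {
        "clean_trailing": len(trailing_data(clean)),
        "tampered_trailing": len(trailing_data(tampered)),
        "sanitized_equals_clean": sanitize_png(tampered) == clean,
    }


if __name__ == "__main__":
    print(demo())
```

Truncating at IEND alone would only cover the exact case in the report; rebuilding from an allow-list of chunks also removes data hidden in tEXt/zTXt or private chunks, and a server that instead decodes the pixels and re-encodes a fresh PNG goes one step further by discarding anything that is not image data at all.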

Conclusion

Even though the file has to be run by the user or a program on the user's PC to actually pose a threat to anyone, this should be considered a security breach as it makes it possible for anyone to spread potentially malicious files via Minecraft.

Resolution: Fixed

[Mod] bemoty

[Mojang] Web Team

2017-09-10, 11:43 AM

2019-05-01, 10:30 AM

2018-04-18, 09:17 PM

3

1

Labels: malware, skin