Mojira Archive
WEB-877

It is possible to obtain a user's IP address via the remote skin upload feature

The bug

minecraft.net does not download skin images from remote hosts itself, but rather lets the end-user fetch the skin image from the remote host. This makes it possible for an attacker to obtain a user's IP address by simply monitoring accesses to the skin file on their server.
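The fix the report implies is for the site to fetch the remote skin itself and serve the bytes to the user, so the only address that ever reaches the third-party host's access log is the server's own egress IP. The following is an added example of such a server-side fetcher written for this entry; it is not minecraft.net's code, and the function names, the `skin-fetcher/1.0` User-Agent, the 64 KiB size cap and the PNG-only policy are all assumptions. Because the server now makes outbound requests on behalf of users, the example also carries the SSRF guard that a proxying fetch needs: only http(s), no embedded credentials, every resolved address must be global unicast, redirects are refused, and the payload is checked for type and size.

```python
"""Server-side fetch of a remote skin image (added example, not minecraft.net's
code). The user's browser never contacts the remote host, so its access logs
only ever see this server's address, not the user's."""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# Policy constants: assumed values for this example, not minecraft.net's settings.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_CONTENT_TYPES = {"image/png"}
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_SKIN_BYTES = 64 * 1024       # a 64x64 skin PNG is a few KB; cap well above that
FETCH_TIMEOUT_SECONDS = 5


def is_forbidden_address(ip_text):
    """SSRF guard: only global unicast targets may be fetched on a user's behalf.
    Loopback, RFC 1918, link-local (cloud metadata), multicast etc. are refused."""
    ip = ipaddress.ip_address(ip_text)
    return (not ip.is_global) or ip.is_multicast


def resolve_host_addresses(host):
    """Return every address the host resolves to; an IP literal maps to itself."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def validate_remote_skin_url(url):
    """Return (ok, reason). ok only for http(s) URLs without embedded credentials
    whose host resolves exclusively to addresses the fetcher may reach."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parsed.hostname:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    try:
        addresses = resolve_host_addresses(parsed.hostname)
    except (socket.gaierror, UnicodeError):
        return False, "host does not resolve"
    for addr in addresses:
        if is_forbidden_address(addr):
            return False, "host resolves to forbidden address " + addr
    return True, "ok"


def check_skin_payload(content_type, data):
    """Accept only a PNG of sane size; return the bytes or raise ValueError."""
    if content_type not in ALLOWED_CONTENT_TYPES:
        raise ValueError("unexpected content type " + str(content_type))
    if len(data) > MAX_SKIN_BYTES:
        raise ValueError("skin too large")
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("payload is not a PNG")
    return data


class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """A redirect could send the fetcher to a host that was never validated,
    so redirects are turned into HTTPError instead of being followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_skin_server_side(url):
    """Validate the URL, fetch the image from this server, and return its bytes."""
    ok, reason = validate_remote_skin_url(url)
    if not ok:
        raise ValueError(reason)
    opener = urllib.request.build_opener(_RefuseRedirects)
    request = urllib.request.Request(url, headers={"User-Agent": "skin-fetcher/1.0"})
    with opener.open(request, timeout=FETCH_TIMEOUT_SECONDS) as response:
        content_type = response.headers.get_content_type()
        data = response.read(MAX_SKIN_BYTES + 1)  # one extra byte detects oversize bodies
    return check_skin_payload(content_type, data)


if __name__ == "__main__":
    # Constructed sample URLs: the first three must be refused, the last is allowed.
    for candidate in ("http://127.0.0.1/skin.png",
                      "http://169.254.169.254/latest/meta-data",
                      "file:///etc/passwd",
                      "https://1.1.1.1/skin.png"):
        print(candidate, "->", validate_remote_skin_url(candidate))
```

Two caveats a reviewer would raise: the validation resolves the hostname once and the fetch resolves it again, so a host whose DNS answer changes between the two calls can slip past the address check (production code should connect to the validated address directly or pin it for the fetch), and the resulting PNG should still be decoded and re-encoded before being stored, since the content-type and signature checks only establish that the bytes claim to be a PNG.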

How to reproduce

Go to iplogger.org and create a URL/image logger, giving it the URL of a skin (or any image or other URL), then append the resulting "IPLOGGER link" to the end of this URL: https://minecraft.net/de-de/profile/skin/remote?url=.

After that, simply navigate your web browser to the resulting URL and notice that, after logging in, the IP address of your network shows up in the "Logged IP's" list.

Here's a video showing the bug in action using a custom Java tool providing an IP logger link.

Cannot Reproduce

[Mod] bemoty

[Mojang] Web Team

2017-09-12, 06:59 PM

2022-09-16, 05:55 PM

2022-09-16, 05:55 PM

2

1

778795

ip-address, skin